Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

clean .trivyignore from issues that are no longer applicable for conjur #2952

Merged
merged 1 commit into from
Sep 13, 2023
Merged

clean .trivyignore from issues that are no longer applicable for conjur #2952

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
97 changes: 0 additions & 97 deletions .trivyignore
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,97 +0,0 @@
# OpenSSL CVEs
#
# Because of the way OpenSSL 1.0.2 has moved to premium support and our Ubuntu
# base image, trivy flags a number of OpenSSL issues in Conjur because the fix
# for most Ubuntu users is to move to 1.1.1 instead of having the continued support
# in the 1.0.2 line. Additionally, trivy flages 1.0.2zf as vulnerable to issues that
# only affect 1.1.x. As of the time of this writing, we use 1.0.2zf which either
# has the fix or is unaffected by these issues.
CVE-2022-2097
CVE-2022-2068
CVE-2022-1292
CVE-2022-0778
CVE-2021-23841
CVE-2021-23840
CVE-2021-3712
CVE-2019-1563
CVE-2019-1551
CVE-2019-1549
CVE-2019-1547
CVE-2018-0735
CVE-2018-0734

# NULL pointer deref. OpenSSL 1.0.2 is not impacted
CVE-2021-3449

# We already use a later version than the ones listed as impacted by this
# CVE, so we believe this is just a scanner issue.
CVE-2014-7819

# Rake vulnerability for versions < 12.3.3. The version of Rake used by Conjur
# has been updated to 13.0.1. Some of the Conjur dependencies still declare a
# vulnerable version of Rake in their development dependencies, but do not pose
# a risk to Conjur.
CVE-2020-8130

# Applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake
# may crash due to a NULL pointer dereference as a result of incorrect handling of the "signature_algorithms_cert"
# TLS extension. this issue was fixed in OpenSSL 1.1.1g
#
# In order to support fips with openssl we are required to downgrading openssl version to 1.0.2 until openssl will
# support fips module in newer versions
# This vulnerability this is not relevant to us as
# 1. The installed version (1.0.2u) does not support 1.3
# 2. Trivy detect the usage of openssl 1.0.2 (can be reproduced with
# docker run -v /var/run/docker.sock:/var/run/docker.sock
# -v $(PWD):/workspace --rm aquasec/trivy -f json -o /workspace/scan_results-conjur-unfixed.json --no-progress
# --ignorefile .trivyignore registry.tld/ruby-fips-base-image-phusion:1.0.0)
#
# Performed by @yahalomk approved by @shaharglazner
CVE-2020-1967

# CVE-2020-1971
# The X.509 GeneralName type is a generic type for representing different types
# of names. One of those name types is known as EDIPartyName. OpenSSL provides a
# function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME
# to see if they are equal or not. This function behaves incorrectly when both
# GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash
# may occur leading to a possible denial of service attack.
# OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes:
#
# 1) Comparing CRL distribution point names between an available CRL and a CRL
# distribution point embedded in an X509 certificate.
#
# 2) When verifying that a timestamp response token signer matches the timestamp
# authority name (exposed via the API functions TS_RESP_verify_response and
# TS_RESP_verify_token) If an attacker can control both items being compared
# then that attacker could trigger a crash.
#
# All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue. Fixed in OpenSSL
# 1.1.1i (Affected 1.1.1-1.1.1h). Fixed in OpenSSL 1.0.2x (Affected 1.0.2-1.0.2w).
#
# In order to support FIPS with OpenSSL we are required to use OpenSSL version
# 1.0.2 until OpenSSL supports the FIPS module in newer versions. The latest
# available version to us is 1.0.2u, which does not include this fix.
#
# We've determined that we are not impacted by this vulnerability because:
# - we do not directly perform CRL checks in the Conjur or DAP software
# - we do not enable automatic CRL checks in openssl tools
# - we do not call any of the impacted OpenSSL APIs or any of the APIs that expose
# impacted behavior.
#
# Performed by @micahlee, approved by @andytinkham
CVE-2020-1971

# CVE-2021-3711
# The vulnerability is not affected Conjur's version of OpenSSL 1.0.2u (https://www.openssl.org/news/secadv/20210824.txt)
# Conjur does not use SM2 algorithm (https://www.openssl.org/docs/manmaster/man7/SM2.html)
CVE-2021-3711

# We have the fix for CVE-2023-0286 in openssl 1.0.2zg, but because OpenSSL 1.0.2
# is only available in premium support, trivy thinks we should use something in the 1.1.1
# line. We can't, due to FIPS compliance, so need to continue to ignore this issue.
CVE-2023-0286

# Scanners pick up this vulnerability in OpenSSL::ASN1 module in Ruby before 2.2.8, 2.3.x before 2.3.5, and 2.4.x through 2.4.1
# however we use ruby 3+ in production so we can safely ignore it.
CVE-2017-14033
Loading