
Significant number of critical vulnerabilities reported in dependencies #273

slagelwa opened this issue Jun 20, 2022 · 3 comments

@slagelwa

Running trivy against version 0.9.1 reports 25 critical vulnerabilities in dependent libraries used by bpipe.

For example:

Would it be possible to update com.fasterxml.jackson.core:jackson-databind and org.apache.tika:tika-core?

@ssadedin
Owner

thanks @slagelwa - I will see if there is any reason these dependencies were pinned and what we need to do to update them.

@ssadedin
Owner

@slagelwa - any chance you could share the actual command line / configuration you are running with trivy? Will be helpful to check the problem is resolved.

@slagelwa
Author

Sorry, I must have missed the notice on this earlier. We're running trivy as part of our CI/CD and the security issues come up on a docker image that we're building for mintie. I can't get you the docker image at the moment, but this is the basic Dockerfile:

FROM mambaorg/micromamba

RUN micromamba install -n base -y -c conda-forge -c bioconda \
       mintie==0.3.9 \
    && micromamba clean --all --yes

There are a couple of ways to run trivy against either the image or within a running container. The options we're using are essentially --no-progress --timeout 10m -s CRITICAL --security-checks vuln.

I also reproduced the following trivy report by starting with an official Ubuntu 22.04 container. I cloned the bpipe repo, built it (somewhat unsuccessfully I'm afraid as some unit tests failed), and then installed and ran trivy:

$ git clone https://github.com/ssadedin/bpipe.git
$ cd bpipe/
$ git checkout 0.9.11
$ ./gradlew build
$ curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.18.3
$ trivy fs --no-progress --timeout 10m -s CRITICAL --security-checks vuln -f json -o report.json .

report.zip
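The `-f json -o report.json` run above leaves the findings in trivy's JSON report, and a CI/CD pipeline usually wants to turn that into a per-package list (which dependency, which advisory, which version fixes it) and a pass/fail gate. The following is an added example, not code from the bpipe project or from trivy; it assumes the report layout trivy writes (`Results[].Vulnerabilities[]` with `VulnerabilityID`, `PkgName`, `FixedVersion`, `Severity`, with older releases emitting the result list at the top level), and the embedded report is constructed, with placeholder advisory IDs and versions.

```python
import json

# Constructed sample in the shape trivy writes with `-f json` (assumption: newer
# releases wrap results under "Results"; older ones emit the list at top level).
# Advisory IDs and versions are placeholders, not real findings.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {"Target": "bpipe/lib", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-PLACEHOLDER-1",
             "PkgName": "com.fasterxml.jackson.core:jackson-databind",
             "InstalledVersion": "0.0.0-constructed",
             "FixedVersion": "0.0.1-constructed", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-PLACEHOLDER-2",
             "PkgName": "org.apache.tika:tika-core",
             "InstalledVersion": "0.0.0-constructed",
             "FixedVersion": "", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-PLACEHOLDER-3",
             "PkgName": "org.apache.tika:tika-core",
             "InstalledVersion": "0.0.0-constructed",
             "FixedVersion": "0.0.2-constructed", "Severity": "CRITICAL"}]},
        # trivy emits null, not [], for a target with no findings
        {"Target": "Dockerfile", "Vulnerabilities": None},
    ]
})
# Same findings in the older top-level-list layout.
OLD_SCHEMA_REPORT = json.dumps(json.loads(SAMPLE_REPORT)["Results"])

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def iter_vulns(report):
    """Yield every vulnerability record, whichever schema variant was written."""
    results = report.get("Results") if isinstance(report, dict) else report
    for result in results or []:
        for vuln in result.get("Vulnerabilities") or []:   # None-safe
            yield vuln


def findings_by_package(report_json, min_severity="CRITICAL"):
    """Map package -> sorted (advisory id, fixed version) at or above min_severity."""
    threshold = SEVERITY_RANK[min_severity]
    found = {}
    for v in iter_vulns(json.loads(report_json)):
        if SEVERITY_RANK.get(v.get("Severity", "UNKNOWN"), 0) < threshold:
            continue
        fix = v.get("FixedVersion") or "no fix available"
        found.setdefault(v["PkgName"], []).append((v["VulnerabilityID"], fix))
    return {pkg: sorted(ids) for pkg, ids in found.items()}


def gate_passes(report_json, min_severity="CRITICAL"):
    """CI gate: True only when nothing at or above the threshold remains."""
    return not findings_by_package(report_json, min_severity)
```

Wiring `gate_passes` to the job's exit status gives the same effect as trivy's `--exit-code` option while also keeping the per-package list for the upgrade ticket.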
