[DOCKER] Check all container image vulnerabilities in private registries with trivy

Yesterday's article Even in tern, cve-bin-tool seems to have a function to compare the container image with CVE database and identify vulnerabilities, but it does not work properly at the moment. Aqua Security's tryvi is a tool that does something similar, including usability, and is vulnerable to use when compared to the CVE database rather than the image license in the repository. Trying to get a sex report.

To be honest, most of the articles were reprinted yesterday.

Docker and private registry setup

The environment is Ubuntu 18.04. OK with Lightsail's $ 3.5 machine.

    1. Set up Docker and Registry.
$ sudo -i
# apt-get update
# apt-get install \
    apt-transport-https \
    ca-certificates \
    curl \
    gnupg-agent \
    software-properties-common
# curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
# add-apt-repository \
   "deb [arch=amd64] https://download.docker.com/linux/ubuntu \
   $(lsb_release -cs) \
   stable"
# apt-get update
# apt-get install docker-ce docker-ce-cli containerd.io
# docker run -d -p 5000:5000 --restart always --name registry registry:2
    1. Push ubuntu, centos, busybox: 1: 23: 2, ubi (8) to your private registry.
# docker pull ubuntu
# docker tag ubuntu localhost:5000/ubuntu
# docker push localhost:5000/ubuntu
# docker rmi ubuntu localhost:5000/ubuntu

# docker pull centos
# docker tag centos localhost:5000/centos
# docker push localhost:5000/centos
# docker rmi centos localhost:5000/centos

# docker pull busybox:1.23.2
# docker tag busybox:1.23.2 localhost:5000/busybox:1.23.2
# docker push localhost:5000/busybox:1.23.2
# docker rmi busybox:1.23.2 localhost:5000/busybox:1.23.2

# docker login registry.redhat.io
→ Enter your Red Hat account
# docker pull registry.redhat.io/ubi8/ubi
# docker tag registry.redhat.io/ubi8/ubi localhost:5000/ubi
# docker push localhost:5000/ubi
# docker rmi registry.redhat.io/ubi8/ubi localhost:5000/ubi

(Verification)
ubuntu@ip-172-26-2-169:~$ curl localhost:5000/v2/_catalog
{"repositories":["busybox","centos","ubuntu"]}
ubuntu@ip-172-26-2-169:~$ curl -s http://localhost:5000/v2/busybox/tags/list
{"name":"busybox","tags":["1.23.2"]}

Trivy installation and scripting

    1. Install trivy. https://github.com/aquasecurity/trivy#debianubuntu
# sudo apt-get install wget apt-transport-https gnupg lsb-release
# wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
# echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
# sudo apt-get update
# sudo apt-get install trivy
    1. Create a directory for creating reports and move it.
# mkdir trivy-reports
# cd trivy-reports
    1. Create the following python file.

make-trivy-reports.py


import urllib.request
import json
import os

protocol = "http"
registry = "localhost:5000"

req = urllib.request.Request(protocol + "://" + registry + "/v2/_catalog")
with urllib.request.urlopen(req) as res:
  repos = json.loads(res.read())
  for repo in repos["repositories"]:
    req2 = urllib.request.Request(protocol + "://" + registry + "/v2/" + repo + "/tags/list")
    with urllib.request.urlopen(req2) as res2:
      tags = json.loads(res2.read())
      for tag in tags["tags"]:
        os.system("trivy " + registry + "/" + repo + ":" + tag + " > " + repo + ":" + tag + ".txt")

Report generation

    1. Generate a report. There is no need to delete the local image (docker rmi) after scanning, so there is no need to worry about deleting the deletion process. Creating a report will take some time to download the first time you don't have a CVE DB locally. It is quite early after the second time.
# python3 make-trivy-reports.py
    1. Check the report. For the image generated by the report, the file name of "Image: Tag.txt" is generated in the directory where the program is executed.
(Check file)
root@ip-172-26-3-209:~/trivy-reports# ls -la
total 208
drwxr-xr-x 2 root root   4096 Jan  3 11:56 .
drwx------ 8 root root   4096 Jan  3 11:57 ..
-rw-r--r-- 1 root root    241 Jan  3 11:56 busybox:1.23.2.txt
-rw-r--r-- 1 root root 105029 Jan  3 11:56 centos:latest.txt
-rw-r--r-- 1 root root    587 Jan  3 11:54 make-trivy-reports.py
-rw-r--r-- 1 root root  70157 Jan  3 11:56 ubi:latest.txt
-rw-r--r-- 1 root root  15444 Jan  3 11:56 ubuntu:latest.txt

I thought that busybox could scan, but when I looked at the contents, there was only a report that it was impossible.

root@ip-172-26-3-209:~/trivy-reports# cat busybox\:1.23.2.txt
2021-01-03T11:56:38.789Z        WARN    OS is not detected and vulnerabilities in OS packages are not detected.
2021-01-03T11:56:38.789Z        INFO    Trivy skips scanning programming language libraries because no supported file was detected

Is it better than tern that ubi (8) can scan?

ubi:latest.txt


2021-01-03T11:56:38.882Z        WARN    You should avoid using the :latest tag as it is cached. You need to specify '--clear-cache' option when :latest image is changed
2021-01-03T11:56:38.900Z        INFO    Detecting RHEL/CentOS vulnerabilities...
2021-01-03T11:56:38.903Z        INFO    Trivy skips scanning programming language libraries because no supported file was detected

localhost:5000/ubi:latest (redhat 8.3)
======================================
Total: 111 (UNKNOWN: 0, LOW: 43, MEDIUM: 67, HIGH: 1, CRITICAL: 0)

+------------------------+------------------+----------+--------------------+---------------+-----------------------------------------+
|        LIBRARY         | VULNERABILITY ID | SEVERITY | INSTALLED VERSION  | FIXED VERSION |                  TITLE                  |
+------------------------+------------------+----------+--------------------+---------------+-----------------------------------------+
| bash                   | CVE-2019-18276   | LOW      | 4.4.19-12.el8      |               | bash: when effective UID is not         |
|                        |                  |          |                    |               | equal to its real UID the...            |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2019-18276   |
+------------------------+------------------+----------+--------------------+---------------+-----------------------------------------+
| brotli                 | CVE-2020-8927    | MEDIUM   | 1.0.6-2.el8        |               | brotli: buffer overflow when            |
|                        |                  |          |                    |               | input chunk is larger than 2GiB         |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2020-8927    |
+------------------------+------------------+----------+--------------------+---------------+-----------------------------------------+
| bzip2-libs             | CVE-2019-12900   | LOW      | 1.0.6-26.el8       |               | bzip2: out-of-bounds write              |
|                        |                  |          |                    |               | in function BZ2_decompress              |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2019-12900   |
+------------------------+------------------+----------+--------------------+---------------+-----------------------------------------+
| coreutils-single       | CVE-2017-18018   | MEDIUM   | 8.30-8.el8         |               | coreutils: race condition               |
|                        |                  |          |                    |               | vulnerability in chown and chgrp        |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2017-18018   |
+------------------------+------------------+          +--------------------+---------------+-----------------------------------------+
| curl                   | CVE-2020-8284    |          | 7.61.1-14.el8_3.1  |               | curl: dangerous nature                  |
|                        |                  |          |                    |               | of PASV command could                   |
|                        |                  |          |                    |               | be used to make curl...                 |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2020-8284    |
+                        +------------------+          +                    +---------------+-----------------------------------------+
|                        | CVE-2020-8285    |          |                    |               | curl: malicious FTP server can          |
|                        |                  |          |                    |               | trigger stack overflow when             |
|                        |                  |          |                    |               | CURLOPT_CHUNK_BGN_FUNCTION              |
|                        |                  |          |                    |               | is used...                              |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2020-8285    |
+                        +------------------+          +                    +---------------+-----------------------------------------+
|                        | CVE-2020-8286    |          |                    |               | curl: inferior OCSP verification        |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2020-8286    |
+                        +------------------+----------+                    +---------------+-----------------------------------------+
|                        | CVE-2020-8231    | LOW      |                    |               | curl: Expired pointer                   |
|                        |                  |          |                    |               | dereference via multi API with          |
|                        |                  |          |                    |               | `CURLOPT_CONNECT_ONLY` option set       |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2020-8231    |
+------------------------+------------------+----------+--------------------+---------------+-----------------------------------------+
| file-libs              | CVE-2019-18218   | MEDIUM   | 5.33-16.el8        |               | file: heap-based buffer overflow        |
|                        |                  |          |                    |               | in cdf_read_property_info in cdf.c      |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2019-18218   |
+                        +------------------+----------+                    +---------------+-----------------------------------------+
|                        | CVE-2019-8905    | LOW      |                    |               | file: stack-based buffer over-read      |
|                        |                  |          |                    |               | in do_core_note in readelf.c            |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2019-8905    |
+                        +------------------+          +                    +---------------+-----------------------------------------+
|                        | CVE-2019-8906    |          |                    |               | file: out-of-bounds read in             |
|                        |                  |          |                    |               | do_core_note in readelf.c               |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2019-8906    |
+------------------------+------------------+----------+--------------------+---------------+-----------------------------------------+
| glib2                  | CVE-2019-9633    | MEDIUM   | 2.56.4-8.el8       |               | glib:                                   |
|                        |                  |          |                    |               | g_socket_client_connected_callback      |
|                        |                  |          |                    |               | in gio/gsocketclient.c allows           |
|                        |                  |          |                    |               | to cause denial of service              |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2019-9633    |
+                        +------------------+----------+                    +---------------+-----------------------------------------+
|                        | CVE-2018-16428   | LOW      |                    |               | glib2: NULL pointer dereference in      |
|                        |                  |          |                    |               | g_markup_parse_context_end_parse()      |
|                        |                  |          |                    |               | function in gmarkup.c                   |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2018-16428   |
+                        +------------------+          +                    +---------------+-----------------------------------------+
|                        | CVE-2018-16429   |          |                    |               | glib2: Out-of-bounds read in            |
|                        |                  |          |                    |               | g_markup_parse_context_parse()          |
|                        |                  |          |                    |               | in gmarkup.c                            |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2018-16429   |
+                        +------------------+          +                    +---------------+-----------------------------------------+
|                        | CVE-2019-13012   |          |                    |               | glib2: insecure permissions             |
|                        |                  |          |                    |               | for files and directories               |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2019-13012   |
+------------------------+------------------+----------+--------------------+---------------+-----------------------------------------+
| glibc                  | CVE-2019-1010022 | MEDIUM   | 2.28-127.el8       |               | glibc: stack guard protection bypass    |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2019-1010022 |
+                        +------------------+          +                    +---------------+-----------------------------------------+
|                        | CVE-2019-9169    |          |                    |               | glibc: regular-expression               |
|                        |                  |          |                    |               | match via proceed_next_node             |
|                        |                  |          |                    |               | in posix/regexec.c leads to             |
|                        |                  |          |                    |               | heap-based buffer over-read...          |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2019-9169    |
+                        +------------------+----------+                    +---------------+-----------------------------------------+
|                        | CVE-2019-1010023 | LOW      |                    |               | glibc: running ldd on malicious ELF     |
|                        |                  |          |                    |               | leads to code execution because of...   |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2019-1010023 |
+                        +------------------+          +                    +---------------+-----------------------------------------+
|                        | CVE-2020-27618   |          |                    |               | glibc: iconv when processing            |
|                        |                  |          |                    |               | invalid multi-byte input                |
|                        |                  |          |                    |               | sequences fails to advance the...       |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2020-27618   |
+------------------------+------------------+----------+                    +---------------+-----------------------------------------+
| glibc-common           | CVE-2019-1010022 | MEDIUM   |                    |               | glibc: stack guard protection bypass    |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2019-1010022 |
+                        +------------------+          +                    +---------------+-----------------------------------------+
|                        | CVE-2019-9169    |          |                    |               | glibc: regular-expression               |
|                        |                  |          |                    |               | match via proceed_next_node             |
|                        |                  |          |                    |               | in posix/regexec.c leads to             |
|                        |                  |          |                    |               | heap-based buffer over-read...          |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2019-9169    |
+                        +------------------+----------+                    +---------------+-----------------------------------------+
|                        | CVE-2019-1010023 | LOW      |                    |               | glibc: running ldd on malicious ELF     |
|                        |                  |          |                    |               | leads to code execution because of...   |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2019-1010023 |
+                        +------------------+          +                    +---------------+-----------------------------------------+
|                        | CVE-2020-27618   |          |                    |               | glibc: iconv when processing            |
|                        |                  |          |                    |               | invalid multi-byte input                |
|                        |                  |          |                    |               | sequences fails to advance the...       |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2020-27618   |
+------------------------+------------------+----------+                    +---------------+-----------------------------------------+
| glibc-minimal-langpack | CVE-2019-1010022 | MEDIUM   |                    |               | glibc: stack guard protection bypass    |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2019-1010022 |
+                        +------------------+          +                    +---------------+-----------------------------------------+
|                        | CVE-2019-9169    |          |                    |               | glibc: regular-expression               |
|                        |                  |          |                    |               | match via proceed_next_node             |
|                        |                  |          |                    |               | in posix/regexec.c leads to             |
|                        |                  |          |                    |               | heap-based buffer over-read...          |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2019-9169    |
+                        +------------------+----------+                    +---------------+-----------------------------------------+
|                        | CVE-2019-1010023 | LOW      |                    |               | glibc: running ldd on malicious ELF     |
|                        |                  |          |                    |               | leads to code execution because of...   |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2019-1010023 |
+                        +------------------+          +                    +---------------+-----------------------------------------+
|                        | CVE-2020-27618   |          |                    |               | glibc: iconv when processing            |
|                        |                  |          |                    |               | invalid multi-byte input                |
|                        |                  |          |                    |               | sequences fails to advance the...       |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2020-27618   |
+------------------------+------------------+----------+--------------------+---------------+-----------------------------------------+
| gnupg2                 | CVE-2018-1000858 | MEDIUM   | 2.2.20-2.el8       |               | gnupg2: Cross site request              |
|                        |                  |          |                    |               | forgery in dirmngr resulting            |
|                        |                  |          |                    |               | in an information disclosure...         |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2018-1000858 |
+------------------------+------------------+          +--------------------+---------------+-----------------------------------------+
| json-c                 | CVE-2020-12762   |          | 0.13.1-0.2.el8     |               | json-c: integer overflow                |
|                        |                  |          |                    |               | and out-of-bounds write                 |
|                        |                  |          |                    |               | via a large JSON file                   |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2020-12762   |
+------------------------+------------------+          +--------------------+---------------+-----------------------------------------+
| krb5-libs              | CVE-2020-28196   |          | 1.18.2-5.el8       |               | krb5: unbounded recursion via an        |
|                        |                  |          |                    |               | ASN.1-encoded Kerberos message          |
|                        |                  |          |                    |               | in lib/krb5/asn.1/asn1_encode.c         |
|                        |                  |          |                    |               | may lead...                             |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2020-28196   |
+------------------------+------------------+          +--------------------+---------------+-----------------------------------------+
| libarchive             | CVE-2017-14502   |          | 3.3.2-9.el8        |               | libarchive: Off-by-one error            |
|                        |                  |          |                    |               | in the read_header function             |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2017-14502   |
+                        +------------------+          +                    +---------------+-----------------------------------------+
|                        | CVE-2020-21674   |          |                    |               | libarchive: heap-based                  |
|                        |                  |          |                    |               | buffer overflow in                      |
|                        |                  |          |                    |               | archive_string_append_from_wcs          |
|                        |                  |          |                    |               | function in archive_string.c            |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2020-21674   |
+                        +------------------+----------+                    +---------------+-----------------------------------------+
|                        | CVE-2017-14166   | LOW      |                    |               | libarchive: Heap-based buffer           |
|                        |                  |          |                    |               | over-read in the atol8 function         |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2017-14166   |
+                        +------------------+          +                    +---------------+-----------------------------------------+
|                        | CVE-2017-14501   |          |                    |               | libarchive: Out-of-bounds               |
|                        |                  |          |                    |               | read in parse_file_info                 |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2017-14501   |
+                        +------------------+          +                    +---------------+-----------------------------------------+
|                        | CVE-2018-1000879 |          |                    |               | libarchive: NULL pointer dereference in |
|                        |                  |          |                    |               | ACL parser resulting in a denial of...  |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2018-1000879 |
+                        +------------------+          +                    +---------------+-----------------------------------------+
|                        | CVE-2018-1000880 |          |                    |               | libarchive: Improper input              |
|                        |                  |          |                    |               | validation in WARC parser               |
|                        |                  |          |                    |               | resulting in a denial of...             |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2018-1000880 |
+------------------------+------------------+----------+--------------------+---------------+-----------------------------------------+
| libcom_err             | CVE-2019-5188    | MEDIUM   | 1.45.6-1.el8       |               | e2fsprogs: Out-of-bounds                |
|                        |                  |          |                    |               | write in e2fsck/rehash.c                |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2019-5188    |
+------------------------+------------------+          +--------------------+---------------+-----------------------------------------+
| libcurl                | CVE-2020-8284    |          | 7.61.1-14.el8_3.1  |               | curl: dangerous nature                  |
|                        |                  |          |                    |               | of PASV command could                   |
|                        |                  |          |                    |               | be used to make curl...                 |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2020-8284    |
+                        +------------------+          +                    +---------------+-----------------------------------------+
|                        | CVE-2020-8285    |          |                    |               | curl: malicious FTP server can          |
|                        |                  |          |                    |               | trigger stack overflow when             |
|                        |                  |          |                    |               | CURLOPT_CHUNK_BGN_FUNCTION              |
|                        |                  |          |                    |               | is used...                              |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2020-8285    |
+                        +------------------+          +                    +---------------+-----------------------------------------+
|                        | CVE-2020-8286    |          |                    |               | curl: inferior OCSP verification        |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2020-8286    |
+                        +------------------+----------+                    +---------------+-----------------------------------------+
|                        | CVE-2020-8231    | LOW      |                    |               | curl: Expired pointer                   |
|                        |                  |          |                    |               | dereference via multi API with          |
|                        |                  |          |                    |               | `CURLOPT_CONNECT_ONLY` option set       |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2020-8231    |
+------------------------+------------------+          +--------------------+---------------+-----------------------------------------+
| libdb                  | CVE-2019-2708    |          | 5.3.28-39.el8      |               | libdb: data store execution             |
|                        |                  |          |                    |               | leads to partial DoS                    |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2019-2708    |
+------------------------+                  +          +                    +---------------+                                         +
| libdb-utils            |                  |          |                    |               |                                         |
|                        |                  |          |                    |               |                                         |
|                        |                  |          |                    |               |                                         |
+------------------------+------------------+----------+--------------------+---------------+-----------------------------------------+
| libgcc                 | CVE-2018-20673   | MEDIUM   | 8.3.1-5.1.el8      |               | libiberty: Integer overflow in          |
|                        |                  |          |                    |               | demangle_template() function            |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2018-20673   |
+                        +------------------+----------+                    +---------------+-----------------------------------------+
|                        | CVE-2018-20657   | LOW      |                    |               | libiberty: Memory leak in               |
|                        |                  |          |                    |               | demangle_template function              |
|                        |                  |          |                    |               | resulting in a denial of service...     |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2018-20657   |
+                        +------------------+          +                    +---------------+-----------------------------------------+
|                        | CVE-2019-14250   |          |                    |               | binutils: integer overflow in           |
|                        |                  |          |                    |               | simple-object-elf.c leads to            |
|                        |                  |          |                    |               | a heap-based buffer overflow            |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2019-14250   |
+------------------------+------------------+----------+--------------------+---------------+-----------------------------------------+
| libgcrypt              | CVE-2019-12904   | MEDIUM   | 1.8.5-4.el8        |               | Libgcrypt: physical addresses           |
|                        |                  |          |                    |               | being available to other processes      |
|                        |                  |          |                    |               | leads to a flush-and-reload...          |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2019-12904   |
+------------------------+------------------+          +--------------------+---------------+-----------------------------------------+
| libidn2                | CVE-2019-18224   |          | 2.2.0-1.el8        |               | libidn2: heap-based buffer overflow     |
|                        |                  |          |                    |               | in idn2_to_ascii_4i in lib/lookup.c     |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2019-18224   |
+------------------------+------------------+----------+--------------------+---------------+-----------------------------------------+
| libssh                 | CVE-2020-16135   | LOW      | 0.9.4-2.el8        |               | libssh: NULL pointer                    |
|                        |                  |          |                    |               | dereference in sftpserver.c             |
|                        |                  |          |                    |               | if ssh_buffer_new returns NULL          |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2020-16135   |
+------------------------+                  +          +                    +---------------+                                         +
| libssh-config          |                  |          |                    |               |                                         |
|                        |                  |          |                    |               |                                         |
|                        |                  |          |                    |               |                                         |
|                        |                  |          |                    |               |                                         |
+------------------------+------------------+----------+--------------------+---------------+-----------------------------------------+
| libstdc++              | CVE-2018-20673   | MEDIUM   | 8.3.1-5.1.el8      |               | libiberty: Integer overflow in          |
|                        |                  |          |                    |               | demangle_template() function            |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2018-20673   |
+                        +------------------+----------+                    +---------------+-----------------------------------------+
|                        | CVE-2018-20657   | LOW      |                    |               | libiberty: Memory leak in               |
|                        |                  |          |                    |               | demangle_template function              |
|                        |                  |          |                    |               | resulting in a denial of service...     |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2018-20657   |
+                        +------------------+          +                    +---------------+-----------------------------------------+
|                        | CVE-2019-14250   |          |                    |               | binutils: integer overflow in           |
|                        |                  |          |                    |               | simple-object-elf.c leads to            |
|                        |                  |          |                    |               | a heap-based buffer overflow            |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2019-14250   |
+------------------------+------------------+          +--------------------+---------------+-----------------------------------------+
| libtasn1               | CVE-2018-1000654 |          | 4.13-3.el8         |               | libtasn1: Infinite loop in              |
|                        |                  |          |                    |               | _asn1_expand_object_id(ptree)           |
|                        |                  |          |                    |               | leads to memory exhaustion              |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2018-1000654 |
+------------------------+------------------+----------+--------------------+---------------+-----------------------------------------+
| libxml2                | CVE-2020-24977   | MEDIUM   | 2.9.7-8.el8        |               | libxml2: Buffer Overflow                |
|                        |                  |          |                    |               | vulnerability in                        |
|                        |                  |          |                    |               | xmlEncodeEntitiesInternal               |
|                        |                  |          |                    |               | at libxml2/entities.c                   |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2020-24977   |
+------------------------+------------------+          +--------------------+---------------+-----------------------------------------+
| lua-libs               | CVE-2020-15945   |          | 5.3.4-11.el8       |               | lua: segmentation fault                 |
|                        |                  |          |                    |               | in changedline in ldebug.c              |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2020-15945   |
+                        +------------------+----------+                    +---------------+-----------------------------------------+
|                        | CVE-2020-24370   | LOW      |                    |               | lua: segmentation fault in getlocal     |
|                        |                  |          |                    |               | and setlocal functions in ldebug.c      |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2020-24370   |
+------------------------+------------------+----------+--------------------+---------------+-----------------------------------------+
| lz4-libs               | CVE-2019-17543   | MEDIUM   | 1.8.3-2.el8        |               | lz4: heap-based buffer                  |
|                        |                  |          |                    |               | overflow in LZ4_write32                 |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2019-17543   |
+------------------------+------------------+          +--------------------+---------------+-----------------------------------------+
| ncurses-base           | CVE-2019-17594   |          | 6.1-7.20180224.el8 |               | ncurses: heap-based buffer              |
|                        |                  |          |                    |               | overflow in the _nc_find_entry          |
|                        |                  |          |                    |               | function in tinfo/comp_hash.c           |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2019-17594   |
+                        +------------------+          +                    +---------------+-----------------------------------------+
|                        | CVE-2019-17595   |          |                    |               | ncurses: heap-based buffer              |
|                        |                  |          |                    |               | overflow in the fmt_entry               |
|                        |                  |          |                    |               | function in tinfo/comp_hash.c           |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2019-17595   |
+                        +------------------+----------+                    +---------------+-----------------------------------------+
|                        | CVE-2018-19211   | LOW      |                    |               | ncurses: Null pointer                   |
|                        |                  |          |                    |               | dereference at function                 |
|                        |                  |          |                    |               | _nc_parse_entry in parse_entry.c        |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2018-19211   |
+                        +------------------+          +                    +---------------+-----------------------------------------+
|                        | CVE-2018-19217   |          |                    |               | ncurses: Null pointer dereference       |
|                        |                  |          |                    |               | at function _nc_name_match              |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2018-19217   |
+------------------------+------------------+----------+                    +---------------+-----------------------------------------+
| ncurses-libs           | CVE-2019-17594   | MEDIUM   |                    |               | ncurses: heap-based buffer              |
|                        |                  |          |                    |               | overflow in the _nc_find_entry          |
|                        |                  |          |                    |               | function in tinfo/comp_hash.c           |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2019-17594   |
+                        +------------------+          +                    +---------------+-----------------------------------------+
|                        | CVE-2019-17595   |          |                    |               | ncurses: heap-based buffer              |
|                        |                  |          |                    |               | overflow in the fmt_entry               |
|                        |                  |          |                    |               | function in tinfo/comp_hash.c           |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2019-17595   |
+                        +------------------+----------+                    +---------------+-----------------------------------------+
|                        | CVE-2018-19211   | LOW      |                    |               | ncurses: Null pointer                   |
|                        |                  |          |                    |               | dereference at function                 |
|                        |                  |          |                    |               | _nc_parse_entry in parse_entry.c        |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2018-19211   |
+                        +------------------+          +                    +---------------+-----------------------------------------+
|                        | CVE-2018-19217   |          |                    |               | ncurses: Null pointer dereference       |
|                        |                  |          |                    |               | at function _nc_name_match              |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2018-19217   |
+------------------------+------------------+----------+--------------------+---------------+-----------------------------------------+
| openldap               | CVE-2019-13057   | MEDIUM   | 2.4.46-15.el8      |               | openldap: Information disclosure        |
|                        |                  |          |                    |               | issue in slapd component                |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2019-13057   |
+                        +------------------+          +                    +---------------+-----------------------------------------+
|                        | CVE-2020-12243   |          |                    |               | openldap: denial of service             |
|                        |                  |          |                    |               | via nested boolean expressions          |
|                        |                  |          |                    |               | in LDAP search filters...               |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2020-12243   |
+------------------------+------------------+          +--------------------+---------------+-----------------------------------------+
| p11-kit                | CVE-2020-29361   |          | 0.23.14-5.el8_0    |               | p11-kit: integer overflow when          |
|                        |                  |          |                    |               | allocating memory for arrays            |
|                        |                  |          |                    |               | or attributes and object...             |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2020-29361   |
+                        +------------------+          +                    +---------------+-----------------------------------------+
|                        | CVE-2020-29362   |          |                    |               | p11-kit: out-of-bounds read in          |
|                        |                  |          |                    |               | p11_rpc_buffer_get_byte_array           |
|                        |                  |          |                    |               | function in rpc-message.c               |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2020-29362   |
+                        +------------------+          +                    +---------------+-----------------------------------------+
|                        | CVE-2020-29363   |          |                    |               | p11-kit: out-of-bounds write in         |
|                        |                  |          |                    |               | p11_rpc_buffer_get_byte_array_value     |
|                        |                  |          |                    |               | function in rpc-message.c               |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2020-29363   |
+------------------------+------------------+          +                    +---------------+-----------------------------------------+
| p11-kit-trust          | CVE-2020-29361   |          |                    |               | p11-kit: integer overflow when          |
|                        |                  |          |                    |               | allocating memory for arrays            |
|                        |                  |          |                    |               | or attributes and object...             |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2020-29361   |
+                        +------------------+          +                    +---------------+-----------------------------------------+
|                        | CVE-2020-29362   |          |                    |               | p11-kit: out-of-bounds read in          |
|                        |                  |          |                    |               | p11_rpc_buffer_get_byte_array           |
|                        |                  |          |                    |               | function in rpc-message.c               |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2020-29362   |
+                        +------------------+          +                    +---------------+-----------------------------------------+
|                        | CVE-2020-29363   |          |                    |               | p11-kit: out-of-bounds write in         |
|                        |                  |          |                    |               | p11_rpc_buffer_get_byte_array_value     |
|                        |                  |          |                    |               | function in rpc-message.c               |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2020-29363   |
+------------------------+------------------+----------+--------------------+---------------+-----------------------------------------+
| pcre                   | CVE-2019-20838   | LOW      | 8.42-4.el8         |               | pcre: buffer over-read in               |
|                        |                  |          |                    |               | JIT when UTF is disabled                |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2019-20838   |
+                        +------------------+          +                    +---------------+-----------------------------------------+
|                        | CVE-2020-14155   |          |                    |               | pcre: integer overflow in libpcre       |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2020-14155   |
+------------------------+------------------+----------+--------------------+---------------+-----------------------------------------+
| platform-python        | CVE-2019-18348   | MEDIUM   | 3.6.8-31.el8       |               | python: CRLF injection via the          |
|                        |                  |          |                    |               | host part of the url passed to...       |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2019-18348   |
+                        +------------------+          +                    +---------------+-----------------------------------------+
|                        | CVE-2020-26116   |          |                    |               | python: CRLF injection via HTTP         |
|                        |                  |          |                    |               | request method in httplib/http.client   |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2020-26116   |
+                        +------------------+          +                    +---------------+-----------------------------------------+
|                        | CVE-2020-27619   |          |                    |               | python: Python 3 eval of http           |
|                        |                  |          |                    |               | resources during test suite runs        |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2020-27619   |
+                        +------------------+----------+                    +---------------+-----------------------------------------+
|                        | CVE-2019-9674    | LOW      |                    |               | python: Nested zip file (Zip bomb)      |
|                        |                  |          |                    |               | vulnerability in Lib/zipfile.py         |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2019-9674    |
+------------------------+------------------+----------+                    +---------------+-----------------------------------------+
| python3-libs           | CVE-2019-18348   | MEDIUM   |                    |               | python: CRLF injection via the          |
|                        |                  |          |                    |               | host part of the url passed to...       |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2019-18348   |
+                        +------------------+          +                    +---------------+-----------------------------------------+
|                        | CVE-2020-26116   |          |                    |               | python: CRLF injection via HTTP         |
|                        |                  |          |                    |               | request method in httplib/http.client   |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2020-26116   |
+                        +------------------+          +                    +---------------+-----------------------------------------+
|                        | CVE-2020-27619   |          |                    |               | python: Python 3 eval of http           |
|                        |                  |          |                    |               | resources during test suite runs        |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2020-27619   |
+                        +------------------+----------+                    +---------------+-----------------------------------------+
|                        | CVE-2019-9674    | LOW      |                    |               | python: Nested zip file (Zip bomb)      |
|                        |                  |          |                    |               | vulnerability in Lib/zipfile.py         |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2019-9674    |
+------------------------+------------------+----------+--------------------+---------------+-----------------------------------------+
| python3-libxml2        | CVE-2020-24977   | MEDIUM   | 2.9.7-8.el8        |               | libxml2: Buffer Overflow                |
|                        |                  |          |                    |               | vulnerability in                        |
|                        |                  |          |                    |               | xmlEncodeEntitiesInternal               |
|                        |                  |          |                    |               | at libxml2/entities.c                   |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2020-24977   |
+------------------------+------------------+          +--------------------+---------------+-----------------------------------------+
| python3-pip-wheel      | CVE-2020-14422   |          | 9.0.3-18.el8       |               | python: DoS via inefficiency            |
|                        |                  |          |                    |               | in IPv{4,6}Interface classes            |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2020-14422   |
+                        +------------------+----------+                    +---------------+-----------------------------------------+
|                        | CVE-2018-20225   | LOW      |                    |               | python-pip: when --extra-index-url      |
|                        |                  |          |                    |               | option is used and package              |
|                        |                  |          |                    |               | does not already exist...               |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2018-20225   |
+------------------------+------------------+----------+--------------------+---------------+-----------------------------------------+
| sqlite-libs            | CVE-2019-5827    | HIGH     | 3.26.0-11.el8      |               | chromium-browser:                       |
|                        |                  |          |                    |               | out-of-bounds access in SQLite          |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2019-5827    |
+                        +------------------+----------+                    +---------------+-----------------------------------------+
|                        | CVE-2019-13750   | MEDIUM   |                    |               | sqlite: dropping of shadow tables       |
|                        |                  |          |                    |               | not restricted in defensive mode        |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2019-13750   |
+                        +------------------+          +                    +---------------+-----------------------------------------+
|                        | CVE-2019-13751   |          |                    |               | sqlite: fts3: improve                   |
|                        |                  |          |                    |               | detection of corrupted records          |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2019-13751   |
+                        +------------------+          +                    +---------------+-----------------------------------------+
|                        | CVE-2019-19242   |          |                    |               | sqlite: SQL injection in                |
|                        |                  |          |                    |               | sqlite3ExprCodeTarget in expr.c         |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2019-19242   |
+                        +------------------+          +                    +---------------+-----------------------------------------+
|                        | CVE-2019-19603   |          |                    |               | sqlite: mishandles certain SELECT       |
|                        |                  |          |                    |               | statements with a nonexistent           |
|                        |                  |          |                    |               | VIEW, leading to DoS...                 |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2019-19603   |
+                        +------------------+          +                    +---------------+-----------------------------------------+
|                        | CVE-2019-19645   |          |                    |               | sqlite: infinite recursion via          |
|                        |                  |          |                    |               | certain types of self-referential       |
|                        |                  |          |                    |               | views in conjunction with...            |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2019-19645   |
+                        +------------------+          +                    +---------------+-----------------------------------------+
|                        | CVE-2019-19880   |          |                    |               | sqlite: invalid pointer dereference     |
|                        |                  |          |                    |               | in exprListAppendList in window.c       |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2019-19880   |
+                        +------------------+          +                    +---------------+-----------------------------------------+
|                        | CVE-2020-13434   |          |                    |               | sqlite: integer overflow                |
|                        |                  |          |                    |               | in sqlite3_str_vappendf                 |
|                        |                  |          |                    |               | function in printf.c                    |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2020-13434   |
+                        +------------------+          +                    +---------------+-----------------------------------------+
|                        | CVE-2020-13435   |          |                    |               | sqlite: NULL pointer dereference        |
|                        |                  |          |                    |               | leads to segmentation fault in          |
|                        |                  |          |                    |               | sqlite3ExprCodeTarget in expr.c...      |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2020-13435   |
+                        +------------------+          +                    +---------------+-----------------------------------------+
|                        | CVE-2020-15358   |          |                    |               | sqlite: heap-based buffer overflow in   |
|                        |                  |          |                    |               | multiSelectOrderBy due to mishandling   |
|                        |                  |          |                    |               | of query-flattener optimization...      |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2020-15358   |
+                        +------------------+----------+                    +---------------+-----------------------------------------+
|                        | CVE-2019-19244   | LOW      |                    |               | sqlite: allows a crash                  |
|                        |                  |          |                    |               | if a sub-select uses both               |
|                        |                  |          |                    |               | DISTINCT and window...                  |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2019-19244   |
+                        +------------------+          +                    +---------------+-----------------------------------------+
|                        | CVE-2019-9936    |          |                    |               | sqlite: heap-based buffer               |
|                        |                  |          |                    |               | over-read in function                   |
|                        |                  |          |                    |               | fts5HashEntrySort in sqlite3.c          |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2019-9936    |
+                        +------------------+          +                    +---------------+-----------------------------------------+
|                        | CVE-2019-9937    |          |                    |               | sqlite: null-pointer                    |
|                        |                  |          |                    |               | dereference in function                 |
|                        |                  |          |                    |               | fts5ChunkIterate in sqlite3.c           |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2019-9937    |
+------------------------+------------------+----------+--------------------+---------------+-----------------------------------------+
| systemd                | CVE-2018-20839   | MEDIUM   | 239-41.el8_3.1     |               | systemd: mishandling of the             |
|                        |                  |          |                    |               | current keyboard mode check             |
|                        |                  |          |                    |               | leading to passwords being...           |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2018-20839   |
+                        +------------------+          +                    +---------------+-----------------------------------------+
|                        | CVE-2019-3842    |          |                    |               | systemd: Spoofing of XDG_SEAT           |
|                        |                  |          |                    |               | allows for actions to be checked        |
|                        |                  |          |                    |               | against "allow_active"...               |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2019-3842    |
+                        +------------------+          +                    +---------------+-----------------------------------------+
|                        | CVE-2020-13776   |          |                    |               | systemd: mishandles numerical           |
|                        |                  |          |                    |               | usernames beginning with decimal        |
|                        |                  |          |                    |               | digits or 0x followed by...             |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2020-13776   |
+------------------------+------------------+          +                    +---------------+-----------------------------------------+
| systemd-libs           | CVE-2018-20839   |          |                    |               | systemd: mishandling of the             |
|                        |                  |          |                    |               | current keyboard mode check             |
|                        |                  |          |                    |               | leading to passwords being...           |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2018-20839   |
+                        +------------------+          +                    +---------------+-----------------------------------------+
|                        | CVE-2019-3842    |          |                    |               | systemd: Spoofing of XDG_SEAT           |
|                        |                  |          |                    |               | allows for actions to be checked        |
|                        |                  |          |                    |               | against "allow_active"...               |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2019-3842    |
+                        +------------------+          +                    +---------------+-----------------------------------------+
|                        | CVE-2020-13776   |          |                    |               | systemd: mishandles numerical           |
|                        |                  |          |                    |               | usernames beginning with decimal        |
|                        |                  |          |                    |               | digits or 0x followed by...             |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2020-13776   |
+------------------------+------------------+          +                    +---------------+-----------------------------------------+
| systemd-pam            | CVE-2018-20839   |          |                    |               | systemd: mishandling of the             |
|                        |                  |          |                    |               | current keyboard mode check             |
|                        |                  |          |                    |               | leading to passwords being...           |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2018-20839   |
+                        +------------------+          +                    +---------------+-----------------------------------------+
|                        | CVE-2019-3842    |          |                    |               | systemd: Spoofing of XDG_SEAT           |
|                        |                  |          |                    |               | allows for actions to be checked        |
|                        |                  |          |                    |               | against "allow_active"...               |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2019-3842    |
+                        +------------------+          +                    +---------------+-----------------------------------------+
|                        | CVE-2020-13776   |          |                    |               | systemd: mishandles numerical           |
|                        |                  |          |                    |               | usernames beginning with decimal        |
|                        |                  |          |                    |               | digits or 0x followed by...             |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2020-13776   |
+------------------------+------------------+----------+--------------------+---------------+-----------------------------------------+
| tar                    | CVE-2019-9923    | LOW      | 2:1.30-5.el8       |               | tar: null-pointer dereference           |
|                        |                  |          |                    |               | in pax_decode_header in sparse.c        |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2019-9923    |
+------------------------+------------------+          +--------------------+---------------+-----------------------------------------+
| vim-minimal            | CVE-2018-20786   |          | 2:8.0.1763-15.el8  |               | libvterm: NULL pointer dereference      |
|                        |                  |          |                    |               | in vterm_screen_set_callbacks           |
|                        |                  |          |                    |               | -->avd.aquasec.com/nvd/cve-2018-20786   |
+------------------------+------------------+----------+--------------------+---------------+-----------------------------------------+

Oh, it's pretty vulnerable. ..

Recommended Posts

Check all container image vulnerabilities in private registries with trivy
Check all container image licenses in private registry with tern
[Docker] Start container, start bash in container, delete image