
fix(ci): qa:apache-server-scannerci #1750

Status: Open. Wants to merge 1 commit into base: master.

Conversation

dcaravel (Contributor) commented Dec 19, 2024

example failure

The vulns listed in the test cases associated with cron and ubuntu:14.04 in image quay.io/rhacs-eng/qa:apache-server-scannerci are no longer found. The test case has been updated to check for vulns from a different package.

The new vulns were chosen at random from the scan results (reviewers, please share if there is a reason this particular test case exists and if different vulns should be chosen; of note, the new vulns have fixedBy values but the old ones did not).

Inspecting the last 'genesis dump' from CI for one of the vulns in question confirmed it is no longer listed for ubuntu:14.04:

cat os_vulns.json | jq -r '.[] | select(.Name == "CVE-2017-9525") | "\(.Name) \(.Namespace.Name) \(.Namespace.VersionFormat) \(.Link)"' | grep -i ubuntu | sort | column -s " " -t 

CVE-2017-9525  ubuntu:16.04     dpkg  https://ubuntu.com/security/CVE-2017-9525
CVE-2017-9525  ubuntu:18.04     dpkg  https://ubuntu.com/security/CVE-2017-9525
CVE-2017-9525  ubuntu:19.10     dpkg  https://ubuntu.com/security/CVE-2017-9525
CVE-2017-9525  ubuntu:20.04     dpkg  https://ubuntu.com/security/CVE-2017-9525
CVE-2017-9525  ubuntu:20.10     dpkg  https://ubuntu.com/security/CVE-2017-9525
CVE-2017-9525  ubuntu:21.04     dpkg  https://ubuntu.com/security/CVE-2017-9525
CVE-2017-9525  ubuntu:21.10     dpkg  https://ubuntu.com/security/CVE-2017-9525
CVE-2017-9525  ubuntu:22.04     dpkg  https://ubuntu.com/security/CVE-2017-9525
CVE-2017-9525  ubuntu:22.10     dpkg  https://ubuntu.com/security/CVE-2017-9525
CVE-2017-9525  ubuntu:23.04     dpkg  https://ubuntu.com/security/CVE-2017-9525
CVE-2017-9525  ubuntu:23.10     dpkg  https://ubuntu.com/security/CVE-2017-9525
CVE-2017-9525  ubuntu:24.04     dpkg  https://ubuntu.com/security/CVE-2017-9525

Compared to the genesis dump for StackRox 4.6.1, the vuln is indeed listed for ubuntu:14.04:

gsutil cp gs://stackrox-scanner-ci-vuln-dump/genesis-20241024031240.zip .
...
cat os_vulns.json | jq -r '.[] | select(.Name == "CVE-2017-9525") | "\(.Name) \(.Namespace.Name) \(.Namespace.VersionFormat) \(.Link)"' | grep -i ubuntu | sort | column -s " " -t 

CVE-2017-9525  ubuntu:14.04  dpkg  https://ubuntu.com/security/CVE-2017-9525 <-- missing above
CVE-2017-9525  ubuntu:16.04  dpkg  https://ubuntu.com/security/CVE-2017-9525
CVE-2017-9525  ubuntu:18.04  dpkg  https://ubuntu.com/security/CVE-2017-9525
CVE-2017-9525  ubuntu:19.10  dpkg  https://ubuntu.com/security/CVE-2017-9525
CVE-2017-9525  ubuntu:20.04  dpkg  https://ubuntu.com/security/CVE-2017-9525
CVE-2017-9525  ubuntu:20.10  dpkg  https://ubuntu.com/security/CVE-2017-9525
CVE-2017-9525  ubuntu:21.04  dpkg  https://ubuntu.com/security/CVE-2017-9525
CVE-2017-9525  ubuntu:21.10  dpkg  https://ubuntu.com/security/CVE-2017-9525
CVE-2017-9525  ubuntu:22.04  dpkg  https://ubuntu.com/security/CVE-2017-9525
CVE-2017-9525  ubuntu:22.10  dpkg  https://ubuntu.com/security/CVE-2017-9525
CVE-2017-9525  ubuntu:23.04  dpkg  https://ubuntu.com/security/CVE-2017-9525
CVE-2017-9525  ubuntu:23.10  dpkg  https://ubuntu.com/security/CVE-2017-9525
CVE-2017-9525  ubuntu:24.04  dpkg  https://ubuntu.com/security/CVE-2017-9525

It appears that future new genesis dumps (CI creates a new one every run) will not contain this vuln for ubuntu:14.04.

The Ubuntu page for CVE-2017-9525 shows this:

[image: screenshot of the Ubuntu security tracker page for CVE-2017-9525]

The status of the spot-checked vuln was changed on Dec 18th to ignored (thanks for finding that @RTann), which will cause the vuln to be omitted from Scanner's vuln feeds.
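The jq one-liners above answer the question for a single CVE by eye. The script below is an added example (not StackRox Scanner code and not part of this PR) that generalizes the same check: given an older and a newer os_vulns.json, it reports every CVE whose set of namespaces shrank, so a status flip like the one that dropped ubuntu:14.04 surfaces without guessing which CVE to grep for. It assumes only the record fields the jq filter selects (Name, Namespace.Name, Namespace.VersionFormat, Link); the two dumps embedded below are constructed sample data, and CVE-0000-0001 is a placeholder identifier, not a real vuln.

```python
"""Diff two Scanner genesis-dump os_vulns.json files by CVE and namespace.

Added example, not StackRox Scanner code. Assumed record shape (from the jq
filter used in the PR): {"Name": ..., "Namespace": {"Name": ...,
"VersionFormat": ...}, "Link": ...}.
"""
import json
import sys
from typing import Dict, List


def namespaces_for(dump: List[dict], cve: str, distro_prefix: str = "") -> Dict[str, dict]:
    """Map namespace name -> {VersionFormat, Link} for every record of `cve`.

    `distro_prefix` is a case-insensitive namespace filter such as "ubuntu",
    the equivalent of the `grep -i ubuntu` in the one-liner.
    """
    out: Dict[str, dict] = {}
    for rec in dump:
        if rec.get("Name") != cve:
            continue
        ns_obj = rec.get("Namespace") or {}
        ns = ns_obj.get("Name", "")
        if distro_prefix and not ns.lower().startswith(distro_prefix.lower()):
            continue
        out[ns] = {"VersionFormat": ns_obj.get("VersionFormat"), "Link": rec.get("Link")}
    return out


def dropped_namespaces(old_dump: List[dict], new_dump: List[dict], cve: str,
                       distro_prefix: str = "") -> List[str]:
    """Namespaces that list `cve` in the older dump but not in the newer one."""
    old = namespaces_for(old_dump, cve, distro_prefix)
    new = namespaces_for(new_dump, cve, distro_prefix)
    return sorted(set(old) - set(new))


def diff_all_cves(old_dump: List[dict], new_dump: List[dict],
                  distro_prefix: str = "") -> Dict[str, List[str]]:
    """Every CVE whose namespace set shrank between the dumps, with the missing namespaces."""
    result: Dict[str, List[str]] = {}
    for cve in sorted({rec.get("Name") for rec in old_dump if rec.get("Name")}):
        gone = dropped_namespaces(old_dump, new_dump, cve, distro_prefix)
        if gone:
            result[cve] = gone
    return result


def load_dump(path: str) -> List[dict]:
    """Read an os_vulns.json file (a JSON array of vuln records)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def _entry(cve: str, ns: str) -> dict:
    # Helper to build constructed sample records in the assumed shape.
    return {"Name": cve, "Namespace": {"Name": ns, "VersionFormat": "dpkg"},
            "Link": f"https://ubuntu.com/security/{cve}"}


# Constructed sample dumps, not real feed contents: OLD_DUMP stands in for the
# 4.6.1-era dump, NEW_DUMP for a later CI dump where ubuntu:14.04 has vanished
# for CVE-2017-9525. CVE-0000-0001 is a placeholder identifier.
OLD_DUMP = [_entry("CVE-2017-9525", ns) for ns in ("ubuntu:14.04", "ubuntu:16.04", "ubuntu:18.04")]
OLD_DUMP += [_entry("CVE-0000-0001", "ubuntu:14.04"), _entry("CVE-0000-0001", "debian:12")]
NEW_DUMP = [_entry("CVE-2017-9525", ns) for ns in ("ubuntu:16.04", "ubuntu:18.04")]
NEW_DUMP += [_entry("CVE-0000-0001", "ubuntu:14.04"), _entry("CVE-0000-0001", "debian:12")]


if __name__ == "__main__":
    # Usage: python diff_dumps.py OLD/os_vulns.json NEW/os_vulns.json [distro-prefix]
    # With no arguments the constructed sample dumps are compared.
    if len(sys.argv) >= 3:
        old, new = load_dump(sys.argv[1]), load_dump(sys.argv[2])
        prefix = sys.argv[3] if len(sys.argv) > 3 else ""
    else:
        old, new, prefix = OLD_DUMP, NEW_DUMP, "ubuntu"
    for cve, gone in diff_all_cves(old, new, prefix).items():
        print(f"{cve} no longer listed for: {', '.join(gone)}")
```

Run it against the os_vulns.json from two unpacked genesis zips (the older one fetched with gsutil as above) to get the full list of (CVE, namespace) pairs the newer feed dropped; a test case that pins a specific CVE to ubuntu:14.04 can be checked against that list before it breaks CI.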

RTann (Collaborator) commented Dec 20, 2024

@dcaravel here's the change which triggered this: https://git.launchpad.net/ubuntu-cve-tracker/commit/active/CVE-2017-9525?id=43a92d54e18289468b0c0616c3d847c5fbe35284

This was done yesterday. More end-of-year fun for us

dcaravel (Contributor, Author) commented Dec 20, 2024

> @dcaravel here's the change which triggered this: https://git.launchpad.net/ubuntu-cve-tracker/commit/active/CVE-2017-9525?id=43a92d54e18289468b0c0616c3d847c5fbe35284
>
> This was done yesterday. More end-of-year fun for us

The vulns being omitted from the genesis dump due to the status change (to ignored) appear to be handled as expected.

Is there something additional that we should do outside of what's in this PR? (for example, if we should still include these vulns, we could adjust the logic to not omit vulns with the 'end of ESM support' note or similar?)

@dcaravel dcaravel requested review from jvdm, BradLugo, daynewlee, RTann and a team December 20, 2024 01:07