Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(sbom,scan): find openssl CVEs for FIPS provider #1211

Merged
merged 1 commit into from
Sep 26, 2024
Merged

fix(sbom,scan): find openssl CVEs for FIPS provider #1211

merged 1 commit into from
Sep 26, 2024

Conversation

luhring
Copy link
Contributor

@luhring luhring commented Sep 25, 2024

Ensures we find openssl CVEs for the FIPS provider by explicitly setting the package CPE.

Before

$ wolfictl scan -D ./openssl-provider-fips-3.0.9-r1.apk
🔎 Scanning "./openssl-provider-fips-3.0.9-r1.apk"
✅ No vulnerabilities found

After

$ wolfictl scan -D ./openssl-provider-fips-3.0.9-r1.apk
🔎 Scanning "./openssl-provider-fips-3.0.9-r1.apk"
└── 📄 /.PKGINFO
        📦 openssl-provider-fips 3.0.9-r1 (apk)
            Medium CVE-2023-2975
            Medium CVE-2023-3817
            High CVE-2023-4807
            High CVE-2023-5363
            Medium CVE-2023-5678
            Medium CVE-2023-6129
            Unknown CVE-2023-6237
            Medium CVE-2024-0727
            Unknown CVE-2024-2511
            Medium CVE-2024-4603
            Critical CVE-2024-5535
            High CVE-2024-6119

@luhring luhring requested a review from xnox September 25, 2024 23:32
@luhring luhring merged commit 9dfbf1b into wolfi-dev:main Sep 26, 2024
3 checks passed
@luhring luhring deleted the fipsy-openssl branch September 26, 2024 13:48
xnox
xnox reviewed Sep 26, 2024
View reviewed changes
Copy link
Contributor

@xnox xnox left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more. 

$ wolfictl scan -D ./openssl-provider-fips-3.0.9-r1.apk --distro 'chainguard'
🔎 Scanning "./openssl-provider-fips-3.0.9-r1.apk"
└── 📄 /.PKGINFO
        📦 openssl-provider-fips 3.0.9-r1 (apk)
            Unknown CVE-2023-6237
            Medium CVE-2024-4603

Is correct as of today, thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@xnox xnox xnox left review comments

@priyawadhwa priyawadhwa priyawadhwa approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@luhring @xnox @priyawadhwa