CVE-2024-30045 detection

[bbayszczak]

IDs

CVE-2024-30045

Description

Hello !

It looks like trivy is not identifying the CVE-2024-30045 vulnerability.
This vulnerability has been patched in .NET Core 8.0.5

Here is a scan of the aspnet image 8.0.4 (with the vulnerability)

> trivy image --scanners vuln --vuln-type library  mcr.microsoft.com/dotnet/aspnet:8.0.4
2024-05-16T15:26:54+02:00	INFO	Vulnerability scanning is enabled
2024-05-16T15:26:54+02:00	INFO	Number of language-specific files	num=2
2024-05-16T15:26:54+02:00	INFO	[dotnet-core] Detecting vulnerabilities...

usr/share/dotnet/shared/Microsoft.AspNetCore.App/8.0.4/Microsoft.AspNetCore.App.deps.json (dotnet-core)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

┌──────────────────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│                   Library                    │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                             │
├──────────────────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ Microsoft.AspNetCore.App.Runtime.linux-arm64 │ CVE-2024-30046 │ MEDIUM   │ fixed  │ 8.0.4             │ 7.0.19, 8.0.5 │ dotnet: denial of service in ASP.NET Core due to deadlock in │
│                                              │                │          │        │                   │               │ Http2OutputProducer.Stop()...                                │
│                                              │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-30046                   │
└──────────────────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘

CVE-2024-30045 is not seen.

We can see running the trivy command with -f json that it's using the Github Advisory DB as a source.

> trivy image --scanners vuln --vuln-type library  mcr.microsoft.com/dotnet/aspnet:8.0.4 -f json
[...]
          "DataSource": {
            "ID": "ghsa",
            "Name": "GitHub Security Advisory NuGet",
            "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anuget"
          },
[...]

And we can find the vulnerability in the Github Advisory DB
https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anuget+CVE-2024-30045

If we go into the scanned image mcr.microsoft.com/dotnet/aspnet:8.0.4, we can find the reference to the vulnerable libraryMicrosoft.NetCore.App.Runtime.linux-arm64 in a dependency file (found in the Github Advisory DB).

> docker run -it mcr.microsoft.com/dotnet/aspnet:8.0.4 /bin/bash
root@8f353e59e5d8:/# grep -i Microsoft.NetCore.App.Runtime.linux-arm64 /usr/share/dotnet/shared/Microsoft.NETCore.App/8.0.4/Microsoft.NETCore.App.deps.json
      "Microsoft.NETCore.App.Runtime.linux-arm64/8.0.4": {
    "Microsoft.NETCore.App.Runtime.linux-arm64/8.0.4": {
      "path": "microsoft.netcore.app.runtime.linux-arm64/8.0.4"

Desired Behavior

CVE-2024-30045 should be displayed by trivy

My thoughts

As you can see in the snippet above, I used grep -i to make the grep case insensitive.
In the Github Vuln DB, the library is Microsoft.NetCore.App.Runtime.linux-arm64 but in the dependency file, the library is referenced as Microsoft.NETCore.App.Runtime.linux-arm64: NetCore => NETCore

If trivy is case sensitive when matching the library name, it could explain this issue.

Reproduction Steps

1. run `trivy image --scanners vuln --vuln-type library  mcr.microsoft.com/dotnet/aspnet:8.0.4`
2. the vulnerability `CVE-2024-30045` is not displayed

See description for further details

Target

Container Image

Scanner

Vulnerability

Target OS

No response

Debug Output

> trivy image --scanners vuln --vuln-type library  mcr.microsoft.com/dotnet/aspnet:8.0.4 --debug
2024-05-16T15:45:01+02:00	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-05-16T15:45:01+02:00	DEBUG	Ignore statuses	statuses=[]
2024-05-16T15:45:01+02:00	DEBUG	Cache dir	dir="/Users/bbayszczak/Library/Caches/trivy"
2024-05-16T15:45:01+02:00	DEBUG	DB update was skipped because the local DB is the latest
2024-05-16T15:45:01+02:00	DEBUG	DB info	schema=2 updated_at=2024-05-16T12:12:59.433256097Z next_update=2024-05-16T18:12:59.433255856Z downloaded_at=2024-05-16T12:47:59.271909Z
2024-05-16T15:45:01+02:00	INFO	Vulnerability scanning is enabled
2024-05-16T15:45:01+02:00	DEBUG	Vulnerability type	type=[library]
2024-05-16T15:45:01+02:00	DEBUG	Enabling misconfiguration scanners	scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-05-16T15:45:01+02:00	DEBUG	[nuget] The nuget packages directory couldn't be found. License search disabled
2024-05-16T15:45:01+02:00	DEBUG	[image] Detected image ID	image_id="sha256:16e8730bb1cc87a86d61b146e7f283781b95cdf9e0604871fcdaea65b36e37a6"
2024-05-16T15:45:01+02:00	DEBUG	[image] Detected diff ID	diff_ids=[sha256:2bd1a2222589b50b52ff960c3d004829633df61532e7a670a91618cd775f2d47 sha256:6d4fb422474c70603507b6fef95aa32abd9ee5ed231e9a51ead5532e17dd098a sha256:291ea19fe8be91a698a8ca0f40f61071f34fcda0ef12c6ae40ffdb177e3d7425 sha256:c3163f710da30c3e37c029649eea66b1581a6f47fef062f5555f070761a451cd sha256:ff333d531ea02deba799b63830a0f43ed298256cbe7d279d388b6ba30109ef77 sha256:e83a5d4b136cb9333c0db6d14d1b8b811d07b3776b292373c1a79a9ce920b295]
2024-05-16T15:45:01+02:00	DEBUG	[image] Detected base layers	diff_ids=[sha256:2bd1a2222589b50b52ff960c3d004829633df61532e7a670a91618cd775f2d47]
2024-05-16T15:45:01+02:00	INFO	Number of language-specific files	num=2
2024-05-16T15:45:01+02:00	INFO	[dotnet-core] Detecting vulnerabilities...
2024-05-16T15:45:01+02:00	DEBUG	[dotnet-core] Scanning packages from the file	file_path="usr/share/dotnet/shared/Microsoft.NETCore.App/8.0.4/Microsoft.NETCore.App.deps.json"
2024-05-16T15:45:01+02:00	DEBUG	[dotnet-core] Scanning packages from the file	file_path="usr/share/dotnet/shared/Microsoft.AspNetCore.App/8.0.4/Microsoft.AspNetCore.App.deps.json"
2024-05-16T15:45:01+02:00	DEBUG	Found an ignore file	path=".trivyignore"

usr/share/dotnet/shared/Microsoft.AspNetCore.App/8.0.4/Microsoft.AspNetCore.App.deps.json (dotnet-core)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

┌──────────────────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│                   Library                    │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                             │
├──────────────────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ Microsoft.AspNetCore.App.Runtime.linux-arm64 │ CVE-2024-30046 │ MEDIUM   │ fixed  │ 8.0.4             │ 7.0.19, 8.0.5 │ dotnet: denial of service in ASP.NET Core due to deadlock in │
│                                              │                │          │        │                   │               │ Http2OutputProducer.Stop()...                                │
│                                              │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-30046                   │
└──────────────────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘

Version

> trivy --version
Version: 0.51.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-05-16 12:12:59.433256097 +0000 UTC
  NextUpdate: 2024-05-16 18:12:59.433255856 +0000 UTC
  DownloadedAt: 2024-05-16 12:47:59.271909 +0000 UTC
Check Bundle:
  Digest: sha256:1df8ade71efc830877ca3b1130f83e0c6368e3a45b0d4c0f0418955501644054
  DownloadedAt: 2024-05-16 08:11:21.028552 +0000 UTC

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[DmitriyLewen]

Hello @bbayszczak
Thanks for your report!

This problem is related with GitHub advisory database.

usr/share/dotnet/shared/Microsoft.NETCore.App/8.0.4/Microsoft.NETCore.App.deps.json contains Microsoft.NETCore.App.Runtime.linux-x64 (NET).
But GitHub uses Microsoft.NetCore.App.Runtime.linux-x64 (Net).
For some packages, the case of the package name is important, so we compare package names without changing case.

I created github/advisory-database#4440.
Once the GH advisories are updated, trivy-db will be updated within 6 hours.

Regards, Dmitriy

[bbayszczak]

Hello @DmitriyLewen !

Thanks for your quick answer 🙂

Do you know if this happens frequently ?
If yes, could it be a good idea to add a case-insensitive mode in trivy ?

Regards

[DmitriyLewen]

I didn't see similar cases before. Let's wait GH answer.

could it be a good idea to add a case-insensitive mode in trivy ?

This is mistake in DB. So i am not sure that this is required.