CVE-2024-30045 detection #6712
Closed
bbayszczak
started this conversation in
False Detection
Replies: 1 comment 2 replies
Hello @bbayszczak, this problem is related to the GitHub advisory database.
I created github/advisory-database#4440. Regards, Dmitriy
IDs
CVE-2024-30045
Description
Hello!
It looks like trivy is not identifying the CVE-2024-30045 vulnerability. This vulnerability has been patched in .NET Core 8.0.5.
Here is a scan of the aspnet image 8.0.4 (with the vulnerability): CVE-2024-30045 is not seen.
We can see, running the trivy command with -f json, that it's using the GitHub Advisory DB as a source. And we can find the vulnerability in the GitHub Advisory DB:
https://github.com/advisories?query=type%3Areviewed+ecosystem%3Anuget+CVE-2024-30045
If we go into the scanned image mcr.microsoft.com/dotnet/aspnet:8.0.4, we can find the reference to the vulnerable library Microsoft.NetCore.App.Runtime.linux-arm64 in a dependency file (found in the GitHub Advisory DB).
Desired Behavior
CVE-2024-30045 should be displayed by trivy
My thoughts
As you can see in the snippet above, I used grep -i to make the grep case insensitive. In the GitHub Vuln DB, the library is Microsoft.NetCore.App.Runtime.linux-arm64, but in the dependency file the library is referenced as Microsoft.NETCore.App.Runtime.linux-arm64: NetCore => NETCore.
If trivy is case sensitive when matching the library name, it could explain this issue.
Reproduction Steps
Target: Container Image
Scanner: Vulnerability
Target OS: No response
Debug Output
Version
> trivy --version
Version: 0.51.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-05-16 12:12:59.433256097 +0000 UTC
  NextUpdate: 2024-05-16 18:12:59.433255856 +0000 UTC
  DownloadedAt: 2024-05-16 12:47:59.271909 +0000 UTC
Check Bundle:
  Digest: sha256:1df8ade71efc830877ca3b1130f83e0c6368e3a45b0d4c0f0418955501644054
  DownloadedAt: 2024-05-16 08:11:21.028552 +0000 UTC
Checklist
-f json that shows data sources and confirmed that the security advisory in data sources was correct
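The case-sensitivity hypothesis from the post above, as an added example that is not trivy's own matching code: a minimal advisory matcher over constructed data modelled on the report, run once with exact name comparison and once with case folding (NuGet package IDs are case-insensitive). The Advisory/Package types and the match function are illustration-only assumptions; the 8.0.5 fixed version and the two spellings of the package name are taken from the report.

```python
from typing import NamedTuple


class Advisory(NamedTuple):
    cve: str
    package: str   # package name as spelled in the advisory feed
    patched: str   # first fixed version


class Package(NamedTuple):
    name: str      # package name as spelled in the image's dependency file
    version: str


def parse_version(v: str) -> tuple:
    # Numeric-only comparison; enough for the 8.0.x versions in the report.
    return tuple(int(p) for p in v.split("."))


def nuget_key(name: str) -> str:
    # NuGet package IDs are case-insensitive, so fold case before comparing.
    return name.lower()


def match(packages, advisories, case_sensitive: bool):
    """Return (name, version, cve) for every package below an advisory's fixed version."""
    hits = []
    for pkg in packages:
        for adv in advisories:
            if case_sensitive:
                same = pkg.name == adv.package
            else:
                same = nuget_key(pkg.name) == nuget_key(adv.package)
            if same and parse_version(pkg.version) < parse_version(adv.patched):
                hits.append((pkg.name, pkg.version, adv.cve))
    return hits


# Constructed sample data: advisory spelling vs. dependency-file spelling from the report.
ADVISORIES = [Advisory("CVE-2024-30045", "Microsoft.NetCore.App.Runtime.linux-arm64", "8.0.5")]
DEPS_8_0_4 = [Package("Microsoft.NETCore.App.Runtime.linux-arm64", "8.0.4")]
DEPS_8_0_5 = [Package("Microsoft.NETCore.App.Runtime.linux-arm64", "8.0.5")]

if __name__ == "__main__":
    print("exact match:", match(DEPS_8_0_4, ADVISORIES, case_sensitive=True))    # []
    print("case-folded:", match(DEPS_8_0_4, ADVISORIES, case_sensitive=False))   # one hit
```

The exact comparison misses the 8.0.4 image entirely, while the case-folded comparison reports it and still stays quiet on 8.0.5.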