.NET SDK images have (false positive) .NET CVEs #5325

richlander · 2024-04-02T19:11:31Z

This should never happen. The scanners are reporting false positives (in part) due to stale dependencies.

This has been reported multiple times. I'm starting a new tracking issue. There are lots of scanners. I'm using Docker Scout because it is easy for me to use. Nice product!

.NET SDK 8.0.203 image:

There are a mixture of .NET SDK, PowerShell (due to .NET dependencies), and Debian CVEs.

.NET SDK 8.0.300-preview.24201.7 (from https://github.com/dotnet/installer?tab=readme-ov-file#table):

A number of the (false positive) .NET CVEs are resolved in 8.0.300, which should be released in May.

Outstanding issues:

CVE-2023-29331
- System.Security.Cryptography.Pkcs 7.0.0
- /usr/share/dotnet/sdk/8.0.300-preview.24201.7/DotnetTools/dotnet-watch/8.0.300-preview.24201.10/tools/net8.0/any/BuildHost-netcore/Microsoft.CodeAnalysis.Workspaces.MSBuild.BuildHost.deps.json
CVE-2024-0057
- NuGet.Packaging 6.7.0.127
- /usr/share/powershell/.store/powershell.linux.x64/7.4.1/powershell.linux.x64/7.4.1/tools/net8.0/any/Modules/Microsoft.PowerShell.PSResourceGet/dependencies/NuGet.Packaging.dll
- /usr/share/powershell/.store/powershell.linux.x64/7.4.1/powershell.linux.x64/7.4.1/tools/net8.0/any/Modules/Microsoft.PowerShell.PSResourceGet/_manifest/spdx_2.2/manifest.spdx.json
CVE-2024-0056
- System.Data.SqlClient 4.8.5
- /usr/share/powershell/.store/powershell.linux.x64/7.4.1/powershell.linux.x64/7.4.1/tools/net8.0/any/Modules/PSReadLine/_manifest/spdx_2.2/manifest.spdx.json

The remaining Debian issues are low severity and have a mix of fix available and not at the time of writing:

The CVE with a fix available should be resolved the next time we rebuild our Debian images.

The text was updated successfully, but these errors were encountered:

lbussell · 2024-04-04T16:46:23Z

Related: dotnet/sdk#30659

mrhussaini · 2024-04-30T18:00:51Z

Any tentative date when these images will be available to download that has no vulnerabilities?

richlander · 2024-04-30T18:22:23Z

The May images should have a marked improvement.

mrhussaini · 2024-05-01T13:16:29Z

Sorry not sure If I understand. IF you do not know the tentative date, can you able to confirm this is will be available to download in beginning or mid or end of the May month?

richlander · 2024-05-01T15:01:35Z

I know the date. It's always patch Tuesday. We just scanned the May images. It appears that we're down to just one false positive that we'll need to fix in the following month.

Here is the latest fix: dotnet/roslyn#73283.

MichaelSimons · 2024-05-01T16:22:20Z

The 8.0.205 release which will be released on patch Tuesday is down to two false positives. 8.0.300 will which will co-release with VS 17.10 will be down to one.

mrhussaini · 2024-05-01T16:25:10Z

Tuesday - 05/07 ?
Which of the vulnerabilities, false positives that will be remediated in following month (June)?

Michael 8000 Simons · 2024-05-01T16:28:44Z

Tuesday - 05/07 ?

Patch Tuesday is always the second Tuesday of the month. For May, it is the 14th.

Which of the vulnerabilities, false positives that will be remediated in following month (June)?

The last vulnerability that is fixed by dotnet/roslyn#73283 is:

   0C     1H     0M     0L  System.Security.Cryptography.Pkcs 7.0.0
pkg:nuget/System.Security.Cryptography.Pkcs@7.0.0
 
    x HIGH CVE-2023-29331
https://scout.docker.com/v/CVE-2023-29331
      Affected range : >=7.0.0
                     : <=7.0.1
      Fixed version  : 7.0.2
      CVSS Score     : 7.5
      CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

mrhussaini · 2024-05-01T16:38:21Z

Thanks for the clarification. One last question please (I hope)
So, all the vulnerabilities are remediated and will be available for us to download by 05/14th ?

MichaelSimons · 2024-05-01T18:06:51Z

So, all the vulnerabilities are remediated and will be available for us to download by 05/14th ?

No. See my earlier response at #5325 (comment)

mrhussaini · 2024-05-02T13:59:05Z

What I understand is with this statement "8.0.300 will which will co-release with VS 17.10 will be down to one."

There will be one false positive vulnerability in 8.0.300 release. Correct? Which will be addressed in June?

MichaelSimons · 2024-05-02T14:59:02Z

There will be one false positive vulnerability in 8.0.300 release. Correct?

Yes

Which will be addressed in June?

That is what we are working towards.

mrhussaini · 2024-05-02T15:02:43Z

Thanks a lot. Once last question please. Which false positive vulnerability that will be remediated in June? CVE name?

MichaelSimons · 2024-05-02T15:05:47Z

Thanks a lot. Once last question please. Which false positive vulnerability that will be remediated in June? CVE name?

Please see my earlier response.

mrhussaini · 2024-05-02T15:13:52Z

look like this one : CVE-2023-29331

richlander · 2024-05-02T15:51:16Z

That is the one Michael mentioned: #5325 (comment)

MichaelSimons · 2024-06-18T18:39:17Z

The last of the CVEs was addressed and both 6.0 and 8.0 images are currently clean of false positives (.NET CVEs).

richlander · 2024-08-10T18:10:28Z

New report at #5753. We are looking into this.

My analysis suggests that this is another false positive. These are difficult for us to prevent with our current infrastructure. We're looking at improving the infrastructure so that we have a more systematic way of preventing false positives (by ensuring all PackageRefs in our graph are updated).

itaysk · 2024-08-26T14:29:00Z

Hello from team Trivy :) Just chiming in to say that Trivy now allows software maintainers (you) to publish vulnerability analysis for your packages (or libraries or images) so that those vulnerabilities will be automatically suppressed for end users. You can see more info here:
https://aquasecurity.github.io/trivy/latest/docs/supply-chain/vex/repo/#publishing-vex-documents
https://github.com/aquasecurity/vexhub

richlander added the bug label Apr 2, 2024

github-project-automation bot added this to .NET Docker Apr 2, 2024

github-project-automation bot moved this to Backlog in .NET Docker Apr 2, 2024

ghost added area-dockerfiles untriaged labels Apr 2, 2024

richlander changed the title ~~.NET SDK images have .NET CVEs~~ .NET SDK images have (false positive) .NET CVEs Apr 2, 2024

richlander mentioned this issue Apr 2, 2024

Resolve dotnet-watch dependency to avoid CVE-2023-29331 scanner false positive dotnet/sdk#39955

Open

ngruelaneo mentioned this issue Apr 3, 2024

fix: add update debian base image in Dockerfile aneoconsulting/ArmoniK.Core#686

Closed

lbussell removed the untriaged label Apr 11, 2024

lbussell moved this from Backlog to Tracking in .NET Docker Apr 11, 2024

richlander mentioned this issue Apr 23, 2024

Need Docker Image for Ubuntu Chiseled + .NET #5388

Closed

richlander mentioned this issue May 24, 2024

Produce a smaller SDK dotnet/sdk#41128

Open

MichaelSimons mentioned this issue Jun 18, 2024

Develop process to validate SDK does not include any vulnerable components dotnet/sdk#41659

Open

MichaelSimons closed this as completed Jun 18, 2024

github-project-automation bot moved this from Tracking to Done in .NET Docker Jun 18, 2024

richlander reopened this Aug 10, 2024

github-project-automation bot moved this from Done to Sprint in .NET Docker Aug 10, 2024

lbussell moved this from Sprint to Tracking in .NET Docker Aug 13, 2024

lbussell mentioned this issue Nov 4, 2024

Security Vulnerability CVE-2024-43485 #6024

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

.NET SDK images have (false positive) .NET CVEs #5325

.NET SDK images have (false positive) .NET CVEs #5325

.NET SDK images have (false positive) .NET CVEs #5325

.NET SDK images have (false positive) .NET CVEs #5325

Comments