
Comments (15)

lli-hiya avatar lli-hiya commented on May 28, 2024 1

@hashmap
You are using the clair-git image, which is not a stable release, and the API for that is not available yet. Can you please try the clair (stable release) image?

For my testing, clair-git indeed gives unique results (but I cannot use the clair API to verify if the result is correct or not), but clair still produces duplicate CVEs.

from klar.

pauvos avatar pauvos commented on May 28, 2024 1

debian:7 yields a lot of duplicates.

I receive a CVE-2010-4052 warning affecting eglibc approx. 10 times in a row.

klar: v2.0.2 (from github release page)
clair: quay.io/coreos/clair:v2.0.2

btw: thanks for sharing klar with the public!

Scan result: debian-7.20180425.txt


philenz avatar philenz commented on May 28, 2024 1

Hi @pauvos
If you output in JSON format, for example:
CLAIR_ADDR=http://localhost:6060 JSON_OUTPUT=true CLAIR_THRESHOLD=0 /usr/local/bin/klar debian:7 >/tmp/x
You can then use the excellent jq to remove duplicates:
cat /tmp/x | jq '[.Vulnerabilities.High[]]|unique'
cat /tmp/x | jq '[.Vulnerabilities.Medium[]]|unique'


hashmap avatar hashmap commented on May 28, 2024

Thanks for the report. Could you give more information, in particular:

  • Versions of Klar and Clair
  • Output with tracing enabled - add KLAR_TRACE=true
  • What layer id do you use in the curl request
  • Could you reproduce this behaviour on some public images?

Thanks!


lli-hiya avatar lli-hiya commented on May 28, 2024

@hashmap

  1. I don't know how to get the version of Klar; I used the command go get github.com/optiopay/klar to install and use it. For Clair, I am using this version: https://github.com/coreos/clair/tree/release-2.0

  2. I can reproduce this behaviour on the public python image. Here is the output of CLAIR_ADDR=http://192.168.99.100:30060 CLAIR_OUTPUT=High KLAR_TRACE=true klar python
    The original output is very long; I deleted some of it for readability.

----> HTTP REQUEST:
GET /v2/library/python/manifests/latest HTTP/1.1
Host: registry-1.docker.io
Accept: application/vnd.docker.distribution.manifest.v2+json


<---- HTTP RESPONSE:
HTTP/1.1 401 Unauthorized
Content-Length: 157
Content-Type: application/json; charset=utf-8
Date: Tue, 09 Jan 2018 17:55:38 GMT
Docker-Distribution-Api-Version: registry/2.0
Strict-Transport-Security: max-age=31536000
Www-Authenticate: Bearer realm="https://auth.docker.io/token",service="registry.docker.io",scope="repository:library/python:pull"

{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"repository","Class":"","Name":"library/python","Action":"pull"}]}]}

----> HTTP REQUEST:
GET /v2/library/python/manifests/latest HTTP/1.1
Host: registry-1.docker.io
Accept: application/vnd.docker.distribution.manifest.v2+json
Authorization: Bearer <omitted>


<---- HTTP RESPONSE:
HTTP/1.1 200 OK
Content-Length: 2007
Content-Type: application/vnd.docker.distribution.manifest.v2+json
Date: Tue, 09 Jan 2018 17:55:39 GMT
Docker-Content-Digest: sha256:98149ed5f37f48ea3fad26ae6c0042dd2b08228d58edc95ef0fce35f1b3d9e9f
Docker-Distribution-Api-Version: registry/2.0
Etag: "sha256:98149ed5f37f48ea3fad26ae6c0042dd2b08228d58edc95ef0fce35f1b3d9e9f"
Strict-Transport-Security: max-age=31536000

{
   "schemaVersion": 2,
   "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
   "config": {
      "mediaType": "application/vnd.docker.container.image.v1+json",
      "size": 7404,
      "digest": "sha256:c1e459c00dc3205dd530a3a688d562dc6d8153beb219c74168823ccb1709b3a7"
   },
   "layers": [
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 52599697,
         "digest": "sha256:f49cf87b52c10aa83b4f4405800527a74400fb19ea1821d209293bc4d53966aa"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 19266203,
         "digest": "sha256:7b491c575b06601bb07a2d88bfc3ace6c6005edc1b4d8da3ba6e37e04e9592d6"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 43253338,
         "digest": "sha256:b313b08bab3b8bbcf0de4171a2a80a01e67fab094f272819b76a58705d21ab28"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 134968174,
         "digest": "sha256:51d6678c3f0e0c6e2b58b51ad100912b7c0e4dfedf98a1808417216fd5d948e5"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 3167686,
         "digest": "sha256:09f35bd58db288964a8bb8698b5f41bfb05df1758e54c2aad2f3fda3c38b240a"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 19675884,
         "digest": "sha256:0f9de702e22255ec7a88c3e41c0a4e51ed00ba2fb91f5e106bcda1358e4a7743"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 240,
         "digest": "sha256:73911d37fcde0a506cee3ee29d522eb2805d016902f42a699df136820fec04f9"
      },
      {
         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 1670405,
         "digest": "sha256:99a87e214c92dac634f282d7d27b7d846ae9b8947b98144a29fe528c4098a61d"
      }
   ]
}   

Analysing 8 layers
----> HTTP REQUEST:
POST /v1/layers HTTP/1.1
Host: 192.168.99.100:30060
Content-Type: application/json

{"Layer":{"Name":"c1e459c00dc3205dd530a3a688d562dc6d8153beb219c74168823ccb1709b3a7f49cf87b52c10aa83b4f4405800527a74400fb19ea1821d209293bc4d53966aa","Path":"https://registry-1.docker.io/v2/library/python/blobs/sha256:f49cf87b52c10aa83b4f4405800527a74400fb19ea1821d209293bc4d53966aa","ParentName":"","Format":"Docker","Features":null,"Headers":{"Authorization":"Bearer eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsIng1YyI6WyJNSUlDTHpDQ0FkU2dBd0lCQWdJQkFEQUtCZ2dxaGtqT1BRUURBakJHTVVRd1FnWURWUVFERXp0Uk5Gb3pPa2RYTjBrNldGUlFSRHBJVFRSUk9rOVVWRmc2TmtGRlF6cFNUVE5ET2tGU01rTTZUMFkzTnpwQ1ZrVkJPa2xHUlVrNlExazFTekFlRncweE56QTFNREl5TWpBME5UZGFGdzB4T0RBMU1ESXlNakEwTlRkYU1FWXhSREJDQmdOVkJBTVRPMDFPTms0NlJraFVWenBKV0VWSE9rOUpOMUU2UVRWWFJqcFpSRVUwT2pkRE4wNDZSMWRKVVRvMVZ6STNPa2hPTlVvNlZVNURRVG95U0UxQ01Ga3dFd1lIS29aSXpqMENBUVlJS29aSXpqMERBUWNEUWdBRU5KRklhQ1hHNWYxSk9BZnZSaTJDU081K1Q5RVpKd2doai9SUXgzNW9Uc3Q4RnhXY0dRc3ZOMG5sdW5DVVdIbENxN2I4NFJRTXV0WUVIUnY4MVhweTU2T0JzakNCcnpBT0JnTlZIUThCQWY4RUJBTUNCNEF3RHdZRFZSMGxCQWd3QmdZRVZSMGxBREJFQmdOVkhRNEVQUVE3VFU0MlRqcEdTRlJYT2tsWVJVYzZUMGszVVRwQk5WZEdPbGxFUlRRNk4wTTNUanBIVjBsUk9qVlhNamM2U0U0MVNqcFZUa05CT2pKSVRVSXdSZ1lEVlIwakJEOHdQWUE3VVRSYU16cEhWemRKT2xoVVVFUTZTRTAwVVRwUFZGUllPalpCUlVNNlVrMHpRenBCVWpKRE9rOUdOemM2UWxaRlFUcEpSa1ZKT2tOWk5Vc3dDZ1lJS29aSXpqMEVBd0lEU1FBd1JnSWhBSTJVUlpMQVRTM3R4bjNpNTY0SXVQSFEwQU1Mb1g5cTZCMmdnN01KSHJuTkFpRUE0Q3lzbmtENHhjQm42amdobVdnQzczQjdGVkszenFnOTV4ZjNRK2xGVHlrPSJdfQ.eyJhY2Nlc3MiOlt7InR5cGUiOiJyZXBvc2l0b3J5IiwibmFtZSI6ImxpYnJhcnkvcHl0aG9uIiwiYWN0aW9ucyI6WyJwdWxsIl19XSwiYXVkIjoicmVnaXN0cnkuZG9ja2VyLmlvIiwiZXhwIjoxNTE1NTIwODM4LCJpYXQiOjE1MTU1MjA1MzgsImlzcyI6ImF1dGguZG9ja2VyLmlvIiwianRpIjoid3Rwa1VIbThlNF9tMVdndWE5b1ciLCJuYmYiOjE1MTU1MjAyMzgsInN1YiI6IiJ9.dORtMsO9ziAISa7US0x-LyVrVYDwFLW9JzPXAHughiA5x-Eh8SNRe2aMgXOtW6UqgadVA1LStdcBl9PAbj5bCA"}}}
<---- HTTP RESPONSE:
HTTP/1.1 201 Created
Content-Type: application/json;charset=utf-8
Date: Tue, 09 Jan 2018 17:56:39 GMT
Server: clair

{"Layer":{"Name":"c1e459c00dc3205dd530a3a688d562dc6d8153beb219c74168823ccb1709b3a7f49cf87b52c10aa83b4f4405800527a74400fb19ea1821d209293bc4d53966aa","Path":"https://registry-1.docker.io/v2/library/python/blobs/sha256:f49cf87b52c10aa83b4f4405800527a74400fb19ea1821d209293bc4d53966aa","Headers":{"Authorization":"Bearer <omitted>"},"Format":"Docker","IndexedByVersion":3}}


<Omitted similar stuff>

Got results from Clair API v1
Found 544 vulnerabilities
CVE-2016-2779: [High] 
Found in: util-linux
runuser in util-linux allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.
https://security-tracker.debian.org/tracker/CVE-2016-2779
-----------------------------------------
CVE-2016-2779: [High] 
Found in: util-linux
runuser in util-linux allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.
https://security-tracker.debian.org/tracker/CVE-2016-2779
-----------------------------------------
CVE-2016-2779: [High] 
Found in: util-linux
runuser in util-linux allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.
https://security-tracker.debian.org/tracker/CVE-2016-2779
-----------------------------------------
CVE-2016-2779: [High] 
Found in: util-linux
runuser in util-linux allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.
https://security-tracker.debian.org/tracker/CVE-2016-2779
-----------------------------------------
CVE-2016-2779: [High] 
Found in: util-linux
runuser in util-linux allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.
https://security-tracker.debian.org/tracker/CVE-2016-2779
-----------------------------------------
CVE-2016-2090: [High] 
Found in: libbsd
Off-by-one vulnerability in the fgetwln function in libbsd before 0.8.2 allows attackers to have unspecified impact via unknown vectors, which trigger a heap-based buffer overflow.
https://security-tracker.debian.org/tracker/CVE-2016-2090
-----------------------------------------
CVE-2017-14062: [High] 
Found in: libidn
Integer overflow in the decode_digit function in puny_decode.c in Libidn2 before 2.0.4 allows remote attackers to cause a denial of service or possibly have unspecified other impact.
https://security-tracker.debian.org/tracker/CVE-2017-14062
-----------------------------------------
CVE-2016-6711: [High] 
Found in: libvpx
A remote denial of service vulnerability in libvpx in Mediaserver in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-11-01 could enable an attacker to use a specially crafted file to cause a device hang or reboot. This issue is rated as High due to the possibility of remote denial of service. Android ID: A-30593765.
https://security-tracker.debian.org/tracker/CVE-2016-6711
-----------------------------------------
CVE-2016-6711: [High] 
Found in: libvpx
A remote denial of service vulnerability in libvpx in Mediaserver in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-11-01 could enable an attacker to use a specially crafted file to cause a device hang or reboot. This issue is rated as High due to the possibility of remote denial of service. Android ID: A-30593765.
https://security-tracker.debian.org/tracker/CVE-2016-6711
-----------------------------------------
CVE-2016-6711: [High] 
Found in: libvpx
A remote denial of service vulnerability in libvpx in Mediaserver in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-11-01 could enable an attacker to use a specially crafted file to cause a device hang or reboot. This issue is rated as High due to the possibility of remote denial of service. Android ID: A-30593765.
https://security-tracker.debian.org/tracker/CVE-2016-6711
-----------------------------------------
CVE-2016-6711: [High] 
Found in: libvpx
A remote denial of service vulnerability in libvpx in Mediaserver in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-11-01 could enable an attacker to use a specially crafted file to cause a device hang or reboot. This issue is rated as High due to the possibility of remote denial of service. Android ID: A-30593765.
https://security-tracker.debian.org/tracker/CVE-2016-6711
-----------------------------------------
CVE-2016-6711: [High] 
Found in: libvpx
A remote denial of service vulnerability in libvpx in Mediaserver in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-11-01 could enable an attacker to use a specially crafted file to cause a device hang or reboot. This issue is rated as High due to the possibility of remote denial of service. Android ID: A-30593765.
https://security-tracker.debian.org/tracker/CVE-2016-6711
-----------------------------------------
CVE-2016-6711: [High] 
Found in: libvpx
A remote denial of service vulnerability in libvpx in Mediaserver in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-11-01 could enable an attacker to use a specially crafted file to cause a device hang or reboot. This issue is rated as High due to the possibility of remote denial of service. Android ID: A-30593765.
https://security-tracker.debian.org/tracker/CVE-2016-6711
-----------------------------------------
CVE-2016-6711: [High] 
Found in: libvpx
A remote denial of service vulnerability in libvpx in Mediaserver in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-11-01 could enable an attacker to use a specially crafted file to cause a device hang or reboot. This issue is rated as High due to the possibility of remote denial of service. Android ID: A-30593765.
https://security-tracker.debian.org/tracker/CVE-2016-6711
-----------------------------------------
CVE-2017-9462: [High] 
Found in: mercurial
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and consequently execute arbitrary code, by using --debugger as a repository name.
https://security-tracker.debian.org/tracker/CVE-2017-9462
-----------------------------------------
CVE-2017-9462: [High] 
Found in: mercurial
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and consequently execute arbitrary code, by using --debugger as a repository name.
https://security-tracker.debian.org/tracker/CVE-2017-9462
-----------------------------------------
CVE-2017-12424: [High] 
Found in: shadow
In shadow before 4.5, the newusers tool could be made to manipulate internal data structures in ways unintended by the authors. Malformed input may lead to crashes (with a buffer overflow or other memory corruption) or other unspecified behaviors. This crosses a privilege boundary in, for example, certain web-hosting environments in which a Control Panel allows an unprivileged user account to create subaccounts.
https://security-tracker.debian.org/tracker/CVE-2017-12424
-----------------------------------------
CVE-2017-12424: [High] 
Found in: shadow
In shadow before 4.5, the newusers tool could be made to manipulate internal data structures in ways unintended by the authors. Malformed input may lead to crashes (with a buffer overflow or other memory corruption) or other unspecified behaviors. This crosses a privilege boundary in, for example, certain web-hosting environments in which a Control Panel allows an unprivileged user account to create subaccounts.
https://security-tracker.debian.org/tracker/CVE-2017-12424
-----------------------------------------
CVE-2017-12424: [High] 
Found in: shadow
In shadow before 4.5, the newusers tool could be made to manipulate internal data structures in ways unintended by the authors. Malformed input may lead to crashes (with a buffer overflow or other memory corruption) or other unspecified behaviors. This crosses a privilege boundary in, for example, certain web-hosting environments in which a Control Panel allows an unprivileged user account to create subaccounts.
https://security-tracker.debian.org/tracker/CVE-2017-12424
-----------------------------------------
CVE-2016-7949: [High] 
Found in: libxrender
Multiple buffer overflows in the (1) XvQueryAdaptors and (2) XvQueryEncodings functions in X.org libXrender before 0.9.10 allow remote X servers to trigger out-of-bounds write operations via vectors involving length fields.
https://security-tracker.debian.org/tracker/CVE-2016-7949
-----------------------------------------
CVE-2016-7949: [High] 
Found in: libxrender
Multiple buffer overflows in the (1) XvQueryAdaptors and (2) XvQueryEncodings functions in X.org libXrender before 0.9.10 allow remote X servers to trigger out-of-bounds write operations via vectors involving length fields.
https://security-tracker.debian.org/tracker/CVE-2016-7949
-----------------------------------------
CVE-2015-8947: [High] 
Found in: harfbuzz
hb-ot-layout-gpos-table.hh in HarfBuzz before 1.0.5 allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via crafted data, a different vulnerability than CVE-2016-2052.
https://security-tracker.debian.org/tracker/CVE-2015-8947
-----------------------------------------
CVE-2017-10989: [High] 
Found in: sqlite3
The getNodeSize function in ext/rtree/rtree.c in SQLite through 3.19.3, as used in GDAL and other products, mishandles undersized RTree blobs in a crafted database, leading to a heap-based buffer over-read or possibly unspecified other impact.
https://security-tracker.debian.org/tracker/CVE-2017-10989
-----------------------------------------
CVE-2017-10989: [High] 
Found in: sqlite3
The getNodeSize function in ext/rtree/rtree.c in SQLite through 3.19.3, as used in GDAL and other products, mishandles undersized RTree blobs in a crafted database, leading to a heap-based buffer over-read or possibly unspecified other impact.
https://security-tracker.debian.org/tracker/CVE-2017-10989
-----------------------------------------
CVE-2017-10989: [High] 
Found in: sqlite3
The getNodeSize function in ext/rtree/rtree.c in SQLite through 3.19.3, as used in GDAL and other products, mishandles undersized RTree blobs in a crafted database, leading to a heap-based buffer over-read or possibly unspecified other impact.
https://security-tracker.debian.org/tracker/CVE-2017-10989
-----------------------------------------
CVE-2017-10989: [High] 
Found in: sqlite3
The getNodeSize function in ext/rtree/rtree.c in SQLite through 3.19.3, as used in GDAL and other products, mishandles undersized RTree blobs in a crafted database, leading to a heap-based buffer over-read or possibly unspecified other impact.
https://security-tracker.debian.org/tracker/CVE-2017-10989
-----------------------------------------
CVE-2017-10989: [High] 
Found in: sqlite3
The getNodeSize function in ext/rtree/rtree.c in SQLite through 3.19.3, as used in GDAL and other products, mishandles undersized RTree blobs in a crafted database, leading to a heap-based buffer over-read or possibly unspecified other impact.
https://security-tracker.debian.org/tracker/CVE-2017-10989
-----------------------------------------
CVE-2017-17484: [High] 
Found in: icu
The ucnv_UTF8FromUTF8 function in ucnv_u8.cpp in International Components for Unicode (ICU) for C/C++ through 60.1 mishandles ucnv_convertEx calls for UTF-8 to UTF-8 conversion, which allows remote attackers to cause a denial of service (stack-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted string, as demonstrated by ZNC.
https://security-tracker.debian.org/tracker/CVE-2017-17484
-----------------------------------------
CVE-2017-17484: [High] 
Found in: icu
The ucnv_UTF8FromUTF8 function in ucnv_u8.cpp in International Components for Unicode (ICU) for C/C++ through 60.1 mishandles ucnv_convertEx calls for UTF-8 to UTF-8 conversion, which allows remote attackers to cause a denial of service (stack-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted string, as demonstrated by ZNC.
https://security-tracker.debian.org/tracker/CVE-2017-17484
-----------------------------------------
Unknown: 8
Negligible: 140
Low: 222
Medium: 145
High: 29

  3. For the Clair layer id, I used concatenate(Image_id, last_layer_id); I also confirmed that Klar uses the same logic, from:

    url := fmt.Sprintf("%s/v1/layers/%s?vulnerabilities", a.url, image.AnalyzedLayerName())

  4. Using the Clair API: ./curl.sh c1e459c00dc3205dd530a3a688d562dc6d8153beb219c74168823ccb1709b3a7 99a87e214c92dac634f282d7d27b7d846ae9b8947b98144a29fe528c4098a61d | jq '.Layer.Features[] | select(.Vulnerabilities != null) | .Vulnerabilities[].Name' | sort | uniq -c (curl.sh is a simple script wrapping the curl command), I get:

   1 "CVE-2004-0230"
   1 "CVE-2004-0971"
   1 "CVE-2005-0406"
   1 "CVE-2005-2541"
   1 "CVE-2005-3660"
   1 "CVE-2007-2243"
   1 "CVE-2007-2379"
   1 "CVE-2007-2768"
   1 "CVE-2007-3476"
   1 "CVE-2007-3477"
   1 "CVE-2007-3719"
   1 "CVE-2007-3996"
   1 "CVE-2007-5686"
   1 "CVE-2007-6755"
   1 "CVE-2008-1687"
   1 "CVE-2008-1688"
   1 "CVE-2008-2544"
   1 "CVE-2008-3134"
   1 "CVE-2008-3234"
   1 "CVE-2008-4108"
   1 "CVE-2008-4609"
   1 "CVE-2009-3546"
   1 "CVE-2010-0928"
   1 "CVE-2010-2596"
   1 "CVE-2010-4051"
   1 "CVE-2010-4052"
   1 "CVE-2010-4563"
   1 "CVE-2010-4651"
   1 "CVE-2010-4756"
   1 "CVE-2010-5321"
   1 "CVE-2011-3374"
   1 "CVE-2011-3389"
   1 "CVE-2011-4116"
   1 "CVE-2011-4915"
   1 "CVE-2011-4917"
   1 "CVE-2012-0039"
   1 "CVE-2012-3878"
   1 "CVE-2012-4542"
   1 "CVE-2012-5613"
   1 "CVE-2012-5627"
   1 "CVE-2013-0340"
   1 "CVE-2013-4235"
   1 "CVE-2013-4392"
   1 "CVE-2013-7040"
   1 "CVE-2013-7445"
   1 "CVE-2014-8127"
   1 "CVE-2014-8130"
   1 "CVE-2014-9717"
   1 "CVE-2014-9761"
   1 "CVE-2014-9892"
   1 "CVE-2014-9900"
   1 "CVE-2014-9939"
   1 "CVE-2015-1258"
   1 "CVE-2015-2877"
   1 "CVE-2015-3217"
   1 "CVE-2015-3276"
   1 "CVE-2015-4001"
   1 "CVE-2015-4002"
   1 "CVE-2015-4003"
   1 "CVE-2015-4004"
   1 "CVE-2015-4506"
   1 "CVE-2015-5180"
   1 "CVE-2015-5186"
   1 "CVE-2015-5203"
   1 "CVE-2015-5218"
   1 "CVE-2015-5221"
   1 "CVE-2015-5224"
   1 "CVE-2015-5276"
   1 "CVE-2015-5352"
   1 "CVE-2015-5600"
   1 "CVE-2015-6563"
   1 "CVE-2015-6564"
   1 "CVE-2015-7313"
   1 "CVE-2015-7554"
   1 "CVE-2015-7837"
   1 "CVE-2015-7885"
   1 "CVE-2015-8553"
   1 "CVE-2015-8839"
   1 "CVE-2015-8947"
   1 "CVE-2015-8952"
   1 "CVE-2015-8967"
   1 "CVE-2015-8985"
   1 "CVE-2015-9019"
   1 "CVE-2016-1000110"
   1 "CVE-2016-10009"
   1 "CVE-2016-10010"
   1 "CVE-2016-10011"
   1 "CVE-2016-10012"
   1 "CVE-2016-10228"
   1 "CVE-2016-10248"
   1 "CVE-2016-10268"
   1 "CVE-2016-10371"
   1 "CVE-2016-1908"
   1 "CVE-2016-2090"
   1 "CVE-2016-2226"
   1 "CVE-2016-2779"
   1 "CVE-2016-2781"
   1 "CVE-2016-2853"
   1 "CVE-2016-2854"
   1 "CVE-2016-3115"
   1 "CVE-2016-3139"
   1 "CVE-2016-3189"
   1 "CVE-2016-3616"
   1 "CVE-2016-3739"
   1 "CVE-2016-3857"
   1 "CVE-2016-3881"
   1 "CVE-2016-4448"
   1 "CVE-2016-4484"
   1 "CVE-2016-4487"
   1 "CVE-2016-4488"
   1 "CVE-2016-4489"
   1 "CVE-2016-4490"
   1 "CVE-2016-4491"
   1 "CVE-2016-4492"
   1 "CVE-2016-4493"
   1 "CVE-2016-5011"
   1 "CVE-2016-6131"
   1 "CVE-2016-6163"
   1 "CVE-2016-6328"
   1 "CVE-2016-6352"
   1 "CVE-2016-6515"
   1 "CVE-2016-6711"
   1 "CVE-2016-6712"
   1 "CVE-2016-7098"
   1 "CVE-2016-7141"
   1 "CVE-2016-7167"
   1 "CVE-2016-7949"
   1 "CVE-2016-7950"
   1 "CVE-2016-8625"
   1 "CVE-2016-8678"
   1 "CVE-2016-8690"
   1 "CVE-2016-8858"
   1 "CVE-2016-8883"
   1 "CVE-2016-8886"
   1 "CVE-2016-8887"
   1 "CVE-2016-9085"
   1 "CVE-2016-9120"
   1 "CVE-2016-9318"
   1 "CVE-2016-9387"
   1 "CVE-2016-9388"
   1 "CVE-2016-9389"
   1 "CVE-2016-9390"
   1 "CVE-2016-9391"
   1 "CVE-2016-9392"
   1 "CVE-2016-9393"
   1 "CVE-2016-9394"
   1 "CVE-2016-9395"
   1 "CVE-2016-9396"
   1 "CVE-2016-9397"
   1 "CVE-2016-9398"
   1 "CVE-2016-9399"
   1 "CVE-2016-9401"
   1 "CVE-2016-9539"
   1 "CVE-2016-9557"
   1 "CVE-2016-9583"
   1 "CVE-2016-9586"
   1 "CVE-2016-9600"
   1 "CVE-2016-9840"
   1 "CVE-2016-9841"
   1 "CVE-2016-9842"
   1 "CVE-2016-9843"
   1 "CVE-2017-0393"
   1 "CVE-2017-0641"
   1 "CVE-2017-0861"
   1 "CVE-2017-1000050"
   1 "CVE-2017-1000158"
   1 "CVE-2017-1000379"
   1 "CVE-2017-1000407"
   1 "CVE-2017-1000408"
   1 "CVE-2017-1000409"
   1 "CVE-2017-1000410"
   1 "CVE-2017-1000422"
   1 "CVE-2017-1000445"
   1 "CVE-2017-1000476"
   1 "CVE-2017-10662"
   1 "CVE-2017-10663"
   1 "CVE-2017-10790"
   1 "CVE-2017-10989"
   1 "CVE-2017-10995"
   1 "CVE-2017-11164"
   1 "CVE-2017-11166"
   1 "CVE-2017-11335"
   1 "CVE-2017-11446"
   1 "CVE-2017-11462"
   1 "CVE-2017-11472"
   1 "CVE-2017-11473"
   1 "CVE-2017-11523"
   1 "CVE-2017-11531"
   1 "CVE-2017-11532"
   1 "CVE-2017-11533"
   1 "CVE-2017-11534"
   1 "CVE-2017-11535"
   1 "CVE-2017-11536"
   1 "CVE-2017-11537"
   1 "CVE-2017-11539"
   1 "CVE-2017-11613"
   1 "CVE-2017-11639"
   1 "CVE-2017-11644"
   2 "CVE-2017-11671"        <<<<<<<<<<<<<<<<<< Only this one appears twice
   1 "CVE-2017-11724"
   1 "CVE-2017-11751"
   1 "CVE-2017-11752"
   1 "CVE-2017-11754"
   1 "CVE-2017-11755"
   1 "CVE-2017-12132"
   1 "CVE-2017-12133"
   1 "CVE-2017-12140"
   1 "CVE-2017-12418"
   1 "CVE-2017-12424"
   1 "CVE-2017-12427"
   1 "CVE-2017-12428"
   1 "CVE-2017-12429"
   1 "CVE-2017-12430"
   1 "CVE-2017-12432"
   1 "CVE-2017-12433"
   1 "CVE-2017-12434"
   1 "CVE-2017-12435"
   1 "CVE-2017-12448"
   1 "CVE-2017-12449"
   1 "CVE-2017-12450"
   1 "CVE-2017-12451"
   1 "CVE-2017-12452"
   1 "CVE-2017-12453"
   1 "CVE-2017-12454"
   1 "CVE-2017-12455"
   1 "CVE-2017-12456"
   1 "CVE-2017-12457"
   1 "CVE-2017-12458"
   1 "CVE-2017-12459"
   1 "CVE-2017-12563"
   1 "CVE-2017-12564"
   1 "CVE-2017-12565"
   1 "CVE-2017-12566"
   1 "CVE-2017-12587"
   1 "CVE-2017-12596"
   1 "CVE-2017-12613"
   1 "CVE-2017-12618"
   1 "CVE-2017-12641"
   1 "CVE-2017-12642"
   1 "CVE-2017-12643"
   1 "CVE-2017-12644"
   1 "CVE-2017-12654"
   1 "CVE-2017-12662"
   1 "CVE-2017-12663"
   1 "CVE-2017-12664"
   1 "CVE-2017-12665"
   1 "CVE-2017-12667"
   1 "CVE-2017-12668"
   1 "CVE-2017-12669"
   1 "CVE-2017-12670"
   1 "CVE-2017-12671"
   1 "CVE-2017-12672"
   1 "CVE-2017-12673"
   1 "CVE-2017-12674"
   1 "CVE-2017-12675"
   1 "CVE-2017-12676"
   1 "CVE-2017-12691"
   1 "CVE-2017-12692"
   1 "CVE-2017-12693"
   1 "CVE-2017-12762"
   1 "CVE-2017-12799"
   1 "CVE-2017-12875"
   1 "CVE-2017-12944"
   1 "CVE-2017-12967"
   1 "CVE-2017-13058"
   1 "CVE-2017-13059"
   1 "CVE-2017-13060"
   1 "CVE-2017-13062"
   1 "CVE-2017-13131"
   1 "CVE-2017-13133"
   1 "CVE-2017-13141"
   1 "CVE-2017-13142"
   1 "CVE-2017-13143"
   1 "CVE-2017-13145"
   1 "CVE-2017-13146"
   1 "CVE-2017-13658"
   1 "CVE-2017-13685"
   1 "CVE-2017-13693"
   1 "CVE-2017-13694"
   1 "CVE-2017-13695"
   1 "CVE-2017-13710"
   1 "CVE-2017-13716"
   1 "CVE-2017-13726"
   1 "CVE-2017-13727"
   1 "CVE-2017-13745"
   1 "CVE-2017-13746"
   1 "CVE-2017-13747"
   1 "CVE-2017-13748"
   1 "CVE-2017-13749"
   1 "CVE-2017-13750"
   1 "CVE-2017-13751"
   1 "CVE-2017-13752"
   1 "CVE-2017-13757"
   1 "CVE-2017-13768"
   1 "CVE-2017-14060"
   1 "CVE-2017-14062"
   1 "CVE-2017-14128"
   1 "CVE-2017-14129"
   1 "CVE-2017-14130"
   1 "CVE-2017-14132"
   1 "CVE-2017-14137"
   1 "CVE-2017-14138"
   1 "CVE-2017-14139"
   1 "CVE-2017-14159"
   1 "CVE-2017-14172"
   1 "CVE-2017-14173"
   1 "CVE-2017-14174"
   1 "CVE-2017-14175"
   1 "CVE-2017-14229"
   1 "CVE-2017-14249"
   1 "CVE-2017-14324"
   1 "CVE-2017-14325"
   1 "CVE-2017-14326"
   1 "CVE-2017-14333"
   1 "CVE-2017-14341"
   1 "CVE-2017-14342"
   1 "CVE-2017-14343"
   1 "CVE-2017-14400"
   1 "CVE-2017-14505"
   1 "CVE-2017-14528"
   1 "CVE-2017-14529"
   1 "CVE-2017-14531"
   1 "CVE-2017-14532"
   1 "CVE-2017-14533"
   1 "CVE-2017-14624"
   1 "CVE-2017-14625"
   1 "CVE-2017-14626"
   1 "CVE-2017-14684"
   1 "CVE-2017-14729"
   1 "CVE-2017-14739"
   1 "CVE-2017-14741"
   1 "CVE-2017-14745"
   1 "CVE-2017-14930"
   1 "CVE-2017-14932"
   1 "CVE-2017-14933"
   1 "CVE-2017-14934"
   1 "CVE-2017-14938"
   1 "CVE-2017-14939"
   1 "CVE-2017-14940"
   1 "CVE-2017-14974"
   1 "CVE-2017-14988"
   1 "CVE-2017-15015"
   1 "CVE-2017-15016"
   1 "CVE-2017-15017"
   1 "CVE-2017-15020"
   1 "CVE-2017-15021"
   1 "CVE-2017-15022"
   1 "CVE-2017-15023"
   1 "CVE-2017-15024"
   1 "CVE-2017-15025"
   1 "CVE-2017-15032"
   1 "CVE-2017-15033"
   1 "CVE-2017-15088"
   1 "CVE-2017-15116"
   1 "CVE-2017-15129"
   1 "CVE-2017-15217"
   1 "CVE-2017-15218"
   1 "CVE-2017-15225"
   1 "CVE-2017-15232"
   1 "CVE-2017-15281"
   1 "CVE-2017-15298"
   1 "CVE-2017-15412"
   1 "CVE-2017-15422"
   1 "CVE-2017-15670"
   1 "CVE-2017-15671"
   1 "CVE-2017-15804"
   1 "CVE-2017-15868"
   1 "CVE-2017-15906"
   1 "CVE-2017-15938"
   1 "CVE-2017-15996"
   1 "CVE-2017-16231"
   1 "CVE-2017-16232"
   1 "CVE-2017-16526"
   1 "CVE-2017-16538"
   1 "CVE-2017-16645"
   1 "CVE-2017-16826"
   1 "CVE-2017-16827"
   1 "CVE-2017-16828"
   1 "CVE-2017-16829"
   1 "CVE-2017-16830"
   1 "CVE-2017-16831"
   1 "CVE-2017-16832"
   1 "CVE-2017-16879"
   1 "CVE-2017-16932"
   1 "CVE-2017-16939"
   1 "CVE-2017-16997"
   1 "CVE-2017-17080"
   1 "CVE-2017-17095"
   1 "CVE-2017-17121"
   1 "CVE-2017-17122"
   1 "CVE-2017-17123"
   1 "CVE-2017-17124"
   1 "CVE-2017-17125"
   1 "CVE-2017-17126"
   1 "CVE-2017-17448"
   1 "CVE-2017-17449"
   1 "CVE-2017-17450"
   1 "CVE-2017-17458"
   1 "CVE-2017-17484"
   1 "CVE-2017-17499"
   1 "CVE-2017-17504"
   1 "CVE-2017-17512"
   1 "CVE-2017-17522"
   1 "CVE-2017-17558"
   1 "CVE-2017-17680"
   1 "CVE-2017-17681"
   1 "CVE-2017-17682"
   1 "CVE-2017-17740"
   1 "CVE-2017-17741"
   1 "CVE-2017-17805"
   1 "CVE-2017-17806"
   1 "CVE-2017-17807"
   1 "CVE-2017-17879"
   1 "CVE-2017-17880"
   1 "CVE-2017-17881"
   1 "CVE-2017-17882"
   1 "CVE-2017-17883"
   1 "CVE-2017-17884"
   1 "CVE-2017-17885"
   1 "CVE-2017-17886"
   1 "CVE-2017-17887"
   1 "CVE-2017-17914"
   1 "CVE-2017-17934"
   1 "CVE-2017-17942"
   1 "CVE-2017-17973"
   1 "CVE-2017-18008"
   1 "CVE-2017-18013"
   1 "CVE-2017-18017"
   1 "CVE-2017-18018"
   1 "CVE-2017-18022"
   1 "CVE-2017-2518"
   1 "CVE-2017-2519"
   1 "CVE-2017-2520"
   1 "CVE-2017-2616"
   1 "CVE-2017-2625"
   1 "CVE-2017-2626"
   1 "CVE-2017-2870"
   1 "CVE-2017-3737"
   1 "CVE-2017-5130"
   1 "CVE-2017-5498"
   1 "CVE-2017-5499"
   1 "CVE-2017-5500"
   1 "CVE-2017-5501"
   1 "CVE-2017-5502"
   1 "CVE-2017-5504"
   1 "CVE-2017-5505"
   1 "CVE-2017-5563"
   1 "CVE-2017-5715"
   1 "CVE-2017-5753"
   1 "CVE-2017-5754"
   1 "CVE-2017-5969"
   1 "CVE-2017-5972"
   1 "CVE-2017-6312"
   1 "CVE-2017-6313"
   1 "CVE-2017-6314"
   1 "CVE-2017-6502"
   1 "CVE-2017-6850"
   1 "CVE-2017-6851"
   1 "CVE-2017-6852"
   1 "CVE-2017-6965"
   1 "CVE-2017-6966"
   1 "CVE-2017-6969"
   1 "CVE-2017-7186"
   1 "CVE-2017-7210"
   1 "CVE-2017-7223"
   1 "CVE-2017-7224"
   1 "CVE-2017-7225"
   1 "CVE-2017-7226"
   1 "CVE-2017-7227"
   1 "CVE-2017-7244"
   1 "CVE-2017-7245"
   1 "CVE-2017-7246"
   1 "CVE-2017-7275"
   1 "CVE-2017-7299"
   1 "CVE-2017-7300"
   1 "CVE-2017-7301"
   1 "CVE-2017-7302"
   1 "CVE-2017-7303"
   1 "CVE-2017-7304"
   1 "CVE-2017-7407"
   1 "CVE-2017-7475"
   1 "CVE-2017-7544"
   1 "CVE-2017-7614"
   1 "CVE-2017-7960"
   1 "CVE-2017-7961"
   1 "CVE-2017-8283"
   1 "CVE-2017-8393"
   1 "CVE-2017-8394"
   1 "CVE-2017-8395"
   1 "CVE-2017-8396"
   1 "CVE-2017-8397"
   1 "CVE-2017-8398"
   1 "CVE-2017-8421"
   1 "CVE-2017-8804"
   1 "CVE-2017-8824"
   1 "CVE-2017-8834"
   1 "CVE-2017-8871"
   1 "CVE-2017-8872"
   1 "CVE-2017-9038"
   1 "CVE-2017-9039"
   1 "CVE-2017-9040"
   1 "CVE-2017-9041"
   1 "CVE-2017-9042"
   1 "CVE-2017-9043"
   1 "CVE-2017-9044"
   1 "CVE-2017-9110"
   1 "CVE-2017-9111"
   1 "CVE-2017-9112"
   1 "CVE-2017-9113"
   1 "CVE-2017-9114"
   1 "CVE-2017-9115"
   1 "CVE-2017-9116"
   1 "CVE-2017-9117"
   1 "CVE-2017-9462"
   1 "CVE-2017-9500"
   1 "CVE-2017-9742"
   1 "CVE-2017-9743"
   1 "CVE-2017-9744"
   1 "CVE-2017-9745"
   1 "CVE-2017-9746"
   1 "CVE-2017-9747"
   1 "CVE-2017-9748"
   1 "CVE-2017-9749"
   1 "CVE-2017-9750"
   1 "CVE-2017-9751"
   1 "CVE-2017-9752"
   1 "CVE-2017-9753"
   1 "CVE-2017-9754"
   1 "CVE-2017-9755"
   1 "CVE-2017-9756"
   1 "CVE-2017-9782"
   1 "CVE-2017-9814"
   1 "CVE-2017-9815"
   1 "CVE-2017-9935"
   1 "CVE-2017-9937"
   1 "CVE-2017-9954"
   1 "CVE-2017-9955"
   1 "CVE-2017-9984"
   1 "CVE-2017-9985"
   1 "CVE-2017-9986"
   1 "CVE-2018-5246"
   1 "CVE-2018-5247"
   1 "CVE-2018-5248"

So most of the CVEs in this image should only appear once (except for "CVE-2017-11671"). But apparently Klar gives a different result.

from klar.

lli-hiya avatar lli-hiya commented on May 28, 2024

@hashmap Can you reproduce this behavior?

from klar.

hashmap avatar hashmap commented on May 28, 2024

@lli-hiya Not really, I see 533 vulns in my output, all are unique ones (see second command). I use klar 2.0 + clair-git image (clair 3.0).

$ klar git:(master)  CLAIR_ADDR=http://localhost:6060 ./klar python | grep  "^CVE" | uniq -u | wc -l
Failed to analyze using API v1: push image https://registry-1.docker.io/v2/library/python:latest to Clair failed: can't even read an error message: invalid character 'N' looking for beginning of value

     533

$  klar git:(master) ✗ CLAIR_ADDR=http://localhost:6060 ./klar python | grep  "^CVE" | wc -l
Failed to analyze using API v1: push image https://registry-1.docker.io/v2/library/python:latest to Clair failed: can't even read an error message: invalid character 'N' looking for beginning of value

     533

from klar.

arush-sal avatar arush-sal commented on May 28, 2024

Another weird but similar behaviour that I am facing is that klar is showing the same CVE and description for multiple vulnerabilities in a single package. I am scanning the debian:stable-slim image, where klar is just displaying the same CVE and description for all the vulnerabilities reported in glibc by clair.

  • Versions of Klar and Clair: Klar - v2.1, clair - v2.0.1(latest docker image)
  • Output with tracing enabled - add KLAR_TRACE=true: https://pastebin.com/jaZ83CBA
  • What layer id do you use in curl request: Image has a single layer.
  • Could you reproduce this behavior on some public images?: Yes, debian:stable-slim

So, clair output for glibc in json is as below:

"Name": "glibc",
"NamespaceName": "debian:9",
"VersionFormat": "dpkg",
"Version": "2.24-11+deb9u1",
"Vulnerabilities": [
    {
    "Name": "CVE-2016-10228",
    "NamespaceName": "debian:9",
    "Description": "The iconv program in the GNU C Library (aka glibc or libc6) 2.25 and earlier, when invoked with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.",
    "Link": "https://security-tracker.debian.org/tracker/CVE-2016-10228",
    "Severity": "Medium",
    "Metadata": {
        "NVD": {
        "CVSSv2": {
            "Score": 4.3,
            "Vectors": "AV:N/AC:M/Au:N/C:N/I:N"
        }
        }
    }
    },
    {
    "Name": "CVE-2017-8804",
    "NamespaceName": "debian:9",
    "Description": "The xdr_bytes and xdr_string functions in the GNU C Library (aka glibc or libc6) 2.25 mishandle failures of buffer deserialization, which allows remote attackers to cause a denial of service (virtual memory allocation, or memory consumption if an overcommit setting is not used) via a crafted UDP packet to port 111, a related issue to CVE-2017-8779.",
    "Link": "https://security-tracker.debian.org/tracker/CVE-2017-8804",
    "Severity": "High",
    "Metadata": {
        "NVD": {
        "CVSSv2": {
            "Score": 7.8,
            "Vectors": "AV:N/AC:L/Au:N/C:N/I:N"
        }
        }
    }
    },
    {
    "Name": "CVE-2017-16997",
    "NamespaceName": "debian:9",
    "Description": "elf/dl-load.c in the GNU C Library (aka glibc or libc6) 2.19 through 2.26 mishandles RPATH and RUNPATH containing $ORIGIN for a privileged (setuid or AT_SECURE) program, which allows local users to gain privileges via a Trojan horse library in the current working directory, related to the fillin_rpath and decompose_rpath functions. This is associated with misinterpretion of an empty RPATH/RUNPATH token as the \"./\" directory. NOTE: this configuration of RPATH/RUNPATH for a privileged program is apparently very uncommon; most likely, no such program is shipped with any common Linux distribution.",
    "Link": "https://security-tracker.debian.org/tracker/CVE-2017-16997",
    "Severity": "High",
    "Metadata": {
        "NVD": {
        "CVSSv2": {
            "Score": 9.3,
            "Vectors": "AV:N/AC:M/Au:N/C:C/I:C"
        }
        }
    }
    },
    .
    <output truncated for readability>
    .
    {
    "Name": "CVE-2017-1000408",
    "NamespaceName": "debian:9",
    "Description": "A memory leak in glibc 2.1.1 (released on May 24, 1999) can be reached and amplified through the LD_HWCAP_MASK environment variable. Please note that many versions of glibc are not vulnerable to this issue if patched for CVE-2017-1000366.",
    "Link": "https://security-tracker.debian.org/tracker/CVE-2017-1000408",
    "Severity": "High",
    "Metadata": {
        "NVD": {
        "CVSSv2": {
            "Score": 7.2,
            "Vectors": "AV:L/AC:L/Au:N/C:C/I:C"
        }
        }
    }
    },
    {
    "Name": "CVE-2018-1000001",
    "NamespaceName": "debian:9",
    "Description": "In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution.",
    "Link": "https://security-tracker.debian.org/tracker/CVE-2018-1000001",
    "Severity": "High",
    "Metadata": {
        "NVD": {
        "CVSSv2": {
            "Score": 7.2,
            "Vectors": "AV:L/AC:L/Au:N/C:C/I:C"
        }
        }
    }
    }
]

What klar reports:

Got results from Clair API v1
Found 40 vulnerabilities
CVE-2016-2779: [High] 
Found in: util-linux
runuser in util-linux allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.
https://security-tracker.debian.org/tracker/CVE-2016-2779
-----------------------------------------
CVE-2018-1000001: [High] 
Found in: glibc
In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution.
https://security-tracker.debian.org/tracker/CVE-2018-1000001
-----------------------------------------
CVE-2018-1000001: [High] 
Found in: glibc
In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution.
https://security-tracker.debian.org/tracker/CVE-2018-1000001
-----------------------------------------
CVE-2018-1000001: [High] 
Found in: glibc
In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution.
https://security-tracker.debian.org/tracker/CVE-2018-1000001
-----------------------------------------
CVE-2018-1000001: [High] 
Found in: glibc
In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution.
https://security-tracker.debian.org/tracker/CVE-2018-1000001
-----------------------------------------
CVE-2018-1000001: [High] 
Found in: glibc
In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution.
https://security-tracker.debian.org/tracker/CVE-2018-1000001
-----------------------------------------
.
<output truncated for readability>
.
-----------------------------------------
CVE-2018-1000001: [High] 
Found in: glibc
In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution.
https://security-tracker.debian.org/tracker/CVE-2018-1000001
-----------------------------------------
Unknown: 10
Negligible: 11
Medium: 1
High: 18

from klar.

 avatar commented on May 28, 2024

I'm also seeing duplicates.

Running latest Clair as per their documentation.
quay.io/coreos/clair:latest

Running as CLAIR_ADDR=localhost JSON_OUTPUT=true ./klar-2.0.1-linux-amd64 node

For example scanning node:latest I see a huge output and some of it looks like this:

      {
        "Name": "CVE-2018-5730",
        "NamespaceName": "debian:8",
        "Link": "https://security-tracker.debian.org/tracker/CVE-2018-5730",
        "Severity": "Unknown",
        "featureName": "krb5"
      },
      {
        "Name": "CVE-2018-5730",
        "NamespaceName": "debian:8",
        "Link": "https://security-tracker.debian.org/tracker/CVE-2018-5730",
        "Severity": "Unknown",
        "featureName": "krb5"
      },
      {
        "Name": "CVE-2018-5730",
        "NamespaceName": "debian:8",
        "Link": "https://security-tracker.debian.org/tracker/CVE-2018-5730",
        "Severity": "Unknown",
        "featureName": "krb5"
      },

from klar.

 avatar commented on May 28, 2024

I think what is happening may be that a vulnerability is detected in multiple layers?

from klar.
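The repeated glibc and krb5 entries quoted above and the multiple-layers theory both come down to how Clair's per-layer results are flattened before they are printed. As an added example (not klar's own code, and not Clair's), here is a small Go program that reads a constructed list of Clair v1 layer replies in the shape quoted earlier in this thread, flattens them into one list of findings, and deduplicates on the (package, CVE) pair rather than on the CVE alone, so a CVE that genuinely affects two packages is still reported for each. The `layerEnvelope`, `Feature` and `Vulnerability` types, the `SampleLayers` input and the version string `0.0-example` are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Vulnerability holds the Clair v1 fields this example needs; FeatureName is
// not in Clair's per-vulnerability object but is filled in by Flatten.
type Vulnerability struct {
	Name        string `json:"Name"`
	Link        string `json:"Link"`
	Severity    string `json:"Severity"`
	FeatureName string `json:"featureName,omitempty"`
}

// Feature is one package found in a layer together with its vulnerabilities.
type Feature struct {
	Name            string          `json:"Name"`
	Version         string          `json:"Version"`
	Vulnerabilities []Vulnerability `json:"Vulnerabilities"`
}

// layerEnvelope is the outer shape of a Clair v1 "GET /v1/layers/{name}" reply.
type layerEnvelope struct {
	Layer struct {
		Name     string    `json:"Name"`
		Features []Feature `json:"Features"`
	} `json:"Layer"`
}

// SampleLayers is constructed input, not real scanner output: two layers that
// both report glibc with the same CVE, plus a krb5 finding listed twice, so
// the same (package, CVE) pair appears several times once flattened.
const SampleLayers = `[
 {"Layer": {"Name": "layer-a", "Features": [
  {"Name": "glibc", "Version": "2.24-11+deb9u1", "Vulnerabilities": [
   {"Name": "CVE-2018-1000001", "Severity": "High",
    "Link": "https://security-tracker.debian.org/tracker/CVE-2018-1000001"},
   {"Name": "CVE-2016-10228", "Severity": "Medium",
    "Link": "https://security-tracker.debian.org/tracker/CVE-2016-10228"}]}]}},
 {"Layer": {"Name": "layer-b", "Features": [
  {"Name": "glibc", "Version": "2.24-11+deb9u1", "Vulnerabilities": [
   {"Name": "CVE-2018-1000001", "Severity": "High",
    "Link": "https://security-tracker.debian.org/tracker/CVE-2018-1000001"}]},
  {"Name": "krb5", "Version": "0.0-example", "Vulnerabilities": [
   {"Name": "CVE-2018-5730", "Severity": "Unknown",
    "Link": "https://security-tracker.debian.org/tracker/CVE-2018-5730"},
   {"Name": "CVE-2018-5730", "Severity": "Unknown",
    "Link": "https://security-tracker.debian.org/tracker/CVE-2018-5730"}]}]}}
]`

// Flatten walks every layer and feature and returns one entry per reported
// vulnerability, tagged with its package name. Duplicates are kept here on
// purpose: this is the view that produces the repeated lines in the issue.
func Flatten(raw []byte) ([]Vulnerability, error) {
	var layers []layerEnvelope
	if err := json.Unmarshal(raw, &layers); err != nil {
		return nil, fmt.Errorf("decode clair layers: %w", err)
	}
	var out []Vulnerability
	for _, l := range layers {
		for _, f := range l.Layer.Features {
			for _, v := range f.Vulnerabilities {
				v.FeatureName = f.Name
				out = append(out, v)
			}
		}
	}
	return out, nil
}

// Dedupe keeps the first occurrence of each (package, CVE) pair in input
// order. Keying on the pair rather than the CVE alone keeps the case where one
// CVE really does affect several packages in the image.
func Dedupe(vulns []Vulnerability) []Vulnerability {
	type key struct{ feature, cve string }
	seen := make(map[key]bool, len(vulns))
	out := make([]Vulnerability, 0, len(vulns))
	for _, v := range vulns {
		k := key{v.FeatureName, v.Name}
		if seen[k] {
			continue
		}
		seen[k] = true
		out = append(out, v)
	}
	return out
}

// CountBySeverity builds the per-severity summary printed at the end of a scan.
func CountBySeverity(vulns []Vulnerability) map[string]int {
	counts := make(map[string]int)
	for _, v := range vulns {
		counts[v.Severity]++
	}
	return counts
}

func main() {
	all, err := Flatten([]byte(SampleLayers))
	if err != nil {
		panic(err)
	}
	uniq := Dedupe(all)
	fmt.Printf("raw entries: %d, unique (package, CVE) pairs: %d\n", len(all), len(uniq))
	for _, v := range uniq {
		fmt.Printf("%s: [%s] found in %s\n", v.Name, v.Severity, v.FeatureName)
	}
	fmt.Println(CountBySeverity(uniq)) // fmt prints map keys in sorted order
}
```

On the constructed input the flattened list has five entries and the deduplicated list three, with the severity summary counting each (package, CVE) pair once. Deduplicating after flattening, rather than per layer, is what makes the count independent of how many layers happen to contain the same package.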

hashmap avatar hashmap commented on May 28, 2024

Hm, still can't reproduce, tried both debian:stable-slim and node, no duplicates.

from klar.

hashmap avatar hashmap commented on May 28, 2024

@pauvos thanks for the detailed report, still can't reproduce it locally, for debian:7 I got:

Unknown: 3
Negligible: 20
Low: 5
Medium: 8
High: 10

trying to get clair:v2.0.2 running, perhaps it's a V1 issue

from klar.

hashmap avatar hashmap commented on May 28, 2024

Hi all, would you mind checking version 2.1.0? Please let me know if the issue still exists. Thanks!

from klar.

philenz avatar philenz commented on May 28, 2024

Version 2.1.0 has fixed the duplicate issue for me.
Thank you so much :-)

So I'm running Klar 2.1.0 against Clair latest (v2.0.3).

from klar.

hashmap avatar hashmap commented on May 28, 2024

Ok, I'm closing the issue for now, please let me know if it needs to be reopened

from klar.
