Possible false positive caused by firefox installed with PPA in Ubuntu 22.04 #6792
Replies: 1 comment 1 reply
-
|
I think I understand the issue better now. But is there anything can be done in Trivy to support the deb package version? |
Beta Was this translation helpful? Give feedback.
-
|
Hello @kitshinghk-crypto For Ubuntu images we use Ubuntu database for all found deb packages. For now, if you are sure that this package is not vulnerable - you can useVEX . You need to create a VEX file where you can write the package, version, description (why this package is not vulnerable), etc. to ignore this CVE. Regards, Dmitriy |
Beta Was this translation helpful? Give feedback.
-
IDs
CVE-2022-26486
Description
Trivy returns vulnerabilities findings in latest firefox package installed with PPA in ubuntu 22.04.
In https://ubuntu.com/security/CVE-2022-26486 , the fixed version for ubuntu jammy is 1:1snap1-0ubuntu1, which could be wrong, but the installed version 126.0+build2-0ubuntu0.22.04.1~mt1 is newer than 1:1snap1-0ubuntu1. It should not be detected by Trivy.
Reproduction Steps
1. Build a image with the following dockerfile FROM docker.io/library/ubuntu:22.04 RUN apt-get update \ && apt-get install -y --no-install-recommends software-properties-common gnupg \ && add-apt-repository --yes ppa:mozillateam/ppa \ && echo 'Package: firefox*' > /etc/apt/preferences.d/mozillateamppa \ && echo 'Pin: release o=LP-PPA-mozillateam' >> /etc/apt/preferences.d/mozillateamppa \ && echo 'Pin-Priority: 501' >> /etc/apt/preferences.d/mozillateamppa \ && apt-get update \ && apt-get install -y --no-install-recommends \ firefox 2. Run Trivy image 3. Trivy return a list of vulnerabilities from firefoxTarget
Container Image
Scanner
Vulnerability
Target OS
Ubuntu 22.04
Debug Output
Version
Checklist
-f jsonthat shows data sources and confirmed that the security advisory in data sources was correctBeta Was this translation helpful? Give feedback.
All reactions