Status: Closed
Labels: kind/feature (Categorizes issue or PR as related to a new feature.)
Description
Looking at the findings of #2033 we see GMS-2022-20 reported as a vulnerability id. This seems to be an unknown format.
What did you expect to happen?
I expected an id to be reported that I can find on the internet.
What happened instead?
Instead I found GHSA-qq97-vm5h-rrhg which seems to be the reported vulnerability but has a different id.
Also, this vulnerability already has a CVE assigned. I'm not sure which id should be reported in that case.
Output of trivy -v:
```console
$ docker run --rm ghcr.io/aquasecurity/trivy -v
Version: 0.26.0
```
Additional details (base image name, container registry info...):
Fun fact: the JSON output contains a URL using the correct id:
```console
$ docker run --rm ghcr.io/aquasecurity/trivy image --no-progress --format json "ghcr.io/aquasecurity/trivy:latest";
2022-04-24T08:14:59.569Z INFO Need to update DB
2022-04-24T08:14:59.569Z INFO DB Repository: ghcr.io/aquasecurity/trivy-db
2022-04-24T08:14:59.569Z INFO Downloading DB...
2022-04-24T08:15:15.234Z INFO Detected OS: alpine
2022-04-24T08:15:15.234Z INFO Detecting Alpine vulnerabilities...
2022-04-24T08:15:15.236Z INFO Number of language-specific files: 1
2022-04-24T08:15:15.237Z INFO Detecting gobinary vulnerabilities...
{
  "SchemaVersion": 2,
  "ArtifactName": "ghcr.io/aquasecurity/trivy:latest",
  "ArtifactType": "container_image",
  "Metadata": {
    "OS": {
      "Family": "alpine",
      "Name": "3.15.4"
    },
    "ImageID": "sha256:3d3fe4d90c2648d406fb42e25bedcd8beafb1d5750f731fcb38dc506ff91c428",
    "DiffIDs": [
      "sha256:4fc242d58285699eca05db3cc7c7122a2b8e014d9481f323bd9277baacfa0628",
      "sha256:6f205b10b84baad10e15534d8ecb58c3cef7b93361dd946140fb5ab1eee2334f",
      "sha256:799e077522e2875ed8fae2317c434543179b09e609f75e15bbe56dc3eaad1278",
      "sha256:76d354fed9826ed2afca61922e3343243cda023939d255740a8a654db1e72561"
    ],
    "RepoTags": [
      "ghcr.io/aquasecurity/trivy:latest"
    ],
    "RepoDigests": [
      "ghcr.io/aquasecurity/trivy@sha256:0b3962fc8ce69ebbba9ae719cc54f53ccf9e523a54373f6719d01dc7fbd47517"
    ],
    "ImageConfig": {
      "architecture": "amd64",
      "created": "2022-04-15T21:40:11.61701653Z",
      "history": [
        {
          "created": "2022-04-05T00:19:59.790636867Z",
          "created_by": "/bin/sh -c #(nop) ADD file:5d673d25da3a14ce1f6cf66e4c7fd4f4b85a3759a9d93efb3fd9ff852b5b56e4 in / "
        },
        {
          "created": "2022-04-05T00:19:59.912662499Z",
          "created_by": "/bin/sh -c #(nop) CMD [\"/bin/sh\"]",
          "empty_layer": true
        },
        {
          "created": "2022-04-15T21:40:11.34401628Z",
          "created_by": "RUN /bin/sh -c apk --no-cache add ca-certificates git # buildkit",
          "comment": "buildkit.dockerfile.v0"
        },
        {
          "created": "2022-04-15T21:40:11.60053656Z",
          "created_by": "COPY trivy /usr/local/bin/trivy # buildkit",
          "comment": "buildkit.dockerfile.v0"
        },
        {
          "created": "2022-04-15T21:40:11.61701653Z",
          "created_by": "COPY contrib/*.tpl contrib/ # buildkit",
          "comment": "buildkit.dockerfile.v0"
        },
        {
          "created": "2022-04-15T21:40:11.61701653Z",
          "created_by": "ENTRYPOINT [\"trivy\"]",
          "comment": "buildkit.dockerfile.v0",
          "empty_layer": true
        }
      ],
      "os": "linux",
      "rootfs": {
        "type": "layers",
        "diff_ids": [
          "sha256:4fc242d58285699eca05db3cc7c7122a2b8e014d9481f323bd9277baacfa0628",
          "sha256:6f205b10b84baad10e15534d8ecb58c3cef7b93361dd946140fb5ab1eee2334f",
          "sha256:799e077522e2875ed8fae2317c434543179b09e609f75e15bbe56dc3eaad1278",
          "sha256:76d354fed9826ed2afca61922e3343243cda023939d255740a8a654db1e72561"
        ]
      },
      "config": {
        "Entrypoint": [
          "trivy"
        ],
        "Env": [
          "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
        ],
        "Labels": {
          "org.opencontainers.image.created": "2022-04-15T21:25:39Z",
          "org.opencontainers.image.description": "A Fast Vulnerability Scanner for Containers",
          "org.opencontainers.image.documentation": "https://aquasecurity.github.io/trivy/v0.26.0/",
          "org.opencontainers.image.revision": "a0047a7983b4b598f27706391cd6f89a63450653",
          "org.opencontainers.image.source": "https://github.com/aquasecurity/trivy",
          "org.opencontainers.image.title": "trivy",
          "org.opencontainers.image.url": "https://www.aquasec.com/products/trivy/",
          "org.opencontainers.image.vendor": "Aqua Security",
          "org.opencontainers.image.version": "0.26.0"
        }
      }
    }
  },
  "Results": [
    {
      "Target": "ghcr.io/aquasecurity/trivy:latest (alpine 3.15.4)",
      "Class": "os-pkgs",
      "Type": "alpine"
    },
    {
      "Target": "usr/local/bin/trivy",
      "Class": "lang-pkgs",
      "Type": "gobinary",
      "Vulnerabilities": [
        {
          "VulnerabilityID": "GMS-2022-20",
          "PkgName": "github.com/docker/distribution",
          "InstalledVersion": "v2.7.1+incompatible",
          "FixedVersion": "v2.8.0",
          "Layer": {
            "Digest": "sha256:b4ece3d4aa62cc36c31b3dbafe4d79af9a25f2a3a11daa052bbeea21aed25de9",
            "DiffID": "sha256:799e077522e2875ed8fae2317c434543179b09e609f75e15bbe56dc3eaad1278"
          },
          "DataSource": {
            "ID": "glad",
            "Name": "GitLab Advisory Database Community",
            "URL": "https://gitlab.com/gitlab-org/advisories-community"
          },
          "Title": "OCI Manifest Type Confusion Issue",
          "Description": "### Impact\n\nSystems that rely on digest equivalence for image attestations may be vulnerable to type confusion.",
          "Severity": "UNKNOWN",
          "References": [
            "https://github.com/advisories/GHSA-qq97-vm5h-rrhg",
            "https://github.com/distribution/distribution/commit/b59a6f827947f9e0e67df0cfb571046de4733586",
            "https://github.com/distribution/distribution/security/advisories/GHSA-qq97-vm5h-rrhg",
            "https://github.com/opencontainers/image-spec/pull/411"
          ]
        },
        {
          "VulnerabilityID": "CVE-2022-27191",
          "PkgName": "golang.org/x/crypto",
          "InstalledVersion": "v0.0.0-20220208233918-bba287dce954",
          "FixedVersion": "0.0.0-20220315160706-3147a52a75dd",
          "Layer": {
            "Digest": "sha256:b4ece3d4aa62cc36c31b3dbafe4d79af9a25f2a3a11daa052bbeea21aed25de9",
            "DiffID": "sha256:799e077522e2875ed8fae2317c434543179b09e609f75e15bbe56dc3eaad1278"
          },
          "SeveritySource": "nvd",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-27191",
          "DataSource": {
            "ID": "glad",
            "Name": "GitLab Advisory Database Community",
            "URL": "https://gitlab.com/gitlab-org/advisories-community"
          },
          "Title": "golang: crash in a golang.org/x/crypto/ssh server",
          "Description": "The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey.",
          "Severity": "HIGH",
          "CweIDs": [
            "CWE-327"
          ],
          "CVSS": {
            "nvd": {
              "V2Vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "V2Score": 4.3,
              "V3Score": 7.5
            },
            "redhat": {
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "V3Score": 7.5
            }
          },
          "References": [
            "https://access.redhat.com/security/cve/CVE-2022-27191",
            "https://github.com/advisories/GHSA-8c26-wmh5-6g9v",
            "https://groups.google.com/g/golang-announce",
            "https://groups.google.com/g/golang-announce/c/-cp44ypCT5s",
            "https://groups.google.com/g/golang-announce/c/-cp44ypCT5s/m/wmegxkLiAQAJ",
            "https://lists.fedoraproject.org/archives/list/[email protected]/message/HHGBEGJ54DZZGTXFUQNS7ZIG3E624YAF/",
            "https://lists.fedoraproject.org/archives/list/[email protected]/message/QTFOIDHQRGNI4P6LYN6ILH5G443RYYKB/",
            "https://nvd.nist.gov/vuln/detail/CVE-2022-27191"
          ],
          "PublishedDate": "2022-03-18T07:15:00Z",
          "LastModifiedDate": "2022-04-21T23:15:00Z"
        }
      ]
    }
  ]
}
```
Looking at:

```json
"Vulnerabilities": [
  {
    "VulnerabilityID": "GMS-2022-20",
    ...
    "References": [
      "https://github.com/advisories/GHSA-qq97-vm5h-rrhg",
```
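The report above shows the practical problem behind this issue: a finding from the GitLab Advisory Database (`DataSource.ID` = `glad`) carries a `GMS-` identifier that no other tracker knows, while the same entry's `References` list points at the GHSA that the rest of the ecosystem uses. Until the scanner reports a canonical id itself, a consumer of the JSON can recover one by post-processing. The script below is an added example written for this page, not trivy's own code: it walks `Results[].Vulnerabilities[]`, collects every CVE and GHSA identifier found in `VulnerabilityID` and in the reference URLs, and picks a CVE over a GHSA over the source's private id. The embedded report is a constructed, trimmed copy of the scan output shown above (fields not needed for the id logic were dropped). Note the limitation it exposes: the `GMS-2022-20` entry's references contain no CVE URL, so even though the GHSA has a CVE assigned, the CVE cannot be recovered from this report alone; you would have to resolve the GHSA's aliases out of band.

```python
import json
import re

# Constructed sample: a trimmed copy of the trivy JSON report shown in this issue.
# One finding uses a GitLab-private "GMS-" id, the other is already a CVE.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "ghcr.io/aquasecurity/trivy:latest",
    "Results": [
        # os-pkgs results with no findings have no "Vulnerabilities" key at all.
        {"Target": "ghcr.io/aquasecurity/trivy:latest (alpine 3.15.4)",
         "Class": "os-pkgs", "Type": "alpine"},
        {
            "Target": "usr/local/bin/trivy",
            "Class": "lang-pkgs",
            "Type": "gobinary",
            "Vulnerabilities": [
                {
                    "VulnerabilityID": "GMS-2022-20",
                    "PkgName": "github.com/docker/distribution",
                    "InstalledVersion": "v2.7.1+incompatible",
                    "FixedVersion": "v2.8.0",
                    "DataSource": {"ID": "glad", "Name": "GitLab Advisory Database Community"},
                    "Severity": "UNKNOWN",
                    "References": [
                        "https://github.com/advisories/GHSA-qq97-vm5h-rrhg",
                        "https://github.com/distribution/distribution/commit/b59a6f827947f9e0e67df0cfb571046de4733586",
                        "https://github.com/distribution/distribution/security/advisories/GHSA-qq97-vm5h-rrhg",
                    ],
                },
                {
                    "VulnerabilityID": "CVE-2022-27191",
                    "PkgName": "golang.org/x/crypto",
                    "InstalledVersion": "v0.0.0-20220208233918-bba287dce954",
                    "FixedVersion": "0.0.0-20220315160706-3147a52a75dd",
                    "DataSource": {"ID": "glad", "Name": "GitLab Advisory Database Community"},
                    "Severity": "HIGH",
                    "References": [
                        "https://github.com/advisories/GHSA-8c26-wmh5-6g9v",
                        "https://nvd.nist.gov/vuln/detail/CVE-2022-27191",
                    ],
                },
            ],
        },
    ],
})

# CVE ids: CVE-YYYY-NNNN (four or more digits).
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")
# GHSA ids: GHSA- followed by three 4-char groups from GitHub's fixed alphabet.
GHSA_RE = re.compile(r"\bGHSA(?:-[23456789cfghjmpqrvwx]{4}){3}\b")


def aliases(vuln):
    """Collect every CVE and GHSA id a finding mentions, either as its
    VulnerabilityID or embedded in one of its reference URLs."""
    text = " ".join([vuln.get("VulnerabilityID", "")] + vuln.get("References", []))
    cves = sorted(set(CVE_RE.findall(text)))
    ghsas = sorted(set(GHSA_RE.findall(text)))
    return cves, ghsas


def canonical_id(vuln):
    """Report a CVE if one is known, else a GHSA, else the data source's own id
    (for GLAD entries that is the otherwise unsearchable GMS-YYYY-N form)."""
    cves, ghsas = aliases(vuln)
    if cves:
        return cves[0]
    if ghsas:
        return ghsas[0]
    return vuln["VulnerabilityID"]


def normalize_report(report_json):
    """Return one row per finding with the original id, the id we would report,
    and every alias that could be recovered from the report itself."""
    report = json.loads(report_json)
    rows = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities", []):
            cves, ghsas = aliases(vuln)
            rows.append({
                "target": result["Target"],
                "pkg": vuln["PkgName"],
                "source_id": vuln["VulnerabilityID"],
                "reported_id": canonical_id(vuln),
                "aliases": cves + ghsas,
                "data_source": vuln.get("DataSource", {}).get("ID"),
            })
    return rows


if __name__ == "__main__":
    for row in normalize_report(SAMPLE_REPORT):
        print(f'{row["source_id"]:<16} -> {row["reported_id"]:<20} '
              f'({row["data_source"]}) aliases={row["aliases"]}')
```

To run it against a real scan, replace `SAMPLE_REPORT` with the contents of `trivy image --format json ...` output; the regexes only look at `VulnerabilityID` and `References`, so any extra fields in the real report are ignored. Because a GLAD entry may reference a GHSA without referencing the CVE that the GHSA is an alias of, treat the GHSA as the best recoverable id from the report and resolve CVE aliases separately before de-duplicating findings across scanners.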