Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

False Positive in Terraform binary: CVE-2018-9057 #1377

Closed
RothAndrew opened this issue Jul 5, 2023 · 3 comments
Closed

False Positive in Terraform binary: CVE-2018-9057 #1377

RothAndrew opened this issue Jul 5, 2023 · 3 comments
Labels
bug Something isn't working changelog-ignore Don't include this issue in the release changelog false-positive:cpe This issue is a report of a false positive cause by CPE matching

Comments

@RothAndrew
Copy link

What happened:

Grype reported that the version of Terraform in my container image was vulnerable to CVE-2018-9057. This is an old vulnerability in the AWS provider that was fixed after v1.12.0 of the AWS provider. Grype sees Terraform v1.5.2 and since 1.5.2 is less than 1.12.0 it reports the vulnerability, but Terraform and the Terraform AWS Provider are 2 completely separate binaries.

Here's the line from the grype report:

NAME                            INSTALLED                              FIXED-IN                             TYPE       VULNERABILITY        SEVERITY 
github.com/hashicorp/terraform  v1.5.2                                                                      go-module  CVE-2018-9057        Critical

What you expected to happen:

This vuln is not reported since my container image does not have the Terraform AWS Provider installed (just Terraform itself)

How to reproduce it (as minimally and precisely as possible):

  1. Create a Dockerfile that installed the latest version of Terraform and build the image
  2. Run Grype on the image

Here's a Dockerfile that demonstrates the issue. I use ASDF to install Terraform in my use case, though I would imagine that any method of installing Terraform will still result in the vulnerability being reported.

FROM rockylinux:9

RUN dnf install -y --refresh \
    git \
    unzip \
  && dnf clean all \
  && rm -rf /var/cache/yum/

# Install asdf. Get versions from https://github.com/asdf-vm/asdf/releases
ENV ASDF_VERSION=0.12.0
RUN git clone https://github.com/asdf-vm/asdf.git --branch v${ASDF_VERSION} --depth 1 "${HOME}/.asdf" \
  && echo -e '\nsource $HOME/.asdf/asdf.sh' >> "${HOME}/.bashrc" \
  && echo -e '\nsource $HOME/.asdf/asdf.sh' >> "${HOME}/.profile" \
  && source "${HOME}/.asdf/asdf.sh"
ENV PATH="/root/.asdf/shims:/root/.asdf/bin:${PATH}"

RUN asdf plugin add terraform

RUN asdf install terraform 1.5.2

CMD ["/bin/bash"]
docker build . -t testimage
grype testimage

image

Anything else we need to know?:

Environment:

  • Output of grype version:
Application:          grype
Version:              0.63.1
Syft Version:         v0.84.1
BuildDate:            2023-06-30T15:49:26Z
GitCommit:            ecf9e65b951aed43098f0e5da4441a7e17f190af
GitDescription:       v0.63.1
Platform:             darwin/amd64
GoVersion:            go1.19.10
Compiler:             gc
Supported DB Schema:  5
  • OS (e.g: cat /etc/os-release or similar):

image

image

@RothAndrew RothAndrew added the bug Something isn't working label Jul 5, 2023
@tgerla tgerla added the false-positive:cpe This issue is a report of a false positive cause by CPE matching label Jul 6, 2023
@tgerla
Copy link
Contributor

tgerla commented Jul 6, 2023

Hi @RothAndrew, thanks for the report and the detailed steps to reproduce! We will take a look at this one as soon as we can.

@wagoodman
Copy link
Contributor

dev note: we could probably be filtering out this after we do the CPE search by looking at the package type vs the CPE target-software field to determine if the match is for the wrong ecosystem.

@spiffcs spiffcs added bug Something isn't working and removed bug Something isn't working labels Jul 19, 2023
@willmurphyscode willmurphyscode added the changelog-ignore Don't include this issue in the release changelog label Apr 19, 2024
@willmurphyscode
Copy link
Contributor

This no longer reproduces for me. Following test steps from the original post with | grep terraform, I see only GHSA-h626-pv66-hhm7, which seems to be a true positive (affects versions >=1.0.8,<1.5.7, installed version is 1.5.2).

This was most likely fixed by the switch from CVE to GHSA as the default matching source for Go vulnerabilities, which happened some time ago (hence the changelog-ignore label).

Please let me know if I've missed something.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working changelog-ignore Don't include this issue in the release changelog false-positive:cpe This issue is a report of a false positive cause by CPE matching
Projects
Archived in project
Development

No branches or pull requests

5 participants