False positive for bind-license package in centos:7 image

[tspearconquest]

IDs

CVE-2023-2828

Description

The centos:7 image is being reported as having CVE-2023-2828 in the bind-license package. This is simply a package containing a single file called COPYRIGHT, as evidenced below:

[root@4aa82d8cab7e /]# rpm -ql bind-license
/usr/share/licenses/bind-license-9.11.4
/usr/share/licenses/bind-license-9.11.4/COPYRIGHT

Please stop flagging CVEs for this package.

Reproduction Steps

1. docker pull centos:7
2. trivy image centos:7 --format json 2>/dev/null |yq e '.Results[] | select(.Class == "os-pkgs") | .Vulnerabilities[] | select(.VulnerabilityID == "CVE-2023-2828") | .PkgID'

Target

Container Image

Scanner

Vulnerability

Target OS

CentOS 7

Debug Output

If needed, I will supply it, but the vulnerability list in the default image without any yum update is huge, so I'd rather not...

Version

Version: 0.38.3
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-07-20 12:11:37.696263932 +0000 UTC
  NextUpdate: 2023-07-20 18:11:37.696263532 +0000 UTC
  DownloadedAt: 2023-07-20 18:03:58.875999 +0000 UTC
Policy Bundle:
  Digest: sha256:714272c66dfff71107a717b64960f00d54883d7268e30e321cbe89c9ecac0f93
  DownloadedAt: 2023-03-28 15:00:59.31549 +0000 UTC

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[DmitriyLewen]

Hello @tspearconquest
Thanks for your report!

We don't create advisories, we just get them from datasourses.
RedHat advisories contains this package.

Take a look at updated packages for RHSA-2023:4152. This advisory included bind-license package.
Same for RedHat Oval.
This is cretieans from https://www.redhat.com/security/data/oval/v2/RHEL7/ rhel-7.oval.xml.bz2 (lines 155186-155258):

<definition class="patch" id="oval:com.redhat.rhsa:def:20234152" version="634">
 <metadata>
  <title>RHSA-2023:4152: bind security update (Important)</title>
  <affected family="unix">
   <platform>Red Hat Enterprise Linux 7</platform>
  </affected>
  <reference ref_id="RHSA-2023:4152" ref_url="https://access.redhat.com/errata/RHSA-2023:4152" source="RHSA"/>
  <reference ref_id="CVE-2023-2828" ref_url="https://access.redhat.com/security/cve/CVE-2023-2828" source="CVE"/>
  <description>The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly.

Security Fix(es):

* bind: named's configured cache size limit can be significantly exceeded (CVE-2023-2828)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.</description>
  <advisory from="[email protected]">
   <severity>Important</severity>
   <rights>Copyright 2023 Red Hat, Inc.</rights>
   <issued date="2023-07-18"/>
   <updated date="2023-07-18"/>
   <cve cvss3="7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" href="https://access.redhat.com/security/cve/CVE-2023-2828" impact="important" public="20230621">CVE-2023-2828</cve>
   <bugzilla href="https://bugzilla.redhat.com/2216227" id="2216227">named's configured cache size limit can be significantly exceeded</bugzilla>
   <affected_cpe_list>
    <cpe>cpe:/a:redhat:rhel_extras:7</cpe>
    <cpe>cpe:/a:redhat:rhel_extras_oracle_java:7</cpe>
    <cpe>cpe:/a:redhat:rhel_extras_rt:7</cpe>
    <cpe>cpe:/a:redhat:rhel_extras_sap:7</cpe>
    <cpe>cpe:/a:redhat:rhel_extras_sap_hana:7</cpe>
    <cpe>cpe:/o:redhat:enterprise_linux:7</cpe>
    <cpe>cpe:/o:redhat:enterprise_linux:7::client</cpe>
    <cpe>cpe:/o:redhat:enterprise_linux:7::computenode</cpe>
    <cpe>cpe:/o:redhat:enterprise_linux:7::server</cpe>
    <cpe>cpe:/o:redhat:enterprise_linux:7::workstation</cpe>
   </affected_cpe_list>
  </advisory>
 </metadata>
 <criteria operator="OR">
  <criterion comment="Red Hat Enterprise Linux must be installed" test_ref="oval:com.redhat.rhba:tst:20150364028"/>
  <criteria operator="AND">
   <criterion comment="Red Hat Enterprise Linux 7 is installed" test_ref="oval:com.redhat.rhba:tst:20150364027"/>
   <criteria operator="OR">
    <criteria operator="AND">
     <criterion comment="bind is earlier than 32:9.11.4-26.P2.el7_9.14" test_ref="oval:com.redhat.rhsa:tst:20234152001"/>
     <criterion comment="bind is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhba:tst:20171767002"/>
    </criteria>
   ...
    <criteria operator="AND">
     <criterion comment="bind-license is earlier than 32:9.11.4-26.P2.el7_9.14" test_ref="oval:com.redhat.rhsa:tst:20234152015"/>
     <criterion comment="bind-license is signed with Red Hat redhatrelease2 key" test_ref="oval:com.redhat.rhba:tst:20171767012"/>
    </criteria>

You can use Open policy agent to filter this CVE by package name and|or CVE number.

Regards, Dmitriy

[sozercan]

I have a seperate issue with this package in centos. Trivy reports bind-license 9.11.4-26.P2.el7_9.14 is the fixed version. However, this package version does not exist in centos repo. Latest at this time is .13: https://centos.pkgs.org/7/centos-updates-aarch64/bind-license-9.11.4-26.P2.el7_9.13.noarch.rpm.html

[tspearconquest]

Hey sozercan, that's why I was reporting this issue originally, sorry I failed to mention that. What I did in my case was just remove the package from the image. The bind-license package isn't required by any other packages and only has one file in it, which is the copyright notice. Get Outlook for Android<https://aka.ms/AAb9ysg>

…

________________________________ From: Sertaç Özercan ***@***.***> Sent: Sunday, July 23, 2023 3:40:43 PM To: aquasecurity/trivy ***@***.***> Cc: Thomas Spear ***@***.***>; Mention ***@***.***> Subject: Re: [aquasecurity/trivy] False positive for bind-license package in centos:7 image (Discussion #4847) CAUTION: This email originated from outside the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe. I have a seperate issue with this package in centos. Trivy reports bind-license 9.11.4-26.P2.el7_9.14 is the fixed version. However, this package version does not exist. Latest at this time is .13: https://centos.pkgs.org/7/centos-updates-aarch64/bind-license-9.11.4-26.P2.el7_9.13.noarch.rpm.html — Reply to this email directly, view it on GitHub<#4847 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/ATRTFZ4PCUBZCUGQATCWUKDXRWD4XANCNFSM6AAAAAA2RZ3YVU>. You are receiving this because you were mentioned.Message ID: ***@***.***>