Trivy doesn not detect CVE-2023-31419 for elasticsearch-7.10.2.jar

[navzen2000]

Description

Trivy does not report CVE-2023-31419 for elasticsearch-7.10.2.jar when scanned against docker image

Desired Behavior

CVE-2023-31419 to be reported for elasticsearch-7.10.2.jar

Actual Behavior

CVE-2023-31419 not reported for elasticsearch-7.10.2.jar

Reproduction Steps

1.Scan an image containing elasticsearch-7.10.2.jar 
2.
3.
...

Target

Container Image

Scanner

Vulnerability

Output Format

None

Mode

Standalone

Debug Output

2023-11-14T00:59:04.945-0800    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-11-14T00:59:04.946-0800    DEBUG   Ignore statuses {"statuses": null}
2023-11-14T00:59:04.947-0800    DEBUG   cache dir:  /.cache/trivy
2023-11-14T00:59:04.947-0800    DEBUG   DB update was skipped because the local DB is the latest
2023-11-14T00:59:04.947-0800    DEBUG   DB Schema: 2, UpdatedAt: 2023-11-14 06:11:22.596137326 +0000 UTC, NextUpdate: 2023-11-14 12:11:22.596136965 +0000 UTC, DownloadedAt: 2023-11-14 07:02:27.097608587 +0000 UTC
2023-11-14T00:59:04.947-0800    INFO    Vulnerability scanning is enabled
2023-11-14T00:59:04.947-0800    DEBUG   Vulnerability type:  [os library]
2023-11-14T00:59:04.950-0800    DEBUG   The nuget packages directory couldn't be found. License search disabled
2023-11-14T00:59:04.950-0800    DEBUG   Image ID: sha256:0f5b76ffb23525eceaf59f3878a1333a4c83064a037b3f3c43fb020230c92f5f
2023-11-14T00:59:04.950-0800    DEBUG   Diff IDs: [sha256:b831f8c371d40393e7b66f66361e049e5a94bb1100a15bacbb6983b0133c8ea3 sha256:e04e40f2189817ace73d6292b102812f61481a398c930d7deee094740d62f644 sha256:ffbc0b05c4fbbf311841e69a82d57d716dc20cf4dc1544276c2cadced3995233 sha256:754d2cb3a7ef8976fdfc4d94860ff3b636943da94f92b5d07f7250f115b422c8 sha256:576f2d2a5792b6cde31c8e816fe478cc15d879b0b68f7c604a3c619c106e9e19 sha256:39097e0285136a3e472309d0fa71d101605aaa1334ddb5980b19b47d64a8ef86 sha256:60f7cb83ed77d717cf0a8c21e0c1eee4b4acbd06cfee626a1a2fdb0eab5a78a3 sha256:f84ce08e0855e4848815ab3dbd553c2e5ff404bc74d5db30e664ccb03c6b84be sha256:fc4e5440d43ab71ab497a1d33f6957e9e7e7395c897393cd61b3ceee7a1c4544 sha256:9e9d191e68ab6ad6b33a5a499ff63c4a8e1ab4261a038e3decf48def3e9c9e20 sha256:fa2a340ce9167eec27b6831a39d4866bd79ee61f2379f5f4f4857ba2841051ed sha256:039eac1cb51e210e14581cefa28ba20191ece4bbdbacbb19be60383599371176]
2023-11-14T00:59:04.950-0800    DEBUG   Base Layers: [sha256:b831f8c371d40393e7b66f66361e049e5a94bb1100a15bacbb6983b0133c8ea3]
2023-11-14T00:59:04.966-0800    INFO    Detected OS: oracle
2023-11-14T00:59:04.966-0800    INFO    Detecting Oracle Linux vulnerabilities...
2023-11-14T00:59:04.966-0800    DEBUG   Oracle Linux: os version: 8
2023-11-14T00:59:04.966-0800    DEBUG   Oracle Linux: the number of packages: 179
2023-11-14T00:59:04.971-0800    INFO    Number of language-specific files: 1
2023-11-14T00:59:04.971-0800    INFO    Detecting jar vulnerabilities...
2023-11-14T00:59:04.971-0800    DEBUG   Detecting library vulnerabilities, type: jar, path:

Operating System

linux

Version

trivy --version
Version: 0.46.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-11-14 06:11:22.596137326 +0000 UTC
  NextUpdate: 2023-11-14 12:11:22.596136965 +0000 UTC
  DownloadedAt: 2023-11-14 07:02:27.097608587 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2023-11-14 00:47:12.884424656 +0000 UTC
  NextUpdate: 2023-11-17 00:47:12.884424406 +0000 UTC
  DownloadedAt: 2023-11-14 05:42:29.138768601 +0000 UTC

Checklist

• Run trivy image --reset
• Read the troubleshooting

[DmitriyLewen]

Hello @navzen2000
Thanks for your report!

I downloaded elasticsearch-7.10.2.jar from maven reposirty and Trivy correct detected CVE-2023-31419 for this jar:

➜ wget https://repo1.maven.org/maven2/org/elasticsearch/elasticsearch/7.10.2/elasticsearch-7.10.2.jar
--2023-11-14 16:04:04--  https://repo1.maven.org/maven2/org/elasticsearch/elasticsearch/7.10.2/elasticsearch-7.10.2.jar
Resolving repo1.maven.org (repo1.maven.org)... 146.75.116.209
Connecting to repo1.maven.org (repo1.maven.org)|146.75.116.209|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 13052737 (12M) [application/java-archive]
Saving to: ‘elasticsearch-7.10.2.jar’

elasticsearch-7.10. 100%[===================>]  12,45M  17,2MB/s    in 0,7s    

2023-11-14 16:04:05 (17,2 MB/s) - ‘elasticsearch-7.10.2.jar’ saved [13052737/13052737]

➜ trivy -d rootfs ./elasticsearch-7.10.2.jar 
...

Java (jar)

Total: 6 (UNKNOWN: 0, LOW: 0, MEDIUM: 5, HIGH: 1, CRITICAL: 0)

┌────────────────────────────────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬──────────────────────────────────────────────────────────────┐
│                          Library                           │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                            Title                             │
├────────────────────────────────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼──────────────────────────────────────────────────────────────┤
│ org.elasticsearch:elasticsearch (elasticsearch-7.10.2.jar) │ CVE-2023-31418 │ HIGH     │ fixed  │ 7.10.2            │ 7.17.13, 8.9.0 │ elasticsearch: uncontrolled resource consumption             │
│                                                            │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-31418                   │
│                                                            ├────────────────┼──────────┤        │                   ├────────────────┼──────────────────────────────────────────────────────────────┤
│                                                            │ CVE-2021-22134 │ MEDIUM   │        │                   │ 7.11.0         │ elasticsearch: requests do not properly apply security       │
│                                                            │                │          │        │                   │                │ permissions when executing a query...                        │
│                                                            │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2021-22134                   │
│                                                            ├────────────────┤          │        │                   ├────────────────┼──────────────────────────────────────────────────────────────┤
│                                                            │ CVE-2021-22135 │          │        │                   │ 7.11.2, 6.8.15 │ elasticsearch: Document disclosure flaw in the Elasticsearch │
│                                                            │                │          │        │                   │                │ suggester                                                    │
│                                                            │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2021-22135                   │
│                                                            ├────────────────┤          │        │                   ├────────────────┼──────────────────────────────────────────────────────────────┤
│                                                            │ CVE-2021-22144 │          │        │                   │ 6.8.17, 7.13.3 │ uncontrolled recursion in Grok parser                        │
│                                                            │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2021-22144                   │
│                                                            ├────────────────┤          │        │                   ├────────────────┼──────────────────────────────────────────────────────────────┤
│                                                            │ CVE-2023-31417 │          │        │                   │ 7.17.13, 8.9.2 │ Sensitive information in audit logs                          │
│                                                            │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-31417                   │
│                                                            ├────────────────┤          │        │                   ├────────────────┼──────────────────────────────────────────────────────────────┤
│                                                            │ CVE-2023-31419 │          │        │                   │ 7.17.13, 8.9.1 │ elasticsearch: StackOverflow vulnerability                   │
│                                                            │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-31419                   │
└────────────────────────────────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴──────────────────────────────────────────────────────────────┘

Are you sure your image contains correct version of elasticsearch-7.10.2.jar?

Regards, Dmitriy

[navzen2000]

@DmitriyLewen Thanks for you response.
Please consider below 2 runs:

Trivy 0.46.1

trivy -d rootfs ./elasticsearch-7.10.2.jar
2023-11-14T02:33:55.320-0800 DEBUG Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-11-14T02:33:55.321-0800 DEBUG Ignore statuses {"statuses": null}
2023-11-14T02:33:55.322-0800 DEBUG cache dir: /home/navegupt/.cache/trivy
2023-11-14T02:33:55.323-0800 DEBUG DB update was skipped because the local DB is the latest
2023-11-14T02:33:55.323-0800 DEBUG DB Schema: 2, UpdatedAt: 2023-11-14 06:11:22.596137326 +0000 UTC, NextUpdate: 2023-11-14 12:11:22.596136965 +0000 UTC, DownloadedAt: 2023-11-14 07:02:27.097608587 +0000 UTC
2023-11-14T02:33:55.323-0800 INFO Vulnerability scanning is enabled
2023-11-14T02:33:55.323-0800 DEBUG Vulnerability type: [os library]
2023-11-14T02:33:55.323-0800 INFO Secret scanning is enabled
2023-11-14T02:33:55.323-0800 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-11-14T02:33:55.323-0800 INFO Please see also https://aquasecurity.github.io/trivy/v0.46/docs/scanner/secret/#recommendation for faster secret detection
2023-11-14T02:33:55.323-0800 DEBUG No secret config detected: trivy-secret.yaml
2023-11-14T02:33:55.323-0800 DEBUG The nuget packages directory couldn't be found. License search disabled
2023-11-14T02:33:55.323-0800 DEBUG Walk the file tree rooted at 'elasticsearch-7.10.2.jar' in parallel
2023-11-14T02:33:55.324-0800 DEBUG Parsing Java artifacts... {"file": "elasticsearch-7.10.2.jar"}
2023-11-14T02:33:55.346-0800 DEBUG No such POM in the central repositories {"file": "elasticsearch-7.10.2.jar"}
2023-11-14T02:33:55.355-0800 DEBUG POM was determined in a heuristic way {"file": "elasticsearch-7.10.2.jar", "artifact": "software.amazon.awssdk:elasticsearch:7.10.2"}
2023-11-14T02:33:55.358-0800 DEBUG OS is not detected.
2023-11-14T02:33:55.358-0800 DEBUG Detected OS: unknown
2023-11-14T02:33:55.358-0800 INFO Number of language-specific files: 1
2023-11-14T02:33:55.358-0800 INFO Detecting jar vulnerabilities...
2023-11-14T02:33:55.358-0800 DEBUG Detecting library vulnerabilities, type: jar, path:

Grype 0.65.2
grype elasticsearch-7.10.2.jar
✔ Vulnerability DB [no update available]
✔ Indexed file system /scratch/navegupt/grype
✔ Cataloged packages [1 packages]
✔ Scanned for vulnerabilities [6 vulnerabilities]
├── 0 critical, 3 high, 3 medium, 0 low, 0 negligible
└── 0 fixed
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
elasticsearch 7.10.2 java-archive CVE-2023-31419 High
elasticsearch 7.10.2 java-archive CVE-2023-31418 High
elasticsearch 7.10.2 java-archive CVE-2023-31417 High
elasticsearch 7.10.2 java-archive CVE-2021-22145 Medium
elasticsearch 7.10.2 java-archive CVE-2021-22144 Medium
elasticsearch 7.10.2 java-archive CVE-2021-22134 Medium

This elasticsearch jar was built from source, and other FOSS tools like Grype was able to detect signature (for comparison), while Trivy failed to do so. Can you please tell us what are you exactly looking inside the jar file to detect the signature.

[DmitriyLewen]

We check pom.properties and MANIFEST.MF files - https://github.com/aquasecurity/go-dep-parser/blob/d61bf8be0f05d23b62b065b5861d8cba14a83aa2/pkg/java/jar/parse.go#L99

Can you tell me how you build this jar?
It's strange that your jar doesn't match the jar from the Maven repository.

[navzen2000]

Here is the MANIFEST.MF file inside META-INF folder (obfuscated)
Let me know what are you looking here?

Manifest-Version: 1.0
Multi-Release: true
Module-Origin: ssh://[email protected]@alm.abc.com:2222/mypps-ppt_50501/elasticsearch.git
Change: 909e1cc71def087253228a00143c1f778afa36a5
X-Compile-Elasticsearch-Version: 7.10.2-SNAPSHOT
X-Compile-Lucene-Version: 8.7.0
X-Compile-Elasticsearch-Snapshot: true
Implementation-Title: org.elasticsearch#server;7.10.2-SNAPSHOT
Implementation-Version: 7.10.2-SNAPSHOT
Built-Status: integration
Built-By: root
Built-OS: Linux
Build-Date: 2022-10-21T18:35:40.815186Z
Gradle-Version: 6.6.1
Created-By: 12.0.2+9 
Build-Java-Version: 12
X-Compile-Target-JDK: 1.8
X-Compile-Source-JDK: 1.8

[DmitriyLewen]

We check the following fields: - https://github.com/aquasecurity/go-dep-parser/blob/d61bf8be0f05d23b62b065b5861d8cba14a83aa2/pkg/java/jar/parse.go#L313-L333

[navzen2000]

@DmitriyLewen I think there is more to this check, simply replacing the MANIFEST file with maven one does not work with detection

[DmitriyLewen]

we try to find GroupID by ArtifactID and Version.
But it is not possible to find ArtifactID by GroupID and Version.
there are multiple products (artifactID) for same GroupID and same version for each product.

E.g. there are cases when version is set in BOM files and all products use this version.

[navzen2000]

@DmitriyLewen In order to get coverage for locally built jars from same source, atleast cpe match can be done against name of the jar itself if GAV cannot be ascertained. In our case, jar name(elasticsearch-7.10.2.jar) matches NVD cpe.
I understand, you may not accept it as default behaviour for many good reasons, but atleast tool can accept additional parameter like --paranoidMode=true to help users like me and enable detection based on jar name itself.

Please let me know your thoughts. My concern here is other tools like Grype can identify it, so why Trivy can not.

[DmitriyLewen]

We try to find by file name:

2023-11-22T10:37:24.279+0600	DEBUG	POM was determined in a heuristic way	{"file": "elasticsearch-7.10.2.jar", "artifact": "software.amazon.awssdk:elasticsearch:7.10.2"}

But I got an idea how we can improve our logic.

I'll make changes and write to you.

[DmitriyLewen]

@navzen2000 FYI - created #5627

[navzen2000]

Thank you @DmitriyLewen for your kind consideration!

[DmitriyLewen]

I'm closing this question because #5627 consolidates the issues in this discussion.