Running with gitlab-runner 13.1.0 (6214287e)
  on p1-public-apps-runner-gitlab-runner-77cb6b657c-vdcxv 1wxxGLSt

Preparing the "kubernetes" executor
Using Kubernetes namespace: public-gitlab-runner
Using Kubernetes executor with image aquasec/trivy:0.9.0 ...

Preparing environment
Waiting for pod public-gitlab-runner/runner-1wxxglst-project-1910-concurrent-07rln6 to be running, status is Pending
Waiting for pod public-gitlab-runner/runner-1wxxglst-project-1910-concurrent-07rln6 to be running, status is Pending
Running on runner-1wxxglst-project-1910-concurrent-07rln6 via p1-public-apps-runner-gitlab-runner-77cb6b657c-vdcxv...

Getting source from Git repository
Fetching changes with git depth set to 50...
Initialized empty Git repository in /builds/platform-one/apps/mongodb-exporter/.git/
Created fresh repository.
Checking out a352d1fb as master...
Skipping Git submodules setup

Executing "step_script" stage of the job script
$ apk add skopeo
fetch http://dl-cdn.alpinelinux.org/alpine/v3.11/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.11/community/x86_64/APKINDEX.tar.gz
(1/26) Installing device-mapper-libs (2.02.186-r0)
(2/26) Installing libgpg-error (1.36-r2)
(3/26) Installing libassuan (2.5.3-r0)
(4/26) Installing libffi (3.2.1-r6)
(5/26) Installing libblkid (2.34-r1)
(6/26) Installing libmount (2.34-r1)
(7/26) Installing pcre (8.43-r0)
(8/26) Installing glib (2.62.6-r0)
(9/26) Installing ncurses-terminfo-base (6.1_p20200118-r4)
(10/26) Installing ncurses-libs (6.1_p20200118-r4)
(11/26) Installing libgcrypt (1.8.5-r0)
(12/26) Installing libsecret (0.19.1-r0)
(13/26) Installing pinentry (1.1.0-r2)
Executing pinentry-1.1.0-r2.post-install
(14/26) Installing gmp (6.1.2-r1)
(15/26) Installing nettle (3.5.1-r0)
(16/26) Installing p11-kit (0.23.18.1-r0)
(17/26) Installing libtasn1 (4.15.0-r0)
(18/26) Installing libunistring (0.9.10-r0)
(19/26) Installing gnutls (3.6.15-r0)
(20/26) Installing libksba (1.3.5-r0)
(21/26) Installing libsasl (2.1.27-r5)
(22/26) Installing libldap (2.4.48-r2)
(23/26) Installing npth (1.6-r0)
(24/26) Installing gnupg (2.2.19-r0)
(25/26) Installing gpgme (1.13.1-r1)
(26/26) Installing skopeo (0.1.40-r1)
Executing busybox-1.31.1-r9.trigger
OK: 79 MiB in 64 packages
$ skopeo copy --screds $CI_REGISTRY_USER:$CI_REGISTRY_PASSWORD docker://$IMAGE:$CI_COMMIT_SHORT_SHA oci:/image
Getting image source signatures
Copying blob sha256:522a7372a4aea514c26dd3402b14ff4de654010c3352b252b6e3974c44215d5d
Copying blob sha256:cbe60fe4a8b18b60f84faa023c90a7ba64f48fb5249517db2a61c8ba96cc660e
Copying blob sha256:fb78daee0fffa28cf99f7db8b80a6451a7d26d7608c87b12df3a88c11c7ab3f2
Copying blob sha256:3c566ab45064db5c5026ffa177ba88d15135b19a3373bcd026b1f874c165aa6a
Copying blob sha256:0420dd52b080576a9787a8723523b24c4cbf1bce00bf7f7389049aa4962746d3
Copying blob sha256:5d91bca170739213a4810e75156f86ecf640272b088cbae542c2ab2c036f3762
Copying blob sha256:e894e8ff1fd3625940789ba099d42b7df18405b59b7af93034e6c5d9fd046d06
Copying config sha256:88d47c9fc9fc7de0ee43e4890319b071d78c001ec18945f75ad913f5c923c7c0
Writing manifest to image destination
Storing signatures
$ trivy --no-progress --input /image
2020-09-10T02:37:46.307Z  INFO  Need to update DB
2020-09-10T02:37:46.307Z  INFO  Downloading DB...
2020-09-10T02:37:49.286Z  INFO  Detecting Debian vulnerabilities...

/image (debian 10.5)
====================
Total: 118 (UNKNOWN: 0, LOW: 96, MEDIUM: 22, HIGH: 0, CRITICAL: 0)

The findings table below is the same Trivy output with one row per finding; values Trivy prints once for a merged cell (library, severity, installed version, title shared by two IDs) are repeated on every row, and FIXED VERSION is empty for all 118 entries.

| LIBRARY          | VULNERABILITY ID    | SEVERITY | INSTALLED VERSION     | FIXED VERSION | TITLE                                                                                              |
|------------------|---------------------|----------|-----------------------|---------------|----------------------------------------------------------------------------------------------------|
| apt              | CVE-2011-3374       | LOW      | 1.8.2.1               |               | It was found that apt-key in apt, all versions, do not correctly...                                |
| bash             | CVE-2019-18276      | LOW      | 5.0-4                 |               | bash: when effective UID is not equal to its real UID the...                                       |
| bash             | TEMP-0841856-B18BAF | LOW      | 5.0-4                 |               |                                                                                                    |
| coreutils        | CVE-2016-2781       | LOW      | 8.30-3                |               | coreutils: Non-privileged session can escape to the parent session in chroot                       |
| coreutils        | CVE-2017-18018      | LOW      | 8.30-3                |               | coreutils: race condition vulnerability in chown and chgrp                                         |
| curl             | CVE-2020-8169       | MEDIUM   | 7.64.0-4+deb10u1      |               | libcurl: partial password leak over DNS on HTTP redirect                                           |
| curl             | CVE-2020-8177       | MEDIUM   | 7.64.0-4+deb10u1      |               | curl: Incorrect argument check can allow remote servers to overwrite local files...                |
| curl             | CVE-2020-8231       | LOW      | 7.64.0-4+deb10u1      |               | curl: Expired pointer dereference via multi API with `CURLOPT_CONNECT_ONLY` option set             |
| gcc-8-base       | CVE-2018-12886      | MEDIUM   | 8.3.0-6               |               | gcc: spilling of stack protection address in cfgexpand.c and function.c leads to...                |
| gcc-8-base       | CVE-2019-15847      | MEDIUM   | 8.3.0-6               |               | gcc: POWER9 "DARN" RNG intrinsic produces repeated output                                          |
| gpgv             | CVE-2019-14855      | LOW      | 2.2.12-1+deb10u1      |               | gnupg2: OpenPGP Key Certification Forgeries with SHA-1                                             |
| libapt-pkg5.0    | CVE-2011-3374       | LOW      | 1.8.2.1               |               | It was found that apt-key in apt, all versions, do not correctly...                                |
| libc-bin         | CVE-2020-1751       | MEDIUM   | 2.28-10               |               | glibc: array overflow in backtrace functions for powerpc                                           |
| libc-bin         | CVE-2010-4051       | LOW      | 2.28-10               |               | CVE-2010-4052 glibc: De-recursivise regular expression engine                                      |
| libc-bin         | CVE-2010-4052       | LOW      | 2.28-10               |               | CVE-2010-4051 CVE-2010-4052 glibc: De-recursivise regular expression engine                        |
| libc-bin         | CVE-2010-4756       | LOW      | 2.28-10               |               | glibc: glob implementation can cause excessive CPU and memory consumption due to...                |
| libc-bin         | CVE-2016-10228      | LOW      | 2.28-10               |               | glibc: iconv program can hang when invoked with the -c option                                      |
| libc-bin         | CVE-2018-20796      | LOW      | 2.28-10               |               | glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c           |
| libc-bin         | CVE-2019-1010022    | LOW      | 2.28-10               |               | glibc: stack guard protection bypass                                                               |
| libc-bin         | CVE-2019-1010023    | LOW      | 2.28-10               |               | glibc: running ldd on malicious ELF leads to code execution because of...                          |
| libc-bin         | CVE-2019-1010024    | LOW      | 2.28-10               |               | glibc: ASLR bypass using cache of thread stack and heap                                            |
| libc-bin         | CVE-2019-1010025    | LOW      | 2.28-10               |               | glibc: information disclosure of heap addresses of pthread_created thread                          |
| libc-bin         | CVE-2019-19126      | LOW      | 2.28-10               |               | glibc: LD_PREFER_MAP_32BIT_EXEC not ignored in setuid binaries                                     |
| libc-bin         | CVE-2019-9192       | LOW      | 2.28-10               |               | glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c           |
| libc-bin         | CVE-2020-10029      | LOW      | 2.28-10               |               | glibc: stack corruption from crafted input in cosl, sinl, sincosl, and tanl...                     |
| libc-bin         | CVE-2020-1752       | LOW      | 2.28-10               |               | glibc: use-after-free in glob() function when expanding ~user                                      |
| libc-bin         | CVE-2020-6096       | LOW      | 2.28-10               |               | glibc: signed comparison vulnerability in the ARMv7 memcpy function                                |
| libc6            | CVE-2020-1751       | MEDIUM   | 2.28-10               |               | glibc: array overflow in backtrace functions for powerpc                                           |
| libc6            | CVE-2010-4051       | LOW      | 2.28-10               |               | CVE-2010-4052 glibc: De-recursivise regular expression engine                                      |
| libc6            | CVE-2010-4052       | LOW      | 2.28-10               |               | CVE-2010-4051 CVE-2010-4052 glibc: De-recursivise regular expression engine                        |
| libc6            | CVE-2010-4756       | LOW      | 2.28-10               |               | glibc: glob implementation can cause excessive CPU and memory consumption due to...                |
| libc6            | CVE-2016-10228      | LOW      | 2.28-10               |               | glibc: iconv program can hang when invoked with the -c option                                      |
| libc6            | CVE-2018-20796      | LOW      | 2.28-10               |               | glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c           |
| libc6            | CVE-2019-1010022    | LOW      | 2.28-10               |               | glibc: stack guard protection bypass                                                               |
| libc6            | CVE-2019-1010023    | LOW      | 2.28-10               |               | glibc: running ldd on malicious ELF leads to code execution because of...                          |
| libc6            | CVE-2019-1010024    | LOW      | 2.28-10               |               | glibc: ASLR bypass using cache of thread stack and heap                                            |
| libc6            | CVE-2019-1010025    | LOW      | 2.28-10               |               | glibc: information disclosure of heap addresses of pthread_created thread                          |
| libc6            | CVE-2019-19126      | LOW      | 2.28-10               |               | glibc: LD_PREFER_MAP_32BIT_EXEC not ignored in setuid binaries                                     |
| libc6            | CVE-2019-9192       | LOW      | 2.28-10               |               | glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c           |
| libc6            | CVE-2020-10029      | LOW      | 2.28-10               |               | glibc: stack corruption from crafted input in cosl, sinl, sincosl, and tanl...                     |
| libc6            | CVE-2020-1752       | LOW      | 2.28-10               |               | glibc: use-after-free in glob() function when expanding ~user                                      |
| libc6            | CVE-2020-6096       | LOW      | 2.28-10               |               | glibc: signed comparison vulnerability in the ARMv7 memcpy function                                |
| libcurl4         | CVE-2020-8169       | MEDIUM   | 7.64.0-4+deb10u1      |               | libcurl: partial password leak over DNS on HTTP redirect                                           |
| libcurl4         | CVE-2020-8177       | MEDIUM   | 7.64.0-4+deb10u1      |               | curl: Incorrect argument check can allow remote servers to overwrite local files...                |
| libcurl4         | CVE-2020-8231       | LOW      | 7.64.0-4+deb10u1      |               | curl: Expired pointer dereference via multi API with `CURLOPT_CONNECT_ONLY` option set             |
| libgcc1          | CVE-2018-12886      | MEDIUM   | 8.3.0-6               |               | gcc: spilling of stack protection address in cfgexpand.c and function.c leads to...                |
| libgcc1          | CVE-2019-15847      | MEDIUM   | 8.3.0-6               |               | gcc: POWER9 "DARN" RNG intrinsic produces repeated output                                          |
| libgcrypt20      | CVE-2019-12904      | MEDIUM   | 1.8.4-5               |               | Libgcrypt: physical addresses being available to other processes leads to a flush-and-reload...    |
| libgcrypt20      | CVE-2018-6829       | LOW      | 1.8.4-5               |               | libgcrypt: ElGamal implementation doesn't have semantic security due to incorrectly encoded plaintexts... |
| libgcrypt20      | CVE-2019-13627      | LOW      | 1.8.4-5               |               | libgcrypt: ECDSA timing attack in the libgcrypt20 cryptographic library                            |
| libgnutls30      | CVE-2020-24659      | MEDIUM   | 3.6.7-4+deb10u5       |               | gnutls: Heap buffer overflow in handshake with no_renegotiation alert sent                         |
| libgnutls30      | CVE-2011-3389       | LOW      | 3.6.7-4+deb10u5       |               | HTTPS: block-wise chosen-plaintext attack against SSL/TLS (BEAST)                                  |
| libgssapi-krb5-2 | CVE-2004-0971       | LOW      | 1.17-3                |               | security flaw                                                                                      |
| libgssapi-krb5-2 | CVE-2018-5709       | LOW      | 1.17-3                |               | krb5: integer overflow in dbentry->n_key_data in kadmin/dbutil/dump.c                              |
| libidn2-0        | CVE-2019-12290      | MEDIUM   | 2.0.5-1+deb10u1       |               | GNU libidn2 before 2.2.0 fails to perform the roundtrip checks specified in...                     |
| libk5crypto3     | CVE-2004-0971       | LOW      | 1.17-3                |               | security flaw                                                                                      |
| libk5crypto3     | CVE-2018-5709       | LOW      | 1.17-3                |               | krb5: integer overflow in dbentry->n_key_data in kadmin/dbutil/dump.c                              |
| libkrb5-3        | CVE-2004-0971       | LOW      | 1.17-3                |               | security flaw                                                                                      |
| libkrb5-3        | CVE-2018-5709       | LOW      | 1.17-3                |               | krb5: integer overflow in dbentry->n_key_data in kadmin/dbutil/dump.c                              |
| libkrb5support0  | CVE-2004-0971       | LOW      | 1.17-3                |               | security flaw                                                                                      |
| libkrb5support0  | CVE-2018-5709       | LOW      | 1.17-3                |               | krb5: integer overflow in dbentry->n_key_data in kadmin/dbutil/dump.c                              |
| libldap-2.4-2    | CVE-2015-3276       | LOW      | 2.4.47+dfsg-3+deb10u2 |               | openldap: incorrect multi-keyword mode cipherstring parsing                                        |
| libldap-2.4-2    | CVE-2017-14159      | LOW      | 2.4.47+dfsg-3+deb10u2 |               | openldap: Privilege escalation via PID file manipulation                                           |
| libldap-2.4-2    | CVE-2017-17740      | LOW      | 2.4.47+dfsg-3+deb10u2 |               | openldap: contrib/slapd-modules/nops/nops.c attempts to free stack buffer allowing remote attackers to cause... |
| libldap-2.4-2    | CVE-2020-15719      | LOW      | 2.4.47+dfsg-3+deb10u2 |               | openldap: Certificate validation incorrectly matches name against CN-ID                            |
| libldap-common   | CVE-2015-3276       | LOW      | 2.4.47+dfsg-3+deb10u2 |               | openldap: incorrect multi-keyword mode cipherstring parsing                                        |
| libldap-common   | CVE-2017-14159      | LOW      | 2.4.47+dfsg-3+deb10u2 |               | openldap: Privilege escalation via PID file manipulation                                           |
| libldap-common   | CVE-2017-17740      | LOW      | 2.4.47+dfsg-3+deb10u2 |               | openldap: contrib/slapd-modules/nops/nops.c attempts to free stack buffer allowing remote attackers to cause... |
| libldap-common   | CVE-2020-15719      | LOW      | 2.4.47+dfsg-3+deb10u2 |               | openldap: Certificate validation incorrectly matches name against CN-ID                            |
| liblz4-1         | CVE-2019-17543      | LOW      | 1.8.3-1               |               | lz4: heap-based buffer overflow in LZ4_write32                                                     |
| libnghttp2-14    | TEMP-0000000-A4EF31 | LOW      | 1.36.0-2+deb10u1      |               |                                                                                                    |
| libpcre2-8-0     | CVE-2019-20454      | MEDIUM   | 10.32-5               |               | pcre: Out of bounds read in JIT mode when \X is used...                                            |
| libpcre3         | CVE-2020-14155      | MEDIUM   | 2:8.39-12             |               | pcre: integer overflow in libpcre                                                                  |
| libpcre3         | CVE-2017-11164      | LOW      | 2:8.39-12             |               | pcre: OP_KETRMAX feature in the match function in pcre_exec.c                                      |
| libpcre3         | CVE-2017-16231      | LOW      | 2:8.39-12             |               | pcre: self-recursive call in match() in pcre_exec.c leads to denial of service...                  |
| libpcre3         | CVE-2017-7245       | LOW      | 2:8.39-12             |               | pcre: stack-based buffer overflow write in pcre32_copy_substring                                   |
| libpcre3         | CVE-2017-7246       | LOW      | 2:8.39-12             |               | pcre: stack-based buffer overflow write in pcre32_copy_substring                                   |
| libpcre3         | CVE-2019-20838      | LOW      | 2:8.39-12             |               | pcre: buffer over-read in JIT when UTF is disabled                                                 |
| libseccomp2      | CVE-2019-9893       | LOW      | 2.3.3-4               |               | libseccomp: incorrect generation of syscall filters in libseccomp                                  |
| libssh2-1        | CVE-2019-13115      | MEDIUM   | 1.8.0-2.1             |               | libssh2: integer overflow in kex_method_diffie_hellman_group_exchange_sha256_key_exchange in kex.c leads to out-of-bounds write |
| libssh2-1        | CVE-2019-17498      | LOW      | 1.8.0-2.1             |               | libssh2: integer overflow in SSH_MSG_DISCONNECT logic in packet.c                                  |
| libssl1.1        | CVE-2007-6755       | LOW      | 1.1.1d-0+deb10u3      |               | Dual_EC_DRBG: weak pseudo random number generator                                                  |
| libssl1.1        | CVE-2010-0928       | LOW      | 1.1.1d-0+deb10u3      |               | openssl: RSA authentication weakness                                                               |
| libssl1.1        | CVE-2019-1551       | LOW      | 1.1.1d-0+deb10u3      |               | openssl: Integer overflow in RSAZ modular exponentiation on x86_64                                 |
| libssl1.1        | CVE-2020-1968       | LOW      | 1.1.1d-0+deb10u3      |               | The Raccoon attack exploits a flaw in the TLS specification which can...                           |
| libstdc++6       | CVE-2018-12886      | MEDIUM   | 8.3.0-6               |               | gcc: spilling of stack protection address in cfgexpand.c and function.c leads to...                |
| libstdc++6       | CVE-2019-15847      | MEDIUM   | 8.3.0-6               |               | gcc: POWER9 "DARN" RNG intrinsic produces repeated output                                          |
| libsystemd0      | CVE-2019-3843       | MEDIUM   | 241-7~deb10u4         |               | systemd: services with DynamicUser can create SUID/SGID binaries                                   |
| libsystemd0      | CVE-2019-3844       | MEDIUM   | 241-7~deb10u4         |               | systemd: services with DynamicUser can get new privileges and create SGID binaries...              |
| libsystemd0      | CVE-2013-4392       | LOW      | 241-7~deb10u4         |               | systemd: TOCTOU race condition when updating file permissions and SELinux security contexts...     |
| libsystemd0      | CVE-2019-20386      | LOW      | 241-7~deb10u4         |               | systemd: memory leak in button_open() in login/logind-button.c when udev events are received...    |
| libsystemd0      | CVE-2020-13776      | LOW      | 241-7~deb10u4         |               | systemd: mishandles numerical usernames beginning with decimal digits or 0x followed by...         |
| libtasn1-6       | CVE-2018-1000654    | LOW      | 4.13-3                |               | libtasn1: Infinite loop in _asn1_expand_object_id(ptree) leads to memory exhaustion                |
| libudev1         | CVE-2019-3843       | MEDIUM   | 241-7~deb10u4         |               | systemd: services with DynamicUser can create SUID/SGID binaries                                   |
| libudev1         | CVE-2019-3844       | MEDIUM   | 241-7~deb10u4         |               | systemd: services with DynamicUser can get new privileges and create SGID binaries...              |
| libudev1         | CVE-2013-4392       | LOW      | 241-7~deb10u4         |               | systemd: TOCTOU race condition when updating file permissions and SELinux security contexts...     |
| libudev1         | CVE-2019-20386      | LOW      | 241-7~deb10u4         |               | systemd: memory leak in button_open() in login/logind-button.c when udev events are received...    |
| libudev1         | CVE-2020-13776      | LOW      | 241-7~deb10u4         |               | systemd: mishandles numerical usernames beginning with decimal digits or 0x followed by...         |
| login            | CVE-2007-5686       | LOW      | 1:4.5-1.1             |               | initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file,...              |
| login            | CVE-2013-4235       | LOW      | 1:4.5-1.1             |               | shadow-utils: TOCTOU race conditions by copying and removing directory trees                       |
| login            | CVE-2018-7169       | LOW      | 1:4.5-1.1             |               | shadow-utils: newgidmap allows unprivileged user to drop supplementary groups potentially allowing privilege... |
| login            | CVE-2019-19882      | LOW      | 1:4.5-1.1             |               | shadow-utils: local users can obtain root access because setuid programs are misconfigured...      |
| login            | TEMP-0628843-DBAD28 | LOW      | 1:4.5-1.1             |               |                                                                                                    |
| openssl          | CVE-2007-6755       | LOW      | 1.1.1d-0+deb10u3      |               | Dual_EC_DRBG: weak pseudo random number generator                                                  |
| openssl          | CVE-2010-0928       | LOW      | 1.1.1d-0+deb10u3      |               | openssl: RSA authentication weakness                                                               |
| openssl          | CVE-2019-1551       | LOW      | 1.1.1d-0+deb10u3      |               | openssl: Integer overflow in RSAZ modular exponentiation on x86_64                                 |
| openssl          | CVE-2020-1968       | LOW      | 1.1.1d-0+deb10u3      |               | The Raccoon attack exploits a flaw in the TLS specification which can...                           |
| passwd           | CVE-2007-5686       | LOW      | 1:4.5-1.1             |               | initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file,...              |
| passwd           | CVE-2013-4235       | LOW      | 1:4.5-1.1             |               | shadow-utils: TOCTOU race conditions by copying and removing directory trees                       |
| passwd           | CVE-2018-7169       | LOW      | 1:4.5-1.1             |               | shadow-utils: newgidmap allows unprivileged user to drop supplementary groups potentially allowing privilege... |
| passwd           | CVE-2019-19882      | LOW      | 1:4.5-1.1             |               | shadow-utils: local users can obtain root access because setuid programs are misconfigured...      |
| passwd           | TEMP-0628843-DBAD28 | LOW      | 1:4.5-1.1             |               |                                                                                                    |
| perl-base        | CVE-2011-4116       | LOW      | 5.28.1-6+deb10u1      |               | perl: File::Temp insecure temporary file handling                                                  |
| sysv-rc          | TEMP-0517018-A83CE6 | LOW      | 2.93-8                |               |                                                                                                    |
| sysvinit-utils   | TEMP-0517018-A83CE6 | LOW      | 2.93-8                |               |                                                                                                    |
| tar              | CVE-2005-2541       | LOW      | 1.30+dfsg-6           |               | Tar 1.15.1 does not properly warn the user when extracting setuid or...                            |
| tar              | CVE-2019-9923       | LOW      | 1.30+dfsg-6           |               | tar: null-pointer dereference in pax_decode_header in sparse.c                                     |
| tar              | TEMP-0290435-0B57B5 | LOW      | 1.30+dfsg-6           |               |                                                                                                    |

$ trivy --no-progress -f json -o gl-container-scanning-report.json --input /image
2020-09-10T02:37:49.335Z  INFO  Detecting Debian vulnerabilities...
$ echo "This scan is currently only implemented for awareness, no pipeline actions are taken as a result of the scans"
This scan is currently only implemented for awareness, no pipeline actions are taken as a result of the scans

Uploading artifacts for successful job
Uploading artifacts...
gl-container-scanning-report.json: found 1 matching files and directories
Uploading artifacts as "container_scanning" to coordinator... ok  id=304952 responseStatus=201 Created token=qqVx3dcV
Job succeeded