Running with gitlab-runner 13.1.0 (6214287e)
  on p1-public-apps-runner-gitlab-runner-77cb6b657c-vdcxv 1wxxGLSt
section_start:1599702215:prepare_executor
Preparing the "kubernetes" executor
Using Kubernetes namespace: public-gitlab-runner
Using Kubernetes executor with image aquasec/trivy:0.9.0 ...
section_end:1599702215:prepare_executor
section_start:1599702215:prepare_script
Preparing environment
Waiting for pod public-gitlab-runner/runner-1wxxglst-project-1907-concurrent-0mnktm to be running, status is Pending
Waiting for pod public-gitlab-runner/runner-1wxxglst-project-1907-concurrent-0mnktm to be running, status is Pending
Waiting for pod public-gitlab-runner/runner-1wxxglst-project-1907-concurrent-0mnktm to be running, status is Pending
Waiting for pod public-gitlab-runner/runner-1wxxglst-project-1907-concurrent-0mnktm to be running, status is Pending
Running on runner-1wxxglst-project-1907-concurrent-0mnktm via p1-public-apps-runner-gitlab-runner-77cb6b657c-vdcxv...
section_end:1599702227:prepare_script
section_start:1599702227:get_sources
Getting source from Git repository
Fetching changes with git depth set to 50...
Initialized empty Git repository in /builds/platform-one/apps/mongodb-sharded/.git/
Created fresh repository.
Checking out cf84b4b8 as master...
Skipping Git submodules setup
section_end:1599702228:get_sources
section_start:1599702228:step_script
Executing "step_script" stage of the job script
$ apk add skopeo
fetch http://dl-cdn.alpinelinux.org/alpine/v3.11/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.11/community/x86_64/APKINDEX.tar.gz
(1/26) Installing device-mapper-libs (2.02.186-r0)
(2/26) Installing libgpg-error (1.36-r2)
(3/26) Installing libassuan (2.5.3-r0)
(4/26) Installing libffi (3.2.1-r6)
(5/26) Installing libblkid (2.34-r1)
(6/26) Installing libmount (2.34-r1)
(7/26) Installing pcre (8.43-r0)
(8/26) Installing glib (2.62.6-r0)
(9/26) Installing ncurses-terminfo-base (6.1_p20200118-r4)
(10/26) Installing ncurses-libs (6.1_p20200118-r4)
(11/26) Installing libgcrypt (1.8.5-r0)
(12/26) Installing libsecret (0.19.1-r0)
(13/26) Installing pinentry (1.1.0-r2)
Executing pinentry-1.1.0-r2.post-install
(14/26) Installing gmp (6.1.2-r1)
(15/26) Installing nettle (3.5.1-r0)
(16/26) Installing p11-kit (0.23.18.1-r0)
(17/26) Installing libtasn1 (4.15.0-r0)
(18/26) Installing libunistring (0.9.10-r0)
(19/26) Installing gnutls (3.6.15-r0)
(20/26) Installing libksba (1.3.5-r0)
(21/26) Installing libsasl (2.1.27-r5)
(22/26) Installing libldap (2.4.48-r2)
(23/26) Installing npth (1.6-r0)
(24/26) Installing gnupg (2.2.19-r0)
(25/26) Installing gpgme (1.13.1-r1)
(26/26) Installing skopeo (0.1.40-r1)
Executing busybox-1.31.1-r9.trigger
OK: 79 MiB in 64 packages
$ skopeo copy --screds $CI_REGISTRY_USER:$CI_REGISTRY_PASSWORD docker://$IMAGE:$CI_COMMIT_SHORT_SHA oci:/image
Getting image source signatures
Copying blob sha256:522a7372a4aea514c26dd3402b14ff4de654010c3352b252b6e3974c44215d5d
Copying config sha256:118498d50c15f89c5b233d7694592fd0953dd1a42aa299ed071db3c421da91c1
Writing manifest to image destination
Storing signatures
$ trivy --no-progress --input /image
2020-09-10T01:43:51.386Z INFO Need to update DB
2020-09-10T01:43:51.387Z INFO Downloading DB...
2020-09-10T01:43:54.434Z INFO Detecting Debian vulnerabilities...

/image (debian 10.5)
====================
Total: 84 (UNKNOWN: 0, LOW: 68, MEDIUM: 16, HIGH: 0, CRITICAL: 0)

+----------------+---------------------+----------+-------------------+---------------+--------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+----------------+---------------------+----------+-------------------+---------------+--------------------------------+
| apt | CVE-2011-3374 | LOW | 1.8.2.1 | | It was found that apt-key in apt, all versions, do not correctly... |
| bash | CVE-2019-18276 | LOW | 5.0-4 | | bash: when effective UID is not equal to its real UID the... |
| bash | TEMP-0841856-B18BAF | LOW | 5.0-4 | | |
| coreutils | CVE-2016-2781 | LOW | 8.30-3 | | coreutils: Non-privileged session can escape to the parent session in chroot |
| coreutils | CVE-2017-18018 | LOW | 8.30-3 | | coreutils: race condition vulnerability in chown and chgrp |
| gcc-8-base | CVE-2018-12886 | MEDIUM | 8.3.0-6 | | gcc: spilling of stack protection address in cfgexpand.c and function.c leads to... |
| gcc-8-base | CVE-2019-15847 | MEDIUM | 8.3.0-6 | | gcc: POWER9 "DARN" RNG intrinsic produces repeated output |
| gpgv | CVE-2019-14855 | LOW | 2.2.12-1+deb10u1 | | gnupg2: OpenPGP Key Certification Forgeries with SHA-1 |
| libapt-pkg5.0 | CVE-2011-3374 | LOW | 1.8.2.1 | | It was found that apt-key in apt, all versions, do not correctly... |
| libc-bin | CVE-2020-1751 | MEDIUM | 2.28-10 | | glibc: array overflow in backtrace functions for powerpc |
| libc-bin | CVE-2010-4051 | LOW | 2.28-10 | | CVE-2010-4052 glibc: De-recursivise regular expression engine |
| libc-bin | CVE-2010-4052 | LOW | 2.28-10 | | CVE-2010-4051 CVE-2010-4052 glibc: De-recursivise regular expression engine |
| libc-bin | CVE-2010-4756 | LOW | 2.28-10 | | glibc: glob implementation can cause excessive CPU and memory consumption due to... |
| libc-bin | CVE-2016-10228 | LOW | 2.28-10 | | glibc: iconv program can hang when invoked with the -c option |
| libc-bin | CVE-2018-20796 | LOW | 2.28-10 | | glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c |
| libc-bin | CVE-2019-1010022 | LOW | 2.28-10 | | glibc: stack guard protection bypass |
| libc-bin | CVE-2019-1010023 | LOW | 2.28-10 | | glibc: running ldd on malicious ELF leads to code execution because of... |
| libc-bin | CVE-2019-1010024 | LOW | 2.28-10 | | glibc: ASLR bypass using cache of thread stack and heap |
| libc-bin | CVE-2019-1010025 | LOW | 2.28-10 | | glibc: information disclosure of heap addresses of pthread_created thread |
| libc-bin | CVE-2019-19126 | LOW | 2.28-10 | | glibc: LD_PREFER_MAP_32BIT_EXEC not ignored in setuid binaries |
| libc-bin | CVE-2019-9192 | LOW | 2.28-10 | | glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c |
| libc-bin | CVE-2020-10029 | LOW | 2.28-10 | | glibc: stack corruption from crafted input in cosl, sinl, sincosl, and tanl... |
| libc-bin | CVE-2020-1752 | LOW | 2.28-10 | | glibc: use-after-free in glob() function when expanding ~user |
| libc-bin | CVE-2020-6096 | LOW | 2.28-10 | | glibc: signed comparison vulnerability in the ARMv7 memcpy function |
| libc6 | CVE-2020-1751 | MEDIUM | 2.28-10 | | glibc: array overflow in backtrace functions for powerpc |
| libc6 | CVE-2010-4051 | LOW | 2.28-10 | | CVE-2010-4052 glibc: De-recursivise regular expression engine |
| libc6 | CVE-2010-4052 | LOW | 2.28-10 | | CVE-2010-4051 CVE-2010-4052 glibc: De-recursivise regular expression engine |
| libc6 | CVE-2010-4756 | LOW | 2.28-10 | | glibc: glob implementation can cause excessive CPU and memory consumption due to... |
| libc6 | CVE-2016-10228 | LOW | 2.28-10 | | glibc: iconv program can hang when invoked with the -c option |
| libc6 | CVE-2018-20796 | LOW | 2.28-10 | | glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c |
| libc6 | CVE-2019-1010022 | LOW | 2.28-10 | | glibc: stack guard protection bypass |
| libc6 | CVE-2019-1010023 | LOW | 2.28-10 | | glibc: running ldd on malicious ELF leads to code execution because of... |
| libc6 | CVE-2019-1010024 | LOW | 2.28-10 | | glibc: ASLR bypass using cache of thread stack and heap |
| libc6 | CVE-2019-1010025 | LOW | 2.28-10 | | glibc: information disclosure of heap addresses of pthread_created thread |
| libc6 | CVE-2019-19126 | LOW | 2.28-10 | | glibc: LD_PREFER_MAP_32BIT_EXEC not ignored in setuid binaries |
| libc6 | CVE-2019-9192 | LOW | 2.28-10 | | glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c |
| libc6 | CVE-2020-10029 | LOW | 2.28-10 | | glibc: stack corruption from crafted input in cosl, sinl, sincosl, and tanl... |
| libc6 | CVE-2020-1752 | LOW | 2.28-10 | | glibc: use-after-free in glob() function when expanding ~user |
| libc6 | CVE-2020-6096 | LOW | 2.28-10 | | glibc: signed comparison vulnerability in the ARMv7 memcpy function |
| libgcc1 | CVE-2018-12886 | MEDIUM | 8.3.0-6 | | gcc: spilling of stack protection address in cfgexpand.c and function.c leads to... |
| libgcc1 | CVE-2019-15847 | MEDIUM | 8.3.0-6 | | gcc: POWER9 "DARN" RNG intrinsic produces repeated output |
| libgcrypt20 | CVE-2019-12904 | MEDIUM | 1.8.4-5 | | Libgcrypt: physical addresses being available to other processes leads to a flush-and-reload... |
| libgcrypt20 | CVE-2018-6829 | LOW | 1.8.4-5 | | libgcrypt: ElGamal implementation doesn't have semantic security due to incorrectly encoded plaintexts... |
| libgcrypt20 | CVE-2019-13627 | LOW | 1.8.4-5 | | libgcrypt: ECDSA timing attack in the libgcrypt20 cryptographic library |
| libgnutls30 | CVE-2020-24659 | MEDIUM | 3.6.7-4+deb10u5 | | gnutls: Heap buffer overflow in handshake with no_renegotiation alert sent |
| libgnutls30 | CVE-2011-3389 | LOW | 3.6.7-4+deb10u5 | | HTTPS: block-wise chosen-plaintext attack against SSL/TLS (BEAST) |
| libidn2-0 | CVE-2019-12290 | MEDIUM | 2.0.5-1+deb10u1 | | GNU libidn2 before 2.2.0 fails to perform the roundtrip checks specified in... |
| liblz4-1 | CVE-2019-17543 | LOW | 1.8.3-1 | | lz4: heap-based buffer overflow in LZ4_write32 |
| libpcre3 | CVE-2020-14155 | MEDIUM | 2:8.39-12 | | pcre: integer overflow in libpcre |
| libpcre3 | CVE-2017-11164 | LOW | 2:8.39-12 | | pcre: OP_KETRMAX feature in the match function in pcre_exec.c |
| libpcre3 | CVE-2017-16231 | LOW | 2:8.39-12 | | pcre: self-recursive call in match() in pcre_exec.c leads to denial of service... |
| libpcre3 | CVE-2017-7245 | LOW | 2:8.39-12 | | pcre: stack-based buffer overflow write in pcre32_copy_substring |
| libpcre3 | CVE-2017-7246 | LOW | 2:8.39-12 | | pcre: stack-based buffer overflow write in pcre32_copy_substring |
| libpcre3 | CVE-2019-20838 | LOW | 2:8.39-12 | | pcre: buffer over-read in JIT when UTF is disabled |
| libseccomp2 | CVE-2019-9893 | LOW | 2.3.3-4 | | libseccomp: incorrect generation of syscall filters in libseccomp |
| libstdc++6 | CVE-2018-12886 | MEDIUM | 8.3.0-6 | | gcc: spilling of stack protection address in cfgexpand.c and function.c leads to... |
| libstdc++6 | CVE-2019-15847 | MEDIUM | 8.3.0-6 | | gcc: POWER9 "DARN" RNG intrinsic produces repeated output |
| libsystemd0 | CVE-2019-3843 | MEDIUM | 241-7~deb10u4 | | systemd: services with DynamicUser can create SUID/SGID binaries |
| libsystemd0 | CVE-2019-3844 | MEDIUM | 241-7~deb10u4 | | systemd: services with DynamicUser can get new privileges and create SGID binaries... |
| libsystemd0 | CVE-2013-4392 | LOW | 241-7~deb10u4 | | systemd: TOCTOU race condition when updating file permissions and SELinux security contexts... |
| libsystemd0 | CVE-2019-20386 | LOW | 241-7~deb10u4 | | systemd: memory leak in button_open() in login/logind-button.c when udev events are received... |
| libsystemd0 | CVE-2020-13776 | LOW | 241-7~deb10u4 | | systemd: mishandles numerical usernames beginning with decimal digits or 0x followed by... |
| libtasn1-6 | CVE-2018-1000654 | LOW | 4.13-3 | | libtasn1: Infinite loop in _asn1_expand_object_id(ptree) leads to memory exhaustion |
| libudev1 | CVE-2019-3843 | MEDIUM | 241-7~deb10u4 | | systemd: services with DynamicUser can create SUID/SGID binaries |
| libudev1 | CVE-2019-3844 | MEDIUM | 241-7~deb10u4 | | systemd: services with DynamicUser can get new privileges and create SGID binaries... |
| libudev1 | CVE-2013-4392 | LOW | 241-7~deb10u4 | | systemd: TOCTOU race condition when updating file permissions and SELinux security contexts... |
| libudev1 | CVE-2019-20386 | LOW | 241-7~deb10u4 | | systemd: memory leak in button_open() in login/logind-button.c when udev events are received... |
| libudev1 | CVE-2020-13776 | LOW | 241-7~deb10u4 | | systemd: mishandles numerical usernames beginning with decimal digits or 0x followed by... |
| login | CVE-2007-5686 | LOW | 1:4.5-1.1 | | initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file,... |
| login | CVE-2013-4235 | LOW | 1:4.5-1.1 | | shadow-utils: TOCTOU race conditions by copying and removing directory trees |
| login | CVE-2018-7169 | LOW | 1:4.5-1.1 | | shadow-utils: newgidmap allows unprivileged user to drop supplementary groups potentially allowing privilege... |
| login | CVE-2019-19882 | LOW | 1:4.5-1.1 | | shadow-utils: local users can obtain root access because setuid programs are misconfigured... |
| login | TEMP-0628843-DBAD28 | LOW | 1:4.5-1.1 | | |
| passwd | CVE-2007-5686 | LOW | 1:4.5-1.1 | | initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file,... |
| passwd | CVE-2013-4235 | LOW | 1:4.5-1.1 | | shadow-utils: TOCTOU race conditions by copying and removing directory trees |
| passwd | CVE-2018-7169 | LOW | 1:4.5-1.1 | | shadow-utils: newgidmap allows unprivileged user to drop supplementary groups potentially allowing privilege... |
| passwd | CVE-2019-19882 | LOW | 1:4.5-1.1 | | shadow-utils: local users can obtain root access because setuid programs are misconfigured... |
| passwd | TEMP-0628843-DBAD28 | LOW | 1:4.5-1.1 | | |
| perl-base | CVE-2011-4116 | LOW | 5.28.1-6+deb10u1 | | perl: File::Temp insecure temporary file handling |
| sysv-rc | TEMP-0517018-A83CE6 | LOW | 2.93-8 | | |
| sysvinit-utils | TEMP-0517018-A83CE6 | LOW | 2.93-8 | | |
| tar | CVE-2005-2541 | LOW | 1.30+dfsg-6 | | Tar 1.15.1 does not properly warn the user when extracting setuid or... |
| tar | CVE-2019-9923 | LOW | 1.30+dfsg-6 | | tar: null-pointer dereference in pax_decode_header in sparse.c |
| tar | TEMP-0290435-0B57B5 | LOW | 1.30+dfsg-6 | | |
+----------------+---------------------+----------+-------------------+---------------+--------------------------------+

$ trivy --no-progress -f json -o gl-container-scanning-report.json --input /image
2020-09-10T01:43:54.469Z INFO Detecting Debian vulnerabilities...
$ echo "This scan is currently only implemented for awareness, no pipeline actions are taken as a result of the scans"
This scan is currently only implemented for awareness, no pipeline actions are taken as a result of the scans
section_end:1599702234:step_script
section_start:1599702234:upload_artifacts_on_success
Uploading artifacts for successful job
Uploading artifacts...
gl-container-scanning-report.json: found 1 matching files and directories
Uploading artifacts as "container_scanning" to coordinator... ok  id=304889 responseStatus=201 Created token=8bjH3NQG
section_end:1599702235:upload_artifacts_on_success
Job succeeded