Running with gitlab-runner 13.1.0 (6214287e)
  on p1-public-apps-runner-gitlab-runner-77cb6b657c-vdcxv 1wxxGLSt
Preparing the "kubernetes" executor
Using Kubernetes namespace: public-gitlab-runner
Using Kubernetes executor with image aquasec/trivy:0.9.0 ...
Preparing environment
Waiting for pod public-gitlab-runner/runner-1wxxglst-project-1907-concurrent-0pphcf to be running, status is Pending
Running on runner-1wxxglst-project-1907-concurrent-0pphcf via p1-public-apps-runner-gitlab-runner-77cb6b657c-vdcxv...
Getting source from Git repository
Fetching changes with git depth set to 50...
Initialized empty Git repository in /builds/platform-one/apps/mongodb-sharded/.git/
Created fresh repository.
Checking out 054b5a1a as 4.2.9-debian-10-r0...
Skipping Git submodules setup
Executing "step_script" stage of the job script
$ apk add skopeo
fetch http://dl-cdn.alpinelinux.org/alpine/v3.11/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.11/community/x86_64/APKINDEX.tar.gz
(1/26) Installing device-mapper-libs (2.02.186-r0)
(2/26) Installing libgpg-error (1.36-r2)
(3/26) Installing libassuan (2.5.3-r0)
(4/26) Installing libffi (3.2.1-r6)
(5/26) Installing libblkid (2.34-r1)
(6/26) Installing libmount (2.34-r1)
(7/26) Installing pcre (8.43-r0)
(8/26) Installing glib (2.62.6-r0)
(9/26) Installing ncurses-terminfo-base (6.1_p20200118-r4)
(10/26) Installing ncurses-libs (6.1_p20200118-r4)
(11/26) Installing libgcrypt (1.8.5-r0)
(12/26) Installing libsecret (0.19.1-r0)
(13/26) Installing pinentry (1.1.0-r2)
Executing pinentry-1.1.0-r2.post-install
(14/26) Installing gmp (6.1.2-r1)
(15/26) Installing nettle (3.5.1-r0)
(16/26) Installing p11-kit (0.23.18.1-r0)
(17/26) Installing libtasn1 (4.15.0-r0)
(18/26) Installing libunistring (0.9.10-r0)
(19/26) Installing gnutls (3.6.15-r0)
(20/26) Installing libksba (1.3.5-r0)
(21/26) Installing libsasl (2.1.27-r5)
(22/26) Installing libldap (2.4.48-r2)
(23/26) Installing npth (1.6-r0)
(24/26) Installing gnupg (2.2.19-r0)
(25/26) Installing gpgme (1.13.1-r1)
(26/26) Installing skopeo (0.1.40-r1)
Executing busybox-1.31.1-r9.trigger
OK: 79 MiB in 64 packages
$ skopeo copy --screds $CI_REGISTRY_USER:$CI_REGISTRY_PASSWORD docker://$IMAGE:$CI_COMMIT_SHORT_SHA oci:/image
Getting image source signatures
Copying blob sha256:522a7372a4aea514c26dd3402b14ff4de654010c3352b252b6e3974c44215d5d
Copying blob sha256:196aa05947cd59cf100149da32db174329cde0ca3fa000042880e1e997e1889a
Copying blob sha256:224846d975780406a7a709a51934617ccb36ec1b754cb9114fed16431cd29cd0
Copying blob sha256:7d454e325acb4cfb5b4e0ea9314824a2323645db3aff8cc790a0e0429aff4fee
Copying blob sha256:828f509039621c754534b640e1bce0d089fc9b8aa1a6845b33c6dc2eb6b7a436
Copying blob sha256:585926eda0983ff0664e1f33976dd5c7ac45c85db13210c415099d4c83ef6840
Copying blob sha256:ebf1b2fbcba70dbc01fe43c4e2e9aa95d16feff9b99a9570df6a30a4e6d078f0
Copying blob sha256:8656945817ace15ff57853d6e8b7a13c7c7649e833fabda1106708a76d267923
Copying blob sha256:5ab65bc09ad29c21a61d4dc56d46a5196d445f14209838b55e7ed88ce031372e
Copying blob sha256:37f4fa9c56424c0e47991a50e48051b52c40fd50cb9cbd52f657ae0a6b4146b1
Copying blob sha256:a818d91a87841dc1773b0fee218973d4875f545d35f8a8ab08fee795d54b6045
Copying blob sha256:8186b2a02756a785b60aa02422acf7551f0438995d5eda253aaf52896f1e1a5b
Copying blob sha256:faa9ae79943504e4d5af290420be55a5b3ef46dd75cff2c9d3bc315f96ac6b73
Copying blob sha256:c233536c65f81609e2bc77f5f62e97c5c45447c3c0a84f820e4fccc1b22eeb7d
Copying blob sha256:cbaac2c711bc55d30dc0cdfdf3569c2d3095ec634f011a05531065a4faea6a02
Copying config sha256:719119e76048a6218fd51acf94c64ae5f5d918709721bd0ba759134a00e12693
Writing manifest to image destination
Storing signatures
$ trivy --no-progress --input /image
2020-09-10T01:48:15.850Z	INFO	Need to update DB
2020-09-10T01:48:15.850Z	INFO	Downloading DB...
2020-09-10T01:48:21.227Z	INFO	Detecting Debian vulnerabilities...

/image (debian 10.5)
====================
Total: 118 (UNKNOWN: 0, LOW: 97, MEDIUM: 21, HIGH: 0, CRITICAL: 0)

| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
|---|---|---|---|---|---|
| apt | CVE-2011-3374 | LOW | 1.8.2.1 | | It was found that apt-key in apt, all versions, do not correctly... |
| bash | CVE-2019-18276 | LOW | 5.0-4 | | bash: when effective UID is not equal to its real UID the... |
| bash | TEMP-0841856-B18BAF | LOW | 5.0-4 | | |
| coreutils | CVE-2016-2781 | LOW | 8.30-3 | | coreutils: Non-privileged session can escape to the parent session in chroot |
| coreutils | CVE-2017-18018 | LOW | 8.30-3 | | coreutils: race condition vulnerability in chown and chgrp |
| curl | CVE-2020-8169 | MEDIUM | 7.64.0-4+deb10u1 | | libcurl: partial password leak over DNS on HTTP redirect |
| curl | CVE-2020-8177 | MEDIUM | 7.64.0-4+deb10u1 | | curl: Incorrect argument check can allow remote servers to overwrite local files... |
| curl | CVE-2020-8231 | LOW | 7.64.0-4+deb10u1 | | curl: Expired pointer dereference via multi API with `CURLOPT_CONNECT_ONLY` option set |
| gcc-8-base | CVE-2018-12886 | MEDIUM | 8.3.0-6 | | gcc: spilling of stack protection address in cfgexpand.c and function.c leads to... |
| gcc-8-base | CVE-2019-15847 | MEDIUM | 8.3.0-6 | | gcc: POWER9 "DARN" RNG intrinsic produces repeated output |
| gpgv | CVE-2019-14855 | LOW | 2.2.12-1+deb10u1 | | gnupg2: OpenPGP Key Certification Forgeries with SHA-1 |
| libapt-pkg5.0 | CVE-2011-3374 | LOW | 1.8.2.1 | | It was found that apt-key in apt, all versions, do not correctly... |
| libc-bin | CVE-2020-1751 | MEDIUM | 2.28-10 | | glibc: array overflow in backtrace functions for powerpc |
| libc-bin | CVE-2010-4051 | LOW | 2.28-10 | | CVE-2010-4052 glibc: De-recursivise regular expression engine |
| libc-bin | CVE-2010-4052 | LOW | 2.28-10 | | CVE-2010-4051 CVE-2010-4052 glibc: De-recursivise regular expression engine |
| libc-bin | CVE-2010-4756 | LOW | 2.28-10 | | glibc: glob implementation can cause excessive CPU and memory consumption due to... |
| libc-bin | CVE-2016-10228 | LOW | 2.28-10 | | glibc: iconv program can hang when invoked with the -c option |
| libc-bin | CVE-2018-20796 | LOW | 2.28-10 | | glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c |
| libc-bin | CVE-2019-1010022 | LOW | 2.28-10 | | glibc: stack guard protection bypass |
| libc-bin | CVE-2019-1010023 | LOW | 2.28-10 | | glibc: running ldd on malicious ELF leads to code execution because of... |
| libc-bin | CVE-2019-1010024 | LOW | 2.28-10 | | glibc: ASLR bypass using cache of thread stack and heap |
| libc-bin | CVE-2019-1010025 | LOW | 2.28-10 | | glibc: information disclosure of heap addresses of pthread_created thread |
| libc-bin | CVE-2019-19126 | LOW | 2.28-10 | | glibc: LD_PREFER_MAP_32BIT_EXEC not ignored in setuid binaries |
| libc-bin | CVE-2019-9192 | LOW | 2.28-10 | | glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c |
| libc-bin | CVE-2020-10029 | LOW | 2.28-10 | | glibc: stack corruption from crafted input in cosl, sinl, sincosl, and tanl... |
| libc-bin | CVE-2020-1752 | LOW | 2.28-10 | | glibc: use-after-free in glob() function when expanding ~user |
| libc-bin | CVE-2020-6096 | LOW | 2.28-10 | | glibc: signed comparison vulnerability in the ARMv7 memcpy function |
| libc6 | CVE-2020-1751 | MEDIUM | 2.28-10 | | glibc: array overflow in backtrace functions for powerpc |
| libc6 | CVE-2010-4051 | LOW | 2.28-10 | | CVE-2010-4052 glibc: De-recursivise regular expression engine |
| libc6 | CVE-2010-4052 | LOW | 2.28-10 | | CVE-2010-4051 CVE-2010-4052 glibc: De-recursivise regular expression engine |
| libc6 | CVE-2010-4756 | LOW | 2.28-10 | | glibc: glob implementation can cause excessive CPU and memory consumption due to... |
| libc6 | CVE-2016-10228 | LOW | 2.28-10 | | glibc: iconv program can hang when invoked with the -c option |
| libc6 | CVE-2018-20796 | LOW | 2.28-10 | | glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c |
| libc6 | CVE-2019-1010022 | LOW | 2.28-10 | | glibc: stack guard protection bypass |
| libc6 | CVE-2019-1010023 | LOW | 2.28-10 | | glibc: running ldd on malicious ELF leads to code execution because of... |
| libc6 | CVE-2019-1010024 | LOW | 2.28-10 | | glibc: ASLR bypass using cache of thread stack and heap |
| libc6 | CVE-2019-1010025 | LOW | 2.28-10 | | glibc: information disclosure of heap addresses of pthread_created thread |
| libc6 | CVE-2019-19126 | LOW | 2.28-10 | | glibc: LD_PREFER_MAP_32BIT_EXEC not ignored in setuid binaries |
| libc6 | CVE-2019-9192 | LOW | 2.28-10 | | glibc: uncontrolled recursion in function check_dst_limits_calc_pos_1 in posix/regexec.c |
| libc6 | CVE-2020-10029 | LOW | 2.28-10 | | glibc: stack corruption from crafted input in cosl, sinl, sincosl, and tanl... |
| libc6 | CVE-2020-1752 | LOW | 2.28-10 | | glibc: use-after-free in glob() function when expanding ~user |
| libc6 | CVE-2020-6096 | LOW | 2.28-10 | | glibc: signed comparison vulnerability in the ARMv7 memcpy function |
| libcurl4 | CVE-2020-8169 | MEDIUM | 7.64.0-4+deb10u1 | | libcurl: partial password leak over DNS on HTTP redirect |
| libcurl4 | CVE-2020-8177 | MEDIUM | 7.64.0-4+deb10u1 | | curl: Incorrect argument check can allow remote servers to overwrite local files... |
| libcurl4 | CVE-2020-8231 | LOW | 7.64.0-4+deb10u1 | | curl: Expired pointer dereference via multi API with `CURLOPT_CONNECT_ONLY` option set |
| libgcc1 | CVE-2018-12886 | MEDIUM | 8.3.0-6 | | gcc: spilling of stack protection address in cfgexpand.c and function.c leads to... |
| libgcc1 | CVE-2019-15847 | MEDIUM | 8.3.0-6 | | gcc: POWER9 "DARN" RNG intrinsic produces repeated output |
| libgcrypt20 | CVE-2019-12904 | MEDIUM | 1.8.4-5 | | Libgcrypt: physical addresses being available to other processes leads to a flush-and-reload... |
| libgcrypt20 | CVE-2018-6829 | LOW | 1.8.4-5 | | libgcrypt: ElGamal implementation doesn't have semantic security due to incorrectly encoded plaintexts... |
| libgcrypt20 | CVE-2019-13627 | LOW | 1.8.4-5 | | libgcrypt: ECDSA timing attack in the libgcrypt20 cryptographic library |
| libgnutls30 | CVE-2020-24659 | MEDIUM | 3.6.7-4+deb10u5 | | gnutls: Heap buffer overflow in handshake with no_renegotiation alert sent |
| libgnutls30 | CVE-2011-3389 | LOW | 3.6.7-4+deb10u5 | | HTTPS: block-wise chosen-plaintext attack against SSL/TLS (BEAST) |
| libgssapi-krb5-2 | CVE-2004-0971 | LOW | 1.17-3 | | security flaw |
| libgssapi-krb5-2 | CVE-2018-5709 | LOW | 1.17-3 | | krb5: integer overflow in dbentry->n_key_data in kadmin/dbutil/dump.c |
| libidn2-0 | CVE-2019-12290 | MEDIUM | 2.0.5-1+deb10u1 | | GNU libidn2 before 2.2.0 fails to perform the roundtrip checks specified in... |
| libk5crypto3 | CVE-2004-0971 | LOW | 1.17-3 | | security flaw |
| libk5crypto3 | CVE-2018-5709 | LOW | 1.17-3 | | krb5: integer overflow in dbentry->n_key_data in kadmin/dbutil/dump.c |
| libkrb5-3 | CVE-2004-0971 | LOW | 1.17-3 | | security flaw |
| libkrb5-3 | CVE-2018-5709 | LOW | 1.17-3 | | krb5: integer overflow in dbentry->n_key_data in kadmin/dbutil/dump.c |
| libkrb5support0 | CVE-2004-0971 | LOW | 1.17-3 | | security flaw |
| libkrb5support0 | CVE-2018-5709 | LOW | 1.17-3 | | krb5: integer overflow in dbentry->n_key_data in kadmin/dbutil/dump.c |
| libldap-2.4-2 | CVE-2015-3276 | LOW | 2.4.47+dfsg-3+deb10u2 | | openldap: incorrect multi-keyword mode cipherstring parsing |
| libldap-2.4-2 | CVE-2017-14159 | LOW | 2.4.47+dfsg-3+deb10u2 | | openldap: Privilege escalation via PID file manipulation |
| libldap-2.4-2 | CVE-2017-17740 | LOW | 2.4.47+dfsg-3+deb10u2 | | openldap: contrib/slapd-modules/nops/nops.c attempts to free stack buffer allowing remote attackers to cause... |
| libldap-2.4-2 | CVE-2020-15719 | LOW | 2.4.47+dfsg-3+deb10u2 | | openldap: Certificate validation incorrectly matches name against CN-ID |
| libldap-common | CVE-2015-3276 | LOW | 2.4.47+dfsg-3+deb10u2 | | openldap: incorrect multi-keyword mode cipherstring parsing |
| libldap-common | CVE-2017-14159 | LOW | 2.4.47+dfsg-3+deb10u2 | | openldap: Privilege escalation via PID file manipulation |
| libldap-common | CVE-2017-17740 | LOW | 2.4.47+dfsg-3+deb10u2 | | openldap: contrib/slapd-modules/nops/nops.c attempts to free stack buffer allowing remote attackers to cause... |
| libldap-common | CVE-2020-15719 | LOW | 2.4.47+dfsg-3+deb10u2 | | openldap: Certificate validation incorrectly matches name against CN-ID |
| liblz4-1 | CVE-2019-17543 | LOW | 1.8.3-1 | | lz4: heap-based buffer overflow in LZ4_write32 |
| libnghttp2-14 | TEMP-0000000-A4EF31 | LOW | 1.36.0-2+deb10u1 | | |
| libpcap0.8 | CVE-2019-15165 | LOW | 1.8.1-6 | | libpcap: Resource exhaustion while PHB header length validation |
| libpcre3 | CVE-2020-14155 | MEDIUM | 2:8.39-12 | | pcre: integer overflow in libpcre |
| libpcre3 | CVE-2017-11164 | LOW | 2:8.39-12 | | pcre: OP_KETRMAX feature in the match function in pcre_exec.c |
| libpcre3 | CVE-2017-16231 | LOW | 2:8.39-12 | | pcre: self-recursive call in match() in pcre_exec.c leads to denial of service... |
| libpcre3 | CVE-2017-7245 | LOW | 2:8.39-12 | | pcre: stack-based buffer overflow write in pcre32_copy_substring |
| libpcre3 | CVE-2017-7246 | LOW | 2:8.39-12 | | pcre: stack-based buffer overflow write in pcre32_copy_substring |
| libpcre3 | CVE-2019-20838 | LOW | 2:8.39-12 | | pcre: buffer over-read in JIT when UTF is disabled |
| libseccomp2 | CVE-2019-9893 | LOW | 2.3.3-4 | | libseccomp: incorrect generation of syscall filters in libseccomp |
| libssh2-1 | CVE-2019-13115 | MEDIUM | 1.8.0-2.1 | | libssh2: integer overflow in kex_method_diffie_hellman_group_exchange_sha256_key_exchange in kex.c leads to out-of-bounds write |
| libssh2-1 | CVE-2019-17498 | LOW | 1.8.0-2.1 | | libssh2: integer overflow in SSH_MSG_DISCONNECT logic in packet.c |
| libssl1.1 | CVE-2007-6755 | LOW | 1.1.1d-0+deb10u3 | | Dual_EC_DRBG: weak pseudo random number generator |
| libssl1.1 | CVE-2010-0928 | LOW | 1.1.1d-0+deb10u3 | | openssl: RSA authentication weakness |
| libssl1.1 | CVE-2019-1551 | LOW | 1.1.1d-0+deb10u3 | | openssl: Integer overflow in RSAZ modular exponentiation on x86_64 |
| libssl1.1 | CVE-2020-1968 | LOW | 1.1.1d-0+deb10u3 | | The Raccoon attack exploits a flaw in the TLS specification which can... |
| libstdc++6 | CVE-2018-12886 | MEDIUM | 8.3.0-6 | | gcc: spilling of stack protection address in cfgexpand.c and function.c leads to... |
| libstdc++6 | CVE-2019-15847 | MEDIUM | 8.3.0-6 | | gcc: POWER9 "DARN" RNG intrinsic produces repeated output |
| libsystemd0 | CVE-2019-3843 | MEDIUM | 241-7~deb10u4 | | systemd: services with DynamicUser can create SUID/SGID binaries |
| libsystemd0 | CVE-2019-3844 | MEDIUM | 241-7~deb10u4 | | systemd: services with DynamicUser can get new privileges and create SGID binaries... |
| libsystemd0 | CVE-2013-4392 | LOW | 241-7~deb10u4 | | systemd: TOCTOU race condition when updating file permissions and SELinux security contexts... |
| libsystemd0 | CVE-2019-20386 | LOW | 241-7~deb10u4 | | systemd: memory leak in button_open() in login/logind-button.c when udev events are received... |
| libsystemd0 | CVE-2020-13776 | LOW | 241-7~deb10u4 | | systemd: mishandles numerical usernames beginning with decimal digits or 0x followed by... |
| libtasn1-6 | CVE-2018-1000654 | LOW | 4.13-3 | | libtasn1: Infinite loop in _asn1_expand_object_id(ptree) leads to memory exhaustion |
| libudev1 | CVE-2019-3843 | MEDIUM | 241-7~deb10u4 | | systemd: services with DynamicUser can create SUID/SGID binaries |
| libudev1 | CVE-2019-3844 | MEDIUM | 241-7~deb10u4 | | systemd: services with DynamicUser can get new privileges and create SGID binaries... |
| libudev1 | CVE-2013-4392 | LOW | 241-7~deb10u4 | | systemd: TOCTOU race condition when updating file permissions and SELinux security contexts... |
| libudev1 | CVE-2019-20386 | LOW | 241-7~deb10u4 | | systemd: memory leak in button_open() in login/logind-button.c when udev events are received... |
| libudev1 | CVE-2020-13776 | LOW | 241-7~deb10u4 | | systemd: mishandles numerical usernames beginning with decimal digits or 0x followed by... |
| login | CVE-2007-5686 | LOW | 1:4.5-1.1 | | initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file,... |
| login | CVE-2013-4235 | LOW | 1:4.5-1.1 | | shadow-utils: TOCTOU race conditions by copying and removing directory trees |
| login | CVE-2018-7169 | LOW | 1:4.5-1.1 | | shadow-utils: newgidmap allows unprivileged user to drop supplementary groups potentially allowing privilege... |
| login | CVE-2019-19882 | LOW | 1:4.5-1.1 | | shadow-utils: local users can obtain root access because setuid programs are misconfigured... |
| login | TEMP-0628843-DBAD28 | LOW | 1:4.5-1.1 | | |
| openssl | CVE-2007-6755 | LOW | 1.1.1d-0+deb10u3 | | Dual_EC_DRBG: weak pseudo random number generator |
| openssl | CVE-2010-0928 | LOW | 1.1.1d-0+deb10u3 | | openssl: RSA authentication weakness |
| openssl | CVE-2019-1551 | LOW | 1.1.1d-0+deb10u3 | | openssl: Integer overflow in RSAZ modular exponentiation on x86_64 |
| openssl | CVE-2020-1968 | LOW | 1.1.1d-0+deb10u3 | | The Raccoon attack exploits a flaw in the TLS specification which can... |
| passwd | CVE-2007-5686 | LOW | 1:4.5-1.1 | | initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file,... |
| passwd | CVE-2013-4235 | LOW | 1:4.5-1.1 | | shadow-utils: TOCTOU race conditions by copying and removing directory trees |
| passwd | CVE-2018-7169 | LOW | 1:4.5-1.1 | | shadow-utils: newgidmap allows unprivileged user to drop supplementary groups potentially allowing privilege... |
| passwd | CVE-2019-19882 | LOW | 1:4.5-1.1 | | shadow-utils: local users can obtain root access because setuid programs are misconfigured... |
| passwd | TEMP-0628843-DBAD28 | LOW | 1:4.5-1.1 | | |
| perl-base | CVE-2011-4116 | LOW | 5.28.1-6+deb10u1 | | perl: File::Temp insecure temporary file handling |
| sysv-rc | TEMP-0517018-A83CE6 | LOW | 2.93-8 | | |
| sysvinit-utils | TEMP-0517018-A83CE6 | LOW | 2.93-8 | | |
| tar | CVE-2005-2541 | LOW | 1.30+dfsg-6 | | Tar 1.15.1 does not properly warn the user when extracting setuid or... |
| tar | CVE-2019-9923 | LOW | 1.30+dfsg-6 | | tar: null-pointer dereference in pax_decode_header in sparse.c |
| tar | TEMP-0290435-0B57B5 | LOW | 1.30+dfsg-6 | | |

$ trivy --no-progress -f json -o gl-container-scanning-report.json --input /image
2020-09-10T01:48:21.279Z	INFO	Detecting Debian vulnerabilities...
$ echo "This scan is currently only implemented for awareness, no pipeline actions are taken as a result of the scans"
This scan is currently only implemented for awareness, no pipeline actions are taken as a result of the scans
Uploading artifacts for successful job
Uploading artifacts...
gl-container-scanning-report.json: found 1 matching files and directories
Uploading artifacts as "container_scanning" to coordinator... ok  id=304893 responseStatus=201 Created token=BXd_agpR
Job succeeded