
Fix issue 380 #381

Merged
merged 3 commits into from
Feb 20, 2024

Conversation

mpoindexter
Contributor

Fix for #380

Contributor

@DmitriyLewen DmitriyLewen left a comment


@mpoindexter Hello!
Thanks for your work!

LGTM.
I left 1 small comment.

Regards, Dmitriy

pkg/vulnsrc/debian/debian_test.go (resolved review thread)
Contributor

@DmitriyLewen DmitriyLewen left a comment


@mpoindexter Thanks for your work!

@knqyf263 I approved this PR. Take a look, when you have time.

"gnutls28",
},
Value: &types.Advisory{
FixedVersion: "3.7.1-5+deb11u5",
Collaborator

@knqyf263 knqyf263 Feb 14, 2024


Can we remove a fixed version here? "Fixed version" in Trivy means a patch is available. This case is very tricky. There is a fixed version, but a patch is not yet distributed. I understand your approach is technically correct, but I'm concerned it would confuse existing users.

@Zircon99

Hi, do we have an ETA for when this will be ready? We have a pipeline dependent on this currently.

Thanks

@knqyf263
Collaborator

@mpoindexter Do you have time? If not, we'll take it over.

@mpoindexter
Contributor Author

Updated the PR to set the fix version to blank as requested

@knqyf263 knqyf263 merged commit 88dc646 into aquasecurity:main Feb 20, 2024
2 checks passed
@knqyf263
Collaborator

Thanks for your contribution!

@Zircon99

Hi there. I am new to this - could you kindly assist with the issue I am having?

On 7 February 2024, we ran our pipeline, with docker installing this version via apt-get - "libgnutls30=3.7.1-5+deb11u3". It worked fine.

On 15 February 2024 we ran the same pipeline with the same settings, and it failed with exit code 100. I presume now that this means that the version tag "3.7.1-5+deb11u3" does not exist anymore - is that correct?

I consequently used this thread to determine what would be the correct version tag to use: https://avd.aquasec.com/nvd/2024/cve-2024-0567/

I tried "libgnutls30=3.7.1-5+deb11u4" - it does appear to install this version, however Trivy flags a vulnerability.

I then tried "libgnutls30=3.7.1-5+deb11u5" - exit code 100 - it does not appear that this version currently exists? In this context I am somewhat new to this - could you kindly explain if/when this will be ready for us, and will effectively address the above vulnerability?

Finally, I do see mention made of libgnutls28 instead of 30 in various threads and instances. Is it correct for me to use "libgnutls30=3.7.1-5+deb11u5" or "libgnutls28=3.7.1-5+deb11u5" - note the difference 28/30?

Thank you
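As an added example (not the project's code, and not from anyone in this thread), the script below ports dpkg's version ordering to Python and applies the FixedVersion semantics knqyf263 describes to the versions the reporter tried: with the fixed version advertised as "3.7.1-5+deb11u5" (the first revision of this PR), a host on deb11u4 is told to upgrade to a package it cannot install yet; with the fixed version blank (as merged), it is reported as affected with no fix distributed. The function names and verdict strings are this example's own.

```python
import re
from itertools import zip_longest


def _weight(c):
    """dpkg order of a non-digit char: '~' < end of string (None) < letters < others."""
    if c is None:
        return 0
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256


def _cmp_component(a, b):
    """Port of dpkg's verrevcmp: compare (non-digit run, digit run) pairs in
    lockstep, non-digit runs by _weight and digit runs numerically."""
    pairs = [re.findall(r"(\D*)(\d*)", s) for s in (a, b)]
    for (xa, da), (xb, db) in zip_longest(*pairs, fillvalue=("", "")):
        for ca, cb in zip_longest(xa, xb):
            if d := _weight(ca) - _weight(cb):
                return d
        if d := int(da or 0) - int(db or 0):
            return d
    return 0


def compare_debian(a, b):
    """Order two versions of the form [epoch:]upstream[-revision] like dpkg."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, revision = rest.rpartition("-")
        if not sep:
            upstream, revision = rest, ""
        return int(epoch), upstream, revision

    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    return (ea - eb) or _cmp_component(ua, ub) or _cmp_component(ra, rb)


def evaluate(installed, fixed_version):
    """Scanner verdict under the FixedVersion semantics settled in this PR:
    an empty FixedVersion means no patched package is distributed yet."""
    if not fixed_version:
        return "affected, no fixed package distributed yet"
    if compare_debian(installed, fixed_version) >= 0:
        return "not affected"
    return f"affected, upgrade to {fixed_version}"
```

Calling evaluate("3.7.1-5+deb11u4", "3.7.1-5+deb11u5") yields the upgrade advice that confused the reporter, while evaluate("3.7.1-5+deb11u4", "") reports that no fixed package is distributed yet.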
