[REQ] support for app-level patching #147

@sherifkayad

Description

What is your question?

Hey there 👋 .. First of all, thanks for this great project! .. I was just curious whether there's a plan to also (maybe conditionally) support patching application-specific dependencies and not only OS-level dependencies.

Some background / example context: a Spring Boot app that's running on eclipse-temurin:17-jre-alpine might have the list of vulnerabilities below:

myregistry.com/some-app:latest (alpine 3.17.3)

Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 0, CRITICAL: 0)

┌────────────┬───────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│  Library   │ Vulnerability │ Severity │ Installed Version │ Fixed Version │                           Title                            │
├────────────┼───────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ libcrypto3 │ CVE-2023-1255 │ MEDIUM   │ 3.0.8-r3          │ 3.0.8-r4      │ Input buffer over-read in AES-XTS implementation on 64 bit │
│            │               │          │                   │               │ ARM                                                        │
│            │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-1255                  │
├────────────┤               │          │                   │               │                                                            │
│ libssl3    │               │          │                   │               │                                                            │
│            │               │          │                   │               │                                                            │
│            │               │          │                   │               │                                                            │
└────────────┴───────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘
2023-05-12T17:08:53.318+0200    INFO    Table result includes only package filenames. Use '--format json' option to get the full path to the package file.

Java (jar)

Total: 8 (UNKNOWN: 0, LOW: 0, MEDIUM: 5, HIGH: 1, CRITICAL: 2)

┌──────────────────────────────────────────────────┬──────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│                     Library                      │  Vulnerability   │ Severity │ Installed Version │ Fixed Version │                            Title                             │
├──────────────────────────────────────────────────┼──────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ org.springframework:spring-web (application.jar) │ CVE-2016-1000027 │ CRITICAL │ 5.3.27            │ 6.0.0         │ spring: HttpInvokerServiceExporter readRemoteInvocation      │
│                                                  │                  │          │                   │               │ method untrusted java deserialization                        │
│                                                  │                  │          │                   │               │ https://avd.aquasec.com/nvd/cve-2016-1000027                 │
├──────────────────────────────────────────────────┼──────────────────┤          ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ org.yaml:snakeyaml (application.jar)             │ CVE-2022-1471    │          │ 1.30              │ 2.0           │ Constructor Deserialization Remote Code Execution            │
│                                                  │                  │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-1471                    │
│                                                  ├──────────────────┼──────────┤                   ├───────────────┼──────────────────────────────────────────────────────────────┤
│                                                  │ CVE-2022-25857   │ HIGH     │                   │ 1.31          │ Denial of Service due to missing nested depth limitation for │
│                                                  │                  │          │                   │               │ collections                                                  │
│                                                  │                  │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-25857                   │
│                                                  ├──────────────────┼──────────┤                   │               ├──────────────────────────────────────────────────────────────┤
│                                                  │ CVE-2022-38749   │ MEDIUM   │                   │               │ Uncaught exception in                                        │
│                                                  │                  │          │                   │               │ org.yaml.snakeyaml.composer.Composer.composeSequenceNode     │
│                                                  │                  │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-38749                   │
│                                                  ├──────────────────┤          │                   │               ├──────────────────────────────────────────────────────────────┤
│                                                  │ CVE-2022-38750   │          │                   │               │ Uncaught exception in                                        │
│                                                  │                  │          │                   │               │ org.yaml.snakeyaml.constructor.BaseConstructor.constructObj- │
│                                                  │                  │          │                   │               │ ect                                                          │
│                                                  │                  │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-38750                   │
│                                                  ├──────────────────┤          │                   │               ├──────────────────────────────────────────────────────────────┤
│                                                  │ CVE-2022-38751   │          │                   │               │ Uncaught exception in                                        │
│                                                  │                  │          │                   │               │ java.base/java.util.regex.Pattern$Ques.match                 │
│                                                  │                  │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-38751                   │
│                                                  ├──────────────────┤          │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
│                                                  │ CVE-2022-38752   │          │                   │ 1.32          │ Uncaught exception in java.base/java.util.ArrayList.hashCode │
│                                                  │                  │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-38752                   │
│                                                  ├──────────────────┤          │                   │               ├──────────────────────────────────────────────────────────────┤
│                                                  │ CVE-2022-41854   │          │                   │               │ DoS via stack overflow                                       │
│                                                  │                  │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-41854                   │
└──────────────────────────────────────────────────┴──────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘

With Copa, I am so glad that I can get libcrypto3 & libssl3 patched and hence have no base image vulnerabilities anymore. However, what about the lovely snakeyaml in my application? 😄 .. Despite using the latest (or maybe I could say fairly new) version of the Spring Boot framework, the upstream project didn't update the vulnerable library .. soooo
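A check a practitioner will want after reading the report above: given a Trivy JSON report (`trivy image --format json`), separate the findings Copa acts on (OS packages with a fixed version available, Trivy `Class: os-pkgs`) from the findings that survive a Copa run (language packages inside the jar, `Class: lang-pkgs`, plus OS findings with no fix yet), and compute per package the version the application has to be rebuilt with. This is an added example, not code from the issue or from the Copa project; the embedded report is constructed by hand to mirror the two tables in the issue and is trimmed to the Trivy JSON fields the code reads (`Results[].Class`, `Results[].Target`, `Vulnerabilities[].VulnerabilityID/PkgName/InstalledVersion/FixedVersion/Severity`). The function names are this example's own.

```python
"""Split a Trivy JSON report into Copa-patchable and residual findings."""
import json


def _vuln(vid, pkg, installed, fixed, severity):
    # Helper to keep the constructed sample report short.
    return {"VulnerabilityID": vid, "PkgName": pkg, "InstalledVersion": installed,
            "FixedVersion": fixed, "Severity": severity}


# Constructed sample (not real scanner output); values mirror the issue's tables.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "myregistry.com/some-app:latest",
    "Results": [
        {"Target": "myregistry.com/some-app:latest (alpine 3.17.3)",
         "Class": "os-pkgs", "Type": "alpine",
         "Vulnerabilities": [
             _vuln("CVE-2023-1255", "libcrypto3", "3.0.8-r3", "3.0.8-r4", "MEDIUM"),
             _vuln("CVE-2023-1255", "libssl3", "3.0.8-r3", "3.0.8-r4", "MEDIUM"),
         ]},
        {"Target": "application.jar", "Class": "lang-pkgs", "Type": "jar",
         "Vulnerabilities": [
             _vuln("CVE-2016-1000027", "org.springframework:spring-web", "5.3.27", "6.0.0", "CRITICAL"),
             _vuln("CVE-2022-1471", "org.yaml:snakeyaml", "1.30", "2.0", "CRITICAL"),
             _vuln("CVE-2022-25857", "org.yaml:snakeyaml", "1.30", "1.31", "HIGH"),
             _vuln("CVE-2022-38749", "org.yaml:snakeyaml", "1.30", "1.31", "MEDIUM"),
             _vuln("CVE-2022-38750", "org.yaml:snakeyaml", "1.30", "1.31", "MEDIUM"),
             _vuln("CVE-2022-38751", "org.yaml:snakeyaml", "1.30", "1.31", "MEDIUM"),
             _vuln("CVE-2022-38752", "org.yaml:snakeyaml", "1.30", "1.32", "MEDIUM"),
             _vuln("CVE-2022-41854", "org.yaml:snakeyaml", "1.30", "1.32", "MEDIUM"),
         ]},
    ],
})


def split_report(report_json):
    """Return (patchable, residual).

    patchable: OS-package findings that carry a FixedVersion, i.e. what a
               `copa patch` run against this report can fix in place.
    residual:  language-package findings (jar, npm, ...) and OS findings with
               no fix yet; these are still present after Copa and need an
               application rebuild with upgraded dependencies.
    """
    report = json.loads(report_json)
    patchable, residual = [], []
    for result in report.get("Results", []):
        klass = result.get("Class")
        for v in result.get("Vulnerabilities") or []:
            finding = {
                "id": v["VulnerabilityID"], "pkg": v["PkgName"],
                "installed": v.get("InstalledVersion"),
                "fixed": v.get("FixedVersion") or None,   # Trivy emits "" when unfixed
                "severity": v.get("Severity"), "class": klass,
                "target": result.get("Target"),
            }
            (patchable if klass == "os-pkgs" and finding["fixed"] else residual).append(finding)
    return patchable, residual


def _version_key(ver):
    # Dotted/dashed numeric compare: fine for the Maven-style versions here,
    # not a general-purpose version parser (non-numeric parts sort as 0).
    return tuple(int(p) if p.isdigit() else 0 for p in ver.replace("-", ".").split("."))


def required_upgrades(findings):
    """Per package, the highest FixedVersion across its findings: the version
    the app must be rebuilt with to clear every listed CVE at once.
    Trivy may list several fixed versions as "1.31, 2.0"; each is considered."""
    best = {}
    for f in findings:
        for ver in (f["fixed"] or "").split(","):
            ver = ver.strip()
            if ver and (f["pkg"] not in best or _version_key(ver) > _version_key(best[f["pkg"]])):
                best[f["pkg"]] = ver
    return best


if __name__ == "__main__":
    patchable, residual = split_report(SAMPLE_REPORT)
    print(f"Copa can patch {len(patchable)} OS findings; {len(residual)} remain:")
    for pkg, ver in required_upgrades(residual).items():
        print(f"  rebuild with {pkg} >= {ver}")
```

Run it against a real report with `trivy image --format json -o report.json <image>` and `split_report(open("report.json").read())`; the residual list is exactly the set of findings the issue is asking Copa to take on. Note that `required_upgrades` only tells you the version Trivy's fixed-version field names; whether a Spring Boot build can take snakeyaml 2.0 without code changes is a separate compatibility question.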

Metadata

Assignees

No one assigned

    Labels

    enhancement: New feature or request
    needs-design: This issue requires a design to be finalized
    request: Specifically requested by a user or customer

    Type

    No type

    Projects

    Status

    🏗 In progress

    Relationships

    None yet

    Development

    No branches or pull requests