False positive: CVE-2024-1233, CVE-2023-6263, CVE-2024-5971, CVE-2024-7885 on jar file

[sekveaja]

Description

We have a custom container that include a jar file where it contains libraries of RedHat Jboss 7.4.19 e.g.
jboss-client-7.4.19.jar

When running the scan, we get reported of these CVEs: CVE-2024-1233, CVE-2023-6236, CVE-2024-5971, CVE-2024-7885
However, these issues are fixed according to Red Hat Security Advisory (RHSA):
CVE-2024-1233 is fixed in EAP 7.4.17 as per https://access.redhat.com/articles/7063150
CVE-2023-6236 not affected for JBOSS EAP 7 reference https://access.redhat.com/security/cve/CVE-2023-6236
CVE-2024-5971 is fixed in EAP 7.4.18 as per https://access.redhat.com/articles/7073034
CVE-2024-7885 is fixed in EAP 7.4.19 as per https://access.redhat.com/articles/7081937

Note: jboss-client-7.4.19.jar file was included in one of a customed rpm.

Desired Behavior

Since all these CVE has been already fixed from current and previous version of Red Hat JBoss EAP 7.4.x.
We expect the tool not to report it.
But it is not the case.

Actual Behavior

In a normal behavior, if we install Jboss EAP 7.4.19 packages via package manager rpm, yum,....
I believe, Trivy would have reference to the backport fixed from OS provider and will not report these CVE.

But in this case, libraries are in a JAR file.
Package (rpm) that contain this JAR file is a customed rpm which is not RedHat Jboss naming and release convention.
However, Trivy is able to see which library in the JAR file is potentially affected, since it reports the specific library.
i.e

      "VulnerabilityID": "CVE-2024-1233",
      "PkgName": "org.wildfly.security:wildfly-elytron-realm-token",
      "PkgPath": "<custom_path>/jms/lib/jboss-client-7.4.19.jar",
      "PkgIdentifier": {
        "PURL": "pkg:maven/org.wildfly.security/[email protected]",
        "UID": "65101cb8fbd00059"
      },
      "InstalledVersion": "1.15.23.Final-redhat-00001",
      "Status": "affected",

It is good to able to pinpoint the issue in the Jar file. But, it seems to miss the backport context from the OS provider.
If it takes only NVD and GHSA input, it will always generate CVE no matter backport has done in earlier version.

Q1: Can you please confirm, if Trivy support backport verification when libraries are in a jar file, zip file?

Q2: What is the suggestion to eliminate these false positive?

Reproduction Steps

The above CVEs are related to different library.
But let's take one example as it is all related to the same issue.

According to  RHSA CVE-2024-1233
Patch for this CVE is applied from version eap7-wildfly-elytron-1.15.23-2.Final_redhat_00001.1.el7eap.noarch.rpm

See with this link: https://access.redhat.com/errata/RHSA-2024:3559

=== NOTE: RedHat Jboss EAP is commercial product ====

1)  Get the RPM and extract the content 
    eap7-wildfly-elytron-1.15.23-2.Final_redhat_00001.1.el7eap.noarch.rpm

2)  Create a jar that include contents from step 1.

3)  Create a custom package that include jar in step 2

4)  Create an image that install custom rpm in step 3

5)  Test Trivy

Target

Container Image

Scanner

Vulnerability

Output Format

JSON

Mode

Standalone

Debug Output

{
          "VulnerabilityID": "CVE-2024-1233",
          "PkgName": "org.wildfly.security:wildfly-elytron-realm-token",
          "PkgPath": "<Custom_path>/jms/lib/jboss-client-7.4.19.jar",
          "PkgIdentifier": {
            "PURL": "pkg:maven/org.wildfly.security/[email protected]",
            "UID": "65101cb8fbd00059"
          },
          "InstalledVersion": "1.15.23.Final-redhat-00001",
          "Status": "affected",
          "Layer": {
            "DiffID": "sha256:05bb3852c53abd74aeffad15460b10da55b40340ed9fa27dbc3bf6a2f41339fa"
          },
          "SeveritySource": "ghsa",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-1233",
          "DataSource": {https://github.com/wildfly-security/wildfly-elytron
            "ID": "ghsa",
            "Name": "GitHub Security Advisory Maven",
            "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven"
          },
          "Title": "EAP: wildfly-elytron has a SSRF security issue",
          "Description": "A flaw was found in` JwtValidator.resolvePublicKey` in JBoss EAP, where the validator checks jku and sends a HTTP request. During this process, no whitelisting or other filtering behavior is performed on the destination URL address, which may result in a server-side request forgery (SSRF) vulnerability.",
          "Severity": "HIGH",
          "CweIDs": [
            "CWE-918"
          ],
          },
          "References": [
            "https://access.redhat.com/errata/RHSA-2024:3559", 
            "https://access.redhat.com/errata/RHSA-2024:3560",
            "https://access.redhat.com/errata/RHSA-2024:3561",
            "https://access.redhat.com/errata/RHSA-2024:3563",
            "https://access.redhat.com/errata/RHSA-2024:3580",
            "https://access.redhat.com/errata/RHSA-2024:3581",
            "https://access.redhat.com/errata/RHSA-2024:3583",
            "https://access.redhat.com/security/cve/CVE-2024-1233",
            "https://bugzilla.redhat.com/show_bug.cgi?id=2262849",
            "https://github.com/advisories/GHSA-v4mm-q8fv-r2w5",
            "https://github.com/wildfly-security/wildfly-elytron",
            "https://github.com/wildfly/wildfly/commit/aa151a00d75d6dbc4a1bf1b68d58b9de3087bb62",            
   "https://github.com/wildfly/wildfly/pull/17812/commits/0c02350bc0d84287bed46e7c32f90b36e50d3523",
            "https://issues.redhat.com/browse/WFLY-19226",
            "https://nvd.nist.gov/vuln/detail/CVE-2024-1233",
            "https://www.cve.org/CVERecord?id=CVE-2024-1233"

Operating System

Red Hat 8.7

Version

Version: 0.59.1

Checklist

• Run trivy clean --all
• Read the troubleshooting

[DmitriyLewen]

Hello @sekveaja
Thanks for your report!

If package contains jar file and installed from rpm - Trivy skips this jar file - https://trivy.dev/latest/docs/scanner/vulnerability/#handling-software-installed-via-os-packages

But if jar file doesn't relate with rpm package - Trivy checks this file as regular jar file.

Q1: Can you please confirm, if Trivy support backport verification when libraries are in a jar file, zip file?

Trivy doesn't support that.

Q2: What is the suggestion to eliminate these false positive?

You can use one (or multiple) filtering options - https://trivy.dev/latest/docs/configuration/filtering/
I think that VEX will be good for you.

[sekveaja]

@DmitriyLewen

Thank you to confirm that Trivy does not support backported verification inside the Jar file.

When you say:
If package contains jar file and installed from rpm - Trivy skips this jar file -

It is our case, we have custom rpm that has jar and the rpm was install by package manager.
The observed behavior, Trivy is not really skipping the jar.
As you see here in the debug output

      "VulnerabilityID": "CVE-2024-1233",
      "PkgName": "org.wildfly.security:wildfly-elytron-realm-token",
      "PkgPath": "<Custom_path>/jms/lib/jboss-client-7.4.19.jar",
      "PkgIdentifier": {
        "PURL": "pkg:maven/org.wildfly.security/[email protected]",

The pkgName org.wildfly.security:wildfly-elytron-realm-token and PURL has information in the jboss-client-7.4.19.jar
If we look inside the jar file:
$ find . | grep realm-token
./META-INF/maven/org.wildfly.security/wildfly-elytron-realm-token
./META-INF/maven/org.wildfly.security/wildfly-elytron-realm-token/pom.xml
./META-INF/maven/org.wildfly.security/wildfly-elytron-realm-token/pom.properties

 $ cat ./META-INF/maven/org.wildfly.security/wildfly-elytron-realm-token/pom.properties
  #Created by Apache Maven 3.3.9
  groupId=org.wildfly.security
  artifactId=wildfly-elytron-realm-token
  version=1.15.23.Final-redhat-00001

It looks like, it is scanning and find CVE by verify version against the upstream advisories.
Therefore, it is not skipping, that is why I confuse, when you said: Trivy skips this jar file

From the link that you send:
https://trivy.dev/latest/docs/scanner/vulnerability/#handling-software-installed-via-os-packages
It said:
if a JAR file is present in a container image, if it was installed via an OS package manager (e.g., apt), Trivy will not analyze the
JAR file itself and use upstream security advisories.

Can you please explain this statement also?
Trivy will not analyze the JAR file itself and use upstream security advisories.

Is it the behavior that I observed above?

Unfortunately, the example given from the link above is PKG-INFO, it is understood for that example as it i related to Python package.

Thank you so much in advance!

[DmitriyLewen]

rpm package should contain this jar file.
you can check this with rpm command.
e.g.:

[root@f070fcfb98d1 /]# rpm -qa | grep bash
bash-5.1.8-9.el9.aarch64
[root@f070fcfb98d1 /]# rpm -ql bash-5.1.8-9.el9.aarch64
/etc/skel/.bash_logout
/etc/skel/.bash_profile
/etc/skel/.bashrc
...