Issue
I have a docker image, based on Ubuntu 23.04. Running docker scout cves shows, amongst other things, a couple of critical vulnerabilities in a file stdlib 1.19.4 from a package pkg:golang/stdlib@1.19.4 (CVE-2023-24540 and CVE-2023-24538).
The trouble is, I have absolutely no idea where this package comes from. I'm not using the Go language in any of my own code. I can't find the package in dpkg.log. If I run through all my apt commands manually, it doesn't appear in the output. Running through the tree of affected packages in Docker Desktop, I can't see it there either – although it would be easy to miss.
Short of doing a binary chop on my Dockerfile until the vulnerabilities go away, can anyone explain a systematic way to find out which command caused this package to be installed?
Addendum: As requested - here is a Dockerfile with all the installation commands but none of my own code:
# Start with a base Ubuntu image
FROM ubuntu:23.04
ARG xdebug
# Prevent any prompts during installation
ENV DEBIAN_FRONTEND=noninteractive
# Set up apt with any additional repositories we need
RUN apt-get update
RUN apt-get install -y software-properties-common
RUN add-apt-repository ppa:maxmind/ppa
RUN apt-get update --fix-missing
RUN apt upgrade -y
# Install Apache and various other packages.
RUN apt-get install -y apache2
RUN apt-get install -y vim cron geoipupdate git logrotate mysql-client openssh-server redis rsync supervisor unzip zip
# Note: the package is python3-tqdm (a typo, python3.tqdm, in the pasted file would make apt-get fail with "Unable to locate package")
RUN apt-get install -y python3-pip python3-dev python3-setuptools python3-numpy python3-pandas python3-yaml python3-click python3-dotenv python3-mysql.connector python3-tqdm
RUN apt-get install -y gcc make dnsutils ncdu lsof
# Configure any Apache modules that weren't in the default
RUN cp /etc/apache2/mods-available/rewrite.load /etc/apache2/mods-enabled
RUN cp /etc/apache2/mods-available/expires.load /etc/apache2/mods-enabled
RUN cp /etc/apache2/mods-available/authz_groupfile.load /etc/apache2/mods-enabled
RUN cp /etc/apache2/mods-available/headers.load /etc/apache2/mods-enabled/
RUN cp /etc/apache2/mods-available/ssl.load /etc/apache2/mods-enabled
RUN cp /etc/apache2/mods-available/socache_shmcb.load /etc/apache2/mods-enabled
RUN cp /etc/apache2/mods-available/ssl.conf /etc/apache2/mods-enabled
# Suppress Apache warning on being unable to determine the fully qualified domain name
RUN echo "ServerName localhost">>/etc/apache2/apache2.conf
# Install PHP and plumb into Apache
RUN apt-get update --fix-missing
RUN apt-get install -y php8.1 php8.1-curl php8.1-gd php8.1-gettext php8.1-gmp php8.1-iconv php8.1-imap php8.1-intl php8.1-mbstring php8.1-mysql php8.1-oauth php8.1-redis php8.1-xml php8.1-yaml php8.1-zip
RUN if [ "$xdebug" = "with" ] ; then apt-get install -y php8.1-xdebug ; fi
RUN apt-get install -y libapache2-mod-php8.1
# The bcmath extension seems to have problems when installed in line with the other PHP modules, as of 2022-07-18
RUN apt-get update --fix-missing
RUN apt-get install -y php8.1-bcmath
# Install locales
RUN apt-get install -y locales
RUN locale-gen en_GB
RUN locale-gen en_GB.UTF-8
RUN locale-gen de_DE
RUN locale-gen de_DE.UTF-8
RUN locale-gen es_ES
RUN locale-gen es_ES.UTF-8
RUN locale-gen fr_FR
RUN locale-gen fr_FR.UTF-8
RUN locale-gen it_IT
RUN locale-gen it_IT.UTF-8
RUN update-locale
Solution
From the desktop view it's a little more obvious than from the terminal, imho.
Desktop view
If you look at the view for the image built from your Dockerfile, you can see these little icons on the right. A green one means it's all good; red and yellow in different shades mean a vulnerability was introduced in that layer.
Now, if you click one of them, it will show you which vulnerability was introduced there, on the right side, aka the detail view:
Now in your case it's a little more difficult because you add multiple packages in one layer. However, in this case we're looking for Go-based software, so out of the list in this layer (vim cron geoipupdate git logrotate mysql-client openssh-server redis rsync supervisor unzip zip) that should only be geoipupdate.
On a better maintained package you'd see a disclaimer or something else under the security tab on the GitHub page, which apparently isn't the case here. Nevertheless, if you look into the go.mod you can see that it's using a version of Go that is vulnerable. A given fix for this would be https://github.com/maxmind/geoipupdate/pull/251 (note that I still need to fix the tests for that, but it's good enough for showcasing for now).
Terminal
In the terminal you can use the --locations flag like so:
$ docker scout cves --locations cve-test:latest
INFO New version 0.22.3 available (installed version is 0.20.0)
✓ SBOM of image already cached, 847 packages indexed
✗ Detected 7 vulnerable packages with a total of 32 vulnerabilities
2C 10H 3M 0L stdlib 1.19.4
pkg:golang/stdlib@1.19.4
14: sha256:5d1e732cad3b228fd22501a92e270e61fd1e7a45faee63176660a3a77b63cab6
/usr/bin/geoipupdate
✗ CRITICAL CVE-2023-24540
https://scout.docker.com/v/CVE-2023-24540
Affected range : <1.19.9
Fixed version : 1.19.9
This way it will print out where the issue is coming from, which in this case would have pointed you to the same package again. The number and hash are actually the layer where it's introduced. Again, once you've looked at the desktop output before, it makes more sense. There you can see too that it's layer 14 where the issue is introduced.
Answered By - Rick Rackow Answer Checked By - Mildred Charles (WPSolving Admin)
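As an added example that is not part of the original question or answer, and not code from the geoipupdate or Docker Scout projects: a small Go program that walks the directories you pass it and reports every Go-built binary together with the toolchain version the Go linker embedded in it. That embedded build information is what makes a scanner report a pkg:golang/stdlib package for /usr/bin/geoipupdate even though nothing in the Dockerfile installs Go; `go version -m <file>` prints the same data without any code. The default directory list, the Finding type and the function names are my own choices.

```go
// Added example: list Go-built binaries under the given directories and the
// Go toolchain version each one embeds. Not part of the original post.
package main

import (
	"debug/buildinfo"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
)

// Finding describes one Go binary and the toolchain that built it.
type Finding struct {
	Path      string
	GoVersion string // e.g. "go1.19.4"; compare against the advisory's fixed version
	MainPath  string // main module path as recorded by the Go linker
}

// inspect reads the build-info blob the Go linker embeds in every binary.
// Non-Go files (shell scripts, C binaries, data files) make buildinfo.ReadFile
// return an error, which the callers treat as "not a Go binary".
func inspect(path string) (Finding, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return Finding{}, err
	}
	return Finding{Path: path, GoVersion: bi.GoVersion, MainPath: bi.Main.Path}, nil
}

// scanFiles inspects the given file paths and returns the Go binaries among them.
func scanFiles(paths []string) []Finding {
	var out []Finding
	for _, p := range paths {
		if f, err := inspect(p); err == nil {
			out = append(out, f)
		}
	}
	return out
}

// scanDirs walks directories (typically /usr/bin, /usr/sbin, /usr/local/bin)
// and returns every Go binary found, sorted by path. Unreadable or missing
// entries are skipped rather than aborting the scan.
func scanDirs(dirs []string) []Finding {
	var paths []string
	for _, d := range dirs {
		filepath.WalkDir(d, func(p string, de fs.DirEntry, err error) error {
			if err != nil || de.IsDir() {
				return nil
			}
			if de.Type().IsRegular() { // symlinks are skipped; their targets are walked directly
				paths = append(paths, p)
			}
			return nil
		})
	}
	found := scanFiles(paths)
	sort.Slice(found, func(i, j int) bool { return found[i].Path < found[j].Path })
	return found
}

func main() {
	dirs := os.Args[1:]
	if len(dirs) == 0 {
		dirs = []string{"/usr/bin", "/usr/sbin", "/usr/local/bin"} // assumed defaults
	}
	for _, f := range scanDirs(dirs) {
		fmt.Printf("%-40s %-10s %s\n", f.Path, f.GoVersion, f.MainPath)
	}
}
```

Build it statically (`CGO_ENABLED=0 GOOS=linux go build -o gobins .`), mount it into a container started from the suspect image and point it at the bin directories. Each path it prints can then be mapped back to the apt package that installed it with `dpkg -S <path>`, and that package name identifies the RUN line in the Dockerfile. This complements `docker scout cves --locations`: Scout names the layer and the file, dpkg -S names the package, and the Go version column tells you whether a rebuild with a newer toolchain (as in the linked pull request) is what the fix needs.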