This repository has been archived by the owner on Apr 28, 2021. It is now read-only.

CVE-2018-1000654 is reporting as fail when fix has been installed #47

Open
ocofaigh opened this issue Mar 3, 2020 · 5 comments

ocofaigh commented Mar 3, 2020

Dockerfile:

FROM golang:1.12
ARG TOKEN
USER root
WORKDIR /opt/app
# libtasn1 version before the manual upgrade
RUN apt list | grep libtasn
RUN wget http://mirrors.kernel.org/ubuntu/pool/main/libt/libtasn1-6/libtasn1-6_4.16.0-2_amd64.deb
RUN apt install -y ./libtasn1-6_4.16.0-2_amd64.deb
# libtasn1 version after the manual upgrade
RUN apt list | grep libtasn
RUN wget -O /microscanner https://get.aquasec.com/microscanner
RUN chmod +x /microscanner
RUN /microscanner **** --html --continue-on-failure > /tmp/result.html
RUN rm -rf /microscanner
CMD ["bash"]

Output snippet shows the version before and after the package has been updated:

libtasn1-6/now 4.13-3 amd64 [installed,local]

Removing intermediate container 507ef817358c
 ---> 8af27a96c078
Step 6/13 : RUN wget http://mirrors.kernel.org/ubuntu/pool/main/libt/libtasn1-6/libtasn1-6_4.16.0-2_amd64.deb
 ---> Running in ab639ae9bbcb
--2020-03-03 19:32:31--  http://mirrors.kernel.org/ubuntu/pool/main/libt/libtasn1-6/libtasn1-6_4.16.0-2_amd64.deb
Resolving mirrors.kernel.org (mirrors.kernel.org)... 149.20.37.36, 2001:4f8:4:6f:0:1994:3:14
Connecting to mirrors.kernel.org (mirrors.kernel.org)|149.20.37.36|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://mirrors.edge.kernel.org/ubuntu/pool/main/libt/libtasn1-6/libtasn1-6_4.16.0-2_amd64.deb [following]
--2020-03-03 19:32:36--  http://mirrors.edge.kernel.org/ubuntu/pool/main/libt/libtasn1-6/libtasn1-6_4.16.0-2_amd64.deb
Resolving mirrors.edge.kernel.org (mirrors.edge.kernel.org)... 147.75.197.195, 2604:1380:1:3600::1
Connecting to mirrors.edge.kernel.org (mirrors.edge.kernel.org)|147.75.197.195|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 38088 (37K) [application/octet-stream]
Saving to: 'libtasn1-6_4.16.0-2_amd64.deb'

     0K .......... .......... .......... .......              100%  832K=0.04s

2020-03-03 19:32:36 (832 KB/s) - 'libtasn1-6_4.16.0-2_amd64.deb' saved [38088/38088]

Removing intermediate container ab639ae9bbcb
 ---> 2dcb5aa357b7
Step 7/13 : RUN apt install -y ./libtasn1-6_4.16.0-2_amd64.deb
 ---> Running in 783beaa9bf04

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

Reading package lists...
Building dependency tree...
Reading state information...
The following packages will be upgraded:
  libtasn1-6
1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B/38.1 kB of archives.
After this operation, 13.3 kB of additional disk space will be used.
Get:1 /opt/app/libtasn1-6_4.16.0-2_amd64.deb libtasn1-6 amd64 4.16.0-2 [38.1 kB]
debconf: delaying package configuration, since apt-utils is not installed
(Reading database ... 
(Reading database ... 5%
(Reading database ... 10%
(Reading database ... 15%
(Reading database ... 20%
(Reading database ... 25%
(Reading database ... 30%
(Reading database ... 35%
(Reading database ... 40%
(Reading database ... 45%
(Reading database ... 50%
(Reading database ... 55%
(Reading database ... 60%
(Reading database ... 65%
(Reading database ... 70%
(Reading database ... 75%
(Reading database ... 80%
(Reading database ... 85%
(Reading database ... 90%
(Reading database ... 95%
(Reading database ... 100%
(Reading database ... 15401 files and directories currently installed.)
Preparing to unpack .../libtasn1-6_4.16.0-2_amd64.deb ...
Unpacking libtasn1-6:amd64 (4.16.0-2) over (4.13-3) ...
Setting up libtasn1-6:amd64 (4.16.0-2) ...
Processing triggers for libc-bin (2.28-10) ...

Removing intermediate container 783beaa9bf04
 ---> d7b355b0eb32
Step 8/13 : RUN apt list | grep libtasn
 ---> Running in a42999973a48


WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

libtasn1-6/now 4.16.0-2 amd64 [installed,local]

Removing intermediate container a42999973a48

As you can see version libtasn1-6 4.16.0-2 is now installed.

However, the scan report detects this:
(screenshot of the scan report attached in the original issue)

@knqyf263

knqyf263 commented Mar 4, 2020

@ocofaigh MicroScanner detects a vulnerability based on security advisories from Debian. In this case, Debian says this vulnerability is not fixed yet.
https://security-tracker.debian.org/tracker/CVE-2018-1000654

It means it can't be addressed even if you install the newest version via apt-get.

$ apt-get install libtasn1-6
...
libtasn1-6 is already the newest version (4.13-3).
...

If you install the patched binary yourself, MicroScanner can't know it.

@ocofaigh

ocofaigh commented Mar 4, 2020

Thanks @knqyf263 for the comment. Can you confirm if Aqua is using CVSS version 2.0 or 3.x?
I see this vulnerability is flagged as 5.5 MEDIUM in v3.x, but 7.1 HIGH in v2.0.
Is there any way to tell Aqua to use version 3.x?

CVE-2018-1000654 has been open since 2018 - if it really was a high risk, wouldn't there be a fix already?

@knqyf263

knqyf263 commented Mar 4, 2020

I think they use CVSS v2 because v3 often shows a much higher score than v2. If MicroScanner adopts v3, the opposite situation will happen. v2 says LOW, while v3 says HIGH.
I feel it is intended. Also, you're right. It should have been already fixed if it is a high risk.

@ocofaigh

ocofaigh commented Mar 4, 2020

CVE-2018-1000654 is not flagged with IBM Cloud Vulnerability Advisor (https://cloud.ibm.com/docs/services/Registry?topic=va-va_index), which is what I have been using to date to scan our images. I can't move to Aqua scanner if it's suddenly telling me there is a high vulnerability from 2018 that is not yet fixed :/

@knqyf263

knqyf263 commented Mar 9, 2020

MicroScanner doesn't have the feature to filter unfixed vulnerabilities. If you need it, you can filter them by jq or something like that. Or, you can use https://github.com/aquasecurity/trivy as an OSS scanner.
