trivy scan of aspnet:3.1-alpine image reports medium vulnerability regarding containerd

  alpine, asp.net-core, docker, security, trivy

We are generating a container image based on mcr.microsoft.com/dotnet/core/aspnet:3.1-alpine.

The Dockerfile includes a trivy security scan. Here is a Dockerfile excerpt:

# Build runtime image (Alpine)
FROM mcr.microsoft.com/dotnet/core/aspnet:3.1-alpine

# Upgrade the Alpine Image
RUN apk update
RUN apk upgrade
RUN apk search -a|grep containerd|sort
RUN apk add --upgrade containerd
RUN apk add icu-libs
# https://www.abhith.net/blog/docker-sql-error-on-aspnet-core-alpine/
ENV DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=false

# Check Security with trivy
RUN apk add curl \
    && curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/master/contrib/install.sh | sh -s -- -b /usr/local/bin \
    && trivy filesystem --exit-code 1 --skip-dirs /user/local/bin/trivy --severity MEDIUM,HIGH,CRITICAL --no-progress / \
    && rm -rf /root/.cache/ \
    && rm -rf /usr/local/bin/trivy \
    && apk del curl

The Dockerfile includes an ‘apk upgrade’ to get the latest package versions inside Alpine. We output the version of the containerd package and it outputs ‘containerd-1.4.8-r0’, which is supposedly vulnerability free. However, trivy still outputs the following:

usr/local/bin/trivy (gobinary)
==============================
Total: 1 (MEDIUM: 1, HIGH: 0, CRITICAL: 0)

+----------------------------------+------------------+----------+-------------------+----------------+---------------------------------------+
|             LIBRARY              | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION  |                 TITLE                 |
+----------------------------------+------------------+----------+-------------------+----------------+---------------------------------------+
| github.com/containerd/containerd | CVE-2021-32760   | MEDIUM   | v1.4.4            | v1.4.8, v1.5.4 | containerd: pulling and               |
|                                  |                  |          |                   |                | extracting crafted container          |
|                                  |                  |          |                   |                | image may result in Unix file...      |
|                                  |                  |          |                   |                | -->avd.aquasec.com/nvd/cve-2021-32760 |
+----------------------------------+------------------+----------+-------------------+----------------+---------------------------------------+

This indicates that trivy has detected version 1.4.4. I am unsure what to try next. Thanks!

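Two details in the question explain the report. The finding is attributed to the target `usr/local/bin/trivy (gobinary)`, not to an Alpine package: trivy is itself a Go binary that bundles a copy of the `github.com/containerd/containerd` module, and `apk upgrade` of the OS `containerd` package cannot change a module version that is statically compiled into another binary. And the path excluded with `--skip-dirs /user/local/bin/trivy` does not match the path the report shows (`usr/local/bin/trivy`), so the scanner binary was never excluded. The script below is an added example (not from the question or from the trivy project) that triages a trivy JSON report by separating findings that ship in the image from findings that only come from the scanner binary copied in for the scan. The report embedded in it is a constructed sample that mirrors the question's finding and follows the general shape of `trivy filesystem --format json` output (a `Results` list with `Target`, `Type` and `Vulnerabilities`); the exact key set of the real report is an assumption here, as is the path constant `SCANNER_BINARY`.

```python
"""Triage a trivy JSON report: split findings in image packages from findings
that only come from the scanner binary itself.

Added example, not the question's or trivy's own code. The report shape
(top-level "Results" with "Target", "Type", "Vulnerabilities") is assumed
from trivy's JSON output; the sample report is constructed.
"""
import json
from collections import defaultdict

# Path the question's Dockerfile installs trivy to (assumed, leading slash optional).
SCANNER_BINARY = "usr/local/bin/trivy"

# Constructed sample report reproducing the finding from the question.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {
            "Target": "localhost (alpine)",   # constructed OS-package target, clean after apk upgrade
            "Type": "alpine",
            "Vulnerabilities": [],
        },
        {
            "Target": "usr/local/bin/trivy",   # the scanner binary, detected as a Go binary
            "Type": "gobinary",
            "Vulnerabilities": [
                {
                    "VulnerabilityID": "CVE-2021-32760",
                    "PkgName": "github.com/containerd/containerd",
                    "InstalledVersion": "v1.4.4",
                    "FixedVersion": "v1.4.8, v1.5.4",
                    "Severity": "MEDIUM",
                }
            ],
        },
    ]
})


def parse_findings(report_json):
    """Flatten a trivy JSON report into one dict per vulnerability."""
    data = json.loads(report_json)
    # Newer trivy wraps results in {"Results": [...]}; older releases emitted a bare list.
    results = data["Results"] if isinstance(data, dict) else data
    findings = []
    for result in results:
        for vuln in result.get("Vulnerabilities") or []:
            findings.append({
                "target": result.get("Target", ""),
                "type": result.get("Type", ""),
                "id": vuln["VulnerabilityID"],
                "pkg": vuln["PkgName"],
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion", ""),
                "severity": vuln.get("Severity", "UNKNOWN"),
            })
    return findings


def triage(findings, scanner_binary=SCANNER_BINARY):
    """Return (image_findings, scanner_only_findings).

    A Go binary carries its own statically linked copy of every module, so a
    module version reported inside the scanner binary is unrelated to the OS
    package of the same name and is not affected by `apk upgrade`.
    """
    image, scanner_only = [], []
    for f in findings:
        same_path = f["target"].strip("/") == scanner_binary.strip("/")
        if f["type"] == "gobinary" and same_path:
            scanner_only.append(f)
        else:
            image.append(f)
    return image, scanner_only


def summarize(findings):
    """Count findings per severity, e.g. {'MEDIUM': 1}."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["severity"]] += 1
    return dict(counts)


if __name__ == "__main__":
    image_findings, scanner_findings = triage(parse_findings(SAMPLE_REPORT))
    print("findings in image packages:", summarize(image_findings))
    print("findings only in the scanner binary:", summarize(scanner_findings))
    for f in scanner_findings:
        print(f"  {f['id']} {f['pkg']} {f['installed']} (fixed: {f['fixed']}) in {f['target']}")
    # Fail the build only on findings that actually ship in the image.
    raise SystemExit(1 if image_findings else 0)
```

In practice the cleaner fix is to keep the scanner out of the artifact being judged: either point the exclusion at the real path (trivy accepts `--skip-files` for a single file, whereas `--skip-dirs` is meant for directories), or scan the finished image from the CI runner instead of installing trivy inside the image, so the image is never built with a binary that is then removed in the same layer chain.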