docker run -it alpine:latest sh
/ # ls -lh /var/lib/apk/
total 0
I ran a scan on the alpine docker image using grype:
grype alpine:latest
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
libcrypto3 3.1.4-r2 3.1.4-r5 apk CVE-2024-0727 Medium
libcrypto3 3.1.4-r2 3.1.4-r3 apk CVE-2023-6129 Medium
libcrypto3 3.1.4-r2 3.1.4-r4 apk CVE-2023-6237 Unknown
libssl3 3.1.4-r2 3.1.4-r5 apk CVE-2024-0727 Medium
libssl3 3.1.4-r2 3.1.4-r3 apk CVE-2023-6129 Medium
libssl3 3.1.4-r2 3.1.4-r4 apk CVE-2023-6237 Unknown
I think you are looking in the wrong place.
I appreciate it has been a while, but others may stumble upon this question. Here are some additional commands that may help:
grype alpine:latest
✔ Loaded image alpine:latest
✔ Parsed image sha256:c157a85ed455142fd79bff5dce951fd5f5b0d0c6e45e6f54cfd0c4e2bdec587b
✔ Cataloged contents a71c24b49627f42feb6e7f4e9103d3bb1728d5a827df0d3a98fe452ad78e9c8e
├── ✔ Packages [14 packages]
├── ✔ File digests [77 files]
├── ✔ File metadata [77 locations]
└── ✔ Executables [17 executables]
✔ Scanned for vulnerabilities [2 vulnerability matches]
├── by severity: 0 critical, 0 high, 0 medium, 0 low, 0 negligible (2 unknown)
└── by status: 2 fixed, 0 not-fixed, 0 ignored
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
libcrypto3 3.3.2-r0 3.3.2-r1 apk CVE-2024-9143 Unknown
libssl3 3.3.2-r0 3.3.2-r1 apk CVE-2024-9143 Unknown
grype alpine:latest -o json | grype explain --id CVE-2024-9143 | tail -n 20
✔ Loaded image alpine:latest
✔ Parsed image sha256:c157a85ed455142fd79bff5dce951fd5f5b0d0c6e45e6f54cfd0c4e2bdec587b
✔ Cataloged contents a71c24b49627f42feb6e7f4e9103d3bb1728d5a827df0d3a98fe452ad78e9c8e
├── ✔ Packages [14 packages]
├── ✔ File digests [77 files]
├── ✔ File metadata [77 locations]
└── ✔ Executables [17 executables]
✔ Scanned for vulnerabilities [2 vulnerability matches]
├── by severity: 0 critical, 0 high, 0 medium, 0 low, 0 negligible (2 unknown)
└── by status: 2 fixed, 0 not-fixed, 0 ignored
The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.
Related vulnerabilities:
- alpine:distro:alpine:3.20 CVE-2024-9143 (Unknown)
Matched packages:
- Package: libcrypto3, version: 3.3.2-r0
PURL: pkg:apk/alpine/[email protected]?arch=aarch64&distro=alpine-3.20.3&upstream=openssl
Match explanation(s):
- alpine:distro:alpine:3.20:CVE-2024-9143 Indirect match; this CVE is reported against openssl (version 3.3.2-r0), the upstream of this apk package.
Locations:
- /lib/apk/db/installed
- Package: libssl3, version: 3.3.2-r0
PURL: pkg:apk/alpine/[email protected]?arch=aarch64&distro=alpine-3.20.3&upstream=openssl
Match explanation(s):
- alpine:distro:alpine:3.20:CVE-2024-9143 Indirect match; this CVE is reported against openssl (version 3.3.2-r0), the upstream of this apk package.
Locations:
- /lib/apk/db/installed
URLs:
- https://nvd.nist.gov/vuln/detail/CVE-2024-9143
- https://www.cve.org/CVERecord?id=CVE-2024-9143
Note the location /lib/apk/db/installed, as well as the library packages libssl3 and libcrypto3.
docker run -it alpine:latest sh
/ # grep -B 2 -A 12 libcrypto3 /lib/apk/db/installed
C:Q1ESXuflUHlvYSBrvAtsmANPb+Ii0=
P:libcrypto3
V:3.3.2-r0
A:aarch64
S:2228745
I:5095424
T:Crypto library from openssl
U:https://www.openssl.org/
L:Apache-2.0
o:openssl
m:Natanael Copa <[email protected]>
t:1725386997
c:f81b26d0708cf0a8149e2caf8e5bc3e7fda1225b
D:so:libc.musl-aarch64.so.1
--
t:1725386997
c:f81b26d0708cf0a8149e2caf8e5bc3e7fda1225b
D:libcrypto3=3.3.2-r0 so:libc.musl-aarch64.so.1 so:libcrypto.so.3
p:so:libssl.so.3=3
r:openssl
F:lib
R:libssl.so.3
a:0:0:755
Z:Q1MgGHk1dMOiz5yiPfk8zQs8KHjX8=
F:usr
F:usr/lib
R:libssl.so.3
a:0:0:777
Z:Q1oMqe3ENWHl40WtquaRE6llAmBfU=
From the metadata above we can see that the paths of the files on the filesystem in the container are usr/lib/libssl.so.3 and /usr/libssl.so.3.
Let's check:
/ # ls -l /usr/lib/libssl.so.3
lrwxrwxrwx 1 root root 21 Sep 6 11:37 /usr/lib/libssl.so.3 -> ../../lib/libssl.so.3
So the first one is a symlink.
/ # ls -l /lib/libssl.so.3
-rwxr-xr-x 1 root root 933544 Sep 3 18:09 /lib/libssl.so.3
This is the affected file, as described in the grype explain output above.
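The lookup the answer above performs with grep, done programmatically: parse the /lib/apk/db/installed record format (blank-line separated records of key:value lines, where F: sets the directory and each following R: names a file in it) and map the packages grype flagged to the absolute paths they own. This is an added example, not code from the thread or from grype; SAMPLE_DB is a constructed excerpt in the same format as the grep output above.

```python
# Added example (not from the thread): parse /lib/apk/db/installed and map the
# packages grype flags to the files they own, which the grep above does by hand.
# SAMPLE_DB is a constructed excerpt in the same record format.
SAMPLE_DB = """\
P:libcrypto3
V:3.3.2-r0
F:lib
R:libcrypto.so.3
F:usr/lib
R:libcrypto.so.3

P:libssl3
V:3.3.2-r0
D:libcrypto3=3.3.2-r0 so:libcrypto.so.3
F:lib
R:libssl.so.3
F:usr/lib
R:libssl.so.3
"""

def parse_installed(text: str) -> dict:
    """Return {package: {"version", "files"}}. Records are blank-line separated,
    lines are <key>:<value>; F: sets the directory for the R: entries after it."""
    packages = {}
    for record in text.strip().split("\n\n"):
        name, cur_dir, pkg = None, "", {"version": None, "files": []}
        for line in record.splitlines():
            if len(line) < 2 or line[1] != ":":
                continue  # skip anything that is not a key:value line
            key, value = line[0], line[2:]
            if key == "P":
                name = value
            elif key == "V":
                pkg["version"] = value
            elif key == "F":
                cur_dir = value
            elif key == "R":
                pkg["files"].append(f"/{cur_dir}/{value}")
        if name:
            packages[name] = pkg
    return packages

def files_for_packages(db_text: str, flagged: list) -> dict:
    """Map each scanner-flagged package to the absolute paths it installs."""
    db = parse_installed(db_text)
    return {p: db[p]["files"] for p in flagged if p in db}

if __name__ == "__main__":
    print(files_for_packages(SAMPLE_DB, ["libssl3", "libcrypto3"]))
```

On a real image, read /lib/apk/db/installed from the container instead of SAMPLE_DB; the paths it yields still need an `ls -l` check, since one of them may be a symlink to the other as shown above.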