Skip to content

[trivy] Drop superfluous trivyignore entries as follow up to #20694 #20733

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Apr 3, 2025
Merged

[trivy] Drop superfluous trivyignore entries as follow up to #20694 #20733

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
73 changes: 0 additions & 73 deletions scripts/trivy/trivyignore.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,76 +10,3 @@ vulnerabilities:
In Gitpod’s usage, TypeORM is not exposed to arbitrary user input. For example, DB migrations run preset queries;
the server/bridge code does not hand raw JSON from external sources to findOne. Therefore, there is no path for
injecting malicious JSON into a query, rendering the vulnerability non-exploitable.

# image-builder-bob
- id: CVE-2024-32002
statement: |
A vulnerability allowing remote code execution when cloning a malicious repository (often leveraging submodules
and symlinks on case-insensitive filesystems) that can place malicious scripts in .git/hooks/. On Windows/macOS
(case-insensitive FS), a malicious repo can use symlinks or tricky paths to cause Git to write hook scripts in
the main .git directory during clone, which Git then executes automatically. This results in code execution on
the system performing the clone.

The standard exploit path involving .Git vs. .git doesn’t work on Linux. Also, Gitpod’s builder typically
fetches known repositories or user-provided repos in a controlled environment. Even if a user cloned a hostile
repo in their own workspace, they’d compromise only themselves (in a sandboxed container). No broader exploit
of the underlying host is possible.

- id: CVE-2024-23652
paths:
- "usr/bin/buildctl"
- "usr/bin/buildkitd"
statement: |
A vulnerability where the RUN --mount cleanup logic could remove directories outside of the build context,
leading to potential arbitrary file deletion on the host if BuildKit is used with untrusted Dockerfiles.

Gitpod runs BuildKit inside containers in a Kubernetes environment. Even if a malicious Dockerfile tries to
exploit this, it can only affect the container’s filesystem (which the user already controls). There’s no path to
escalate beyond the container to the node’s host filesystem, so this has no material security impact in Gitpod’s
isolated build setup.

- id: CVE-2024-23653
paths:
- "usr/bin/buildctl"
- "usr/bin/buildkitd"
statement: |
A flaw allowing a build container to run with elevated privileges without the required security.insecure
entitlement. This can grant a malicious Dockerfile or BuildKit client more privileges than intended during the
build.

In Gitpod, BuildKit operates under tight Kubernetes constraints. Even if a user tries to request privileged mode,
it won’t escalate to the actual host or break out of the container. The user is effectively “attacking” their
own build container. They already have control there, so there’s no additional privilege escalation beyond their
existing user container in Gitpod’s architecture.


- id: CVE-2024-45337
paths:
- "usr/bin/buildctl"
- "usr/bin/buildkitd"
- "usr/bin/kube-rbac-proxy"
statement: |
An SSH authentication bypass issue if PublicKeyCallback is used incorrectly in Go’s SSH server library. Misuse
can lead to validating the wrong public key and granting access under the wrong identity.

Neither BuildKit nor kube-rbac-proxy runs an SSH server that uses PublicKeyCallback for authentication.
Kube-rbac-proxy does HTTP-based RBAC checks. BuildKit may include x/crypto/ssh but does not expose an SSH server
requiring PublicKeyCallback. Hence, there’s no exploit path for this bug in these components.

- id: CVE-2024-24790
statement: |
A logic flaw in Go’s net/netip packages causing misclassification of certain IPv4-mapped IPv6 addresses (e.g., failing to mark them as loopback/private). Could lead to security checks that rely on IP classification (like IsPrivate, IsLoopback) being bypassed.

In these images (Cloud SQL Proxy, bob-runc, BuildKit, kube-rbac-proxy), there’s no code path that enforces security decisions using IsLoopback/IsPrivate from Go’s netip. They either accept connections in a controlled environment (Cloud SQL Proxy -> GCP) or use different authentication mechanisms (kube-rbac-proxy). Hence, no external attack can exploit this misclassification.

- id: CVE-2024-45491
statement: |
Integer overflow in dtdCopy when dealing with a large number of default attributes in a DTD, causing potential out-of-bounds write or memory corruption in Expat on 32-bit systems.

The container runs on a 64-bit Alpine Linux environment, not a 32-bit build, so the overflow is not triggered the same way. Moreover, there is no component automatically parsing untrusted XML with Expat. Hence, no practical exploitation path in Gitpod’s usage.

- id: CVE-2024-45492
statement: |
Similar integer overflow in the nextScaffoldPart function of Expat, triggered by enormous or deeply nested content models in the DTD. Can lead to denial of service or potential corruption.

As with CVE-2024-45491, the environment is 64-bit Alpine, and no untrusted XML parsing occurs by default. Thus, the bug cannot be reached in a way that leads to exploitation.
Loading