Trivy/Grype updates to detect log4j vulnerabilities
Problem to solve
Container scanning should detect the log4j CVE-2021-44228.
Josh Bressers (VP of Security at Anchore, the company behind Grype) shared a vulnerable container image that can be used as a test case: https://twitter.com/joshbressers/status/1469411411948417035?s=21
Reproduction pipeline (.gitlab-ci.yml), pointing the template at that image:

include:
  - template: Security/Container-Scanning.gitlab-ci.yml

container_scanning:
  variables:
    DOCKER_IMAGE: docker.io/dnurmi/testrepo:jarjar
Trivy
$ trivy docker.io/dnurmi/testrepo:jarjar
$ trivy --version
Version: 0.21.2
Vulnerability DB:
  Type: Full
  Version: 1
  UpdatedAt: 2021-12-12 12:44:43.771732013 +0000 UTC
  NextUpdate: 2021-12-12 18:44:43.771731813 +0000 UTC
  DownloadedAt: 2021-12-12 13:53:11.907624 +0000 UTC
https://github.com/aquasecurity/trivy/issues/1453 reports that Trivy's light DB mode does not consistently detect this vulnerability. That light-mode problem needs a fix in Trivy itself, tracked in https://github.com/aquasecurity/trivy/pull/1458.
gcs (the GitLab container-scanning analyzer) does not use light mode, though, so that issue alone does not explain why the scan misses the CVE there.
Grype
A manual run with the vulnerable image works.
$ grype docker.io/dnurmi/testrepo:jarjar
$ grype version
Application: grype
Version: 0.27.0
Syft Version: v0.32.0
BuildDate: 2021-12-08T22:17:50Z
GitCommit: e62186725b8bfe3faddb78fa82b1ca44c747c9b6
GitTreeState: clean
Platform: darwin/amd64
GoVersion: go1.16.10
Compiler: gc
Supported DB Schema: 3
gitlab-org/security-products/analyzers/container-scanning!2622 (merged), which updates Grype, should fix the problem.
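A small checker for the scanner output, added here as an example; it is not code from this issue, from the GitLab analyzer, or from either scanner. It parses a Trivy or Grype JSON report (produced with `trivy image --format json -o trivy.json IMAGE` or `grype IMAGE -o json > grype.json`), says whether CVE-2021-44228 was recorded, and flags the case where the scanner identified a vulnerable log4j-core version under other CVEs but has no entry for this one, which is what an incomplete vulnerability DB looks like. The embedded reports are constructed samples, and the field names (Results/Vulnerabilities/VulnerabilityID for Trivy, matches/vulnerability/artifact for Grype) are assumptions to verify against a real report from the versions above.

```python
"""Verify that a Trivy or Grype JSON report actually records CVE-2021-44228.

Added example, not code from this issue, the GitLab analyzer or either scanner.
The report shapes below are assumptions about the scanners' JSON output; check
them against a real report before relying on this.
"""
import json
import sys

LOG4SHELL = "CVE-2021-44228"
FIXED = (2, 15, 0)  # first 2.x log4j-core release with the fix (per the advisory)


def _version_tuple(version):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0) (pre-release suffix dropped)."""
    parts = []
    for piece in (version or "0").split("-")[0].split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple((parts + [0, 0, 0])[:3])


def log4j_core_vulnerable(name, version):
    """True for a log4j-core 2.x artifact below 2.15.0 (the 2.12.2/2.3.1 backports are not modelled)."""
    if not name or not name.endswith("log4j-core"):
        return False
    v = _version_tuple(version)
    return v[0] == 2 and v < FIXED


def iter_trivy(report):
    """Yield (package, version, cve) from a Trivy report.
    Assumed shape: {"Results": [{"Vulnerabilities": [{"VulnerabilityID", "PkgName", "InstalledVersion"}]}]};
    a bare list of results (older Trivy output) is accepted as well."""
    results = report.get("Results") if isinstance(report, dict) else report
    for result in results or []:
        for vuln in result.get("Vulnerabilities") or []:
            yield vuln.get("PkgName"), vuln.get("InstalledVersion"), vuln.get("VulnerabilityID")


def iter_grype(report):
    """Yield (package, version, cve) from a Grype report.
    Assumed shape: {"matches": [{"vulnerability": {"id"}, "artifact": {"name", "version"}}]}."""
    for match in report.get("matches") or []:
        artifact = match.get("artifact") or {}
        yield artifact.get("name"), artifact.get("version"), (match.get("vulnerability") or {}).get("id")


def check_report(report, scanner):
    """Return a verdict dict: 'detected', 'missed' (a vulnerable log4j-core was seen under
    other CVEs only, so the package was found but the DB lacks this entry) or 'no-evidence'."""
    entries = list(iter_trivy(report) if scanner == "trivy" else iter_grype(report))
    hits = [(pkg, ver) for pkg, ver, cve in entries if cve == LOG4SHELL]
    other = sorted({(pkg, ver) for pkg, ver, cve in entries
                    if cve != LOG4SHELL and log4j_core_vulnerable(pkg, ver)})
    if hits:
        verdict = "detected"
    elif other:
        verdict = "missed"
    else:
        verdict = "no-evidence"
    return {"scanner": scanner, "verdict": verdict, "hits": hits, "other_log4j_entries": other}


# Constructed sample reports (not real scanner output) for the image named in this issue.
TRIVY_DETECTED = {
    "SchemaVersion": 2, "ArtifactName": "docker.io/dnurmi/testrepo:jarjar",
    "Results": [{"Target": "Java", "Type": "jar", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2021-44228", "PkgName": "org.apache.logging.log4j:log4j-core",
         "InstalledVersion": "2.14.1", "FixedVersion": "2.15.0", "Severity": "CRITICAL"}]}]}

# Incomplete DB: the scanner knows the jar is log4j-core 2.13.0 (it lists an older CVE
# for it) but has no CVE-2021-44228 entry, so the critical finding is silently absent.
TRIVY_STALE = {
    "SchemaVersion": 2, "ArtifactName": "docker.io/dnurmi/testrepo:jarjar",
    "Results": [{"Target": "Java", "Type": "jar", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2020-9488", "PkgName": "org.apache.logging.log4j:log4j-core",
         "InstalledVersion": "2.13.0", "FixedVersion": "2.13.2", "Severity": "LOW"}]}]}

GRYPE_DETECTED = {"matches": [
    {"vulnerability": {"id": "CVE-2021-44228", "severity": "Critical"},
     "artifact": {"name": "log4j-core", "version": "2.14.1", "type": "java-archive"}}]}


if __name__ == "__main__":
    # Usage: python check_log4shell.py trivy|grype report.json ; no args runs the samples.
    if len(sys.argv) == 3:
        with open(sys.argv[2]) as fh:
            loaded = json.load(fh)
        print(json.dumps(check_report(loaded, sys.argv[1]), indent=2))
    else:
        for label, rep, scanner in (("trivy", TRIVY_DETECTED, "trivy"),
                                    ("trivy-stale", TRIVY_STALE, "trivy"),
                                    ("grype", GRYPE_DETECTED, "grype")):
            print(label, check_report(rep, scanner)["verdict"])
```

The "missed" verdict is the one worth wiring into a pipeline check: a report that names log4j-core but not this CVE means the scanner found the package and the database is the problem, which is a different fix from the scanner not seeing the jar at all.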
Proposal
- Update Grype and verify that it detects CVE-2021-44228 in the test image
- Analyse why Trivy does not work in gcs
@mparuszewski @thiagocsf I've started analysing the scanners in gitlab-de/playground/log4j-container-scanning!1 but I don't know why they don't work inside gcs. Please help investigate :)