From 9a230db69767aac386465ef3c7abbb202de17356 Mon Sep 17 00:00:00 2001 From: PollyS6 Date: Fri, 3 Jul 2026 22:42:52 +0300 Subject: [PATCH] feat(lab7): trivy + PSS restricted + conftest gate --- submissions/lab7.md | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 submissions/lab7.md diff --git a/submissions/lab7.md b/submissions/lab7.md new file mode 100644 index 00000000..b33e39f7 --- /dev/null +++ b/submissions/lab7.md @@ -0,0 +1,36 @@ +# Lab 7 — Submission + +## Task 1: Trivy Image + Config Scan + +### Image scan severity breakdown +| Severity | Total | With fix available | +|----------|------:|------------------:| +| Critical | 4 | 4 | +| High | 6 | 6 | +| **Total** | 10 | 10 | + +### Top 10 CVEs with fixes +| CVE | Severity | Package | Installed | Fix | +|-----|----------|---------|-----------|-----| +| CVE-2023-46233 | CRITICAL | crypto-js | 3.3.0 | 4.2.0 | +| CVE-2015-9235 | CRITICAL | jsonwebtoken | 0.1.0 | 4.2.2 | +| CVE-2015-9235 | CRITICAL | jsonwebtoken | 0.4.0 | 4.2.2 | +| CVE-2019-10744 | CRITICAL | lodash | 2.4.2 | 4.17.12 | +| CVE-2026-45447 | HIGH | libssl3t64 | 3.5.5-1~deb13u2 | 3.5.6-1~deb13u2 | +| NSWG-ECO-428 | HIGH | base64url | 0.0.6 | >=3.0.0 | +| CVE-2020-15084 | HIGH | express-jwt | 0.1.3 | 6.0.0 | +| CVE-2022-25881 | HIGH | http-cache-semantics | 3.8.1 | 4.1.1 | +| CVE-2022-23539 | HIGH | jsonwebtoken | 0.1.0 | 9.0.0 | +| NSWG-ECO-17 | HIGH | jsonwebtoken | 0.1.0 | >=4.2.2 | + +### Compared to Lab 4's Grype scan +Look back at your Lab 4 Grype results on the same image. Pick **two CVEs**: +1. One that BOTH Grype and Trivy found : CVE-2019-10744, CRITICAL, lodash, installed 2.4.2 and fix 4.17.12 +2. One that ONE tool found and the OTHER missed +For each: explain why the tools differ (DB freshness? Different package matching? +EPSS scoring? Lecture 7 + Lecture 4 give context.) (2-3 sentences per CVE.): +**Grype found, Trivy missed** +GHSA-5mrr-rgp6-x4gr, Critical, marsdb, installed 0.6.11 with no fix. Trivy and Grype use different databaseses. This vulnerability is maybe only present in GitHub security advisory database. + +**Trivy found, Grype missed** +CVE-2026-45447, High, libssl3t64 v3.5.5-1~deb13u2, fix 3.5.6-1~deb13u2. In Grype results, this vulnerability was maybe not in the latest update of databases Grype uses. And Trivy may have had already updated databasese.