bump root image from debian:buster-slim to debian:bookworm-slim requierd

[obeyler]

./trivy image -s CRITICAL debian:buster-slim
2021-08-18T11:18:12.970+0200	INFO	Detected OS: debian
2021-08-18T11:18:12.971+0200	INFO	Detecting Debian vulnerabilities...
2021-08-18T11:18:12.978+0200	INFO	Number of language-specific files: 0

debian:buster-slim (debian 10.10)
=================================
Total: 4 (CRITICAL: 4)

+----------+------------------+----------+-------------------+---------------+---------------------------------------+
| LIBRARY  | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+----------+------------------+----------+-------------------+---------------+---------------------------------------+
| libc-bin | CVE-2021-33574   | CRITICAL | 2.28-10           |               | glibc: mq_notify does                 |
|          |                  |          |                   |               | not handle separately                 |
|          |                  |          |                   |               | allocated thread attributes           |
|          |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-33574 |
+          +------------------+          +                   +---------------+---------------------------------------+
|          | CVE-2021-35942   |          |                   |               | glibc: Arbitrary read in wordexp()    |
|          |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-35942 |
+----------+------------------+          +                   +---------------+---------------------------------------+
| libc6    | CVE-2021-33574   |          |                   |               | glibc: mq_notify does                 |
|          |                  |          |                   |               | not handle separately                 |
|          |                  |          |                   |               | allocated thread attributes           |
|          |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-33574 |
+          +------------------+          +                   +---------------+---------------------------------------+
|          | CVE-2021-35942   |          |                   |               | glibc: Arbitrary read in wordexp()    |
|          |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-35942 |
+----------+------------------+----------+-------------------+---------------+---------------------------------------+
adminomc@hkbdc1svcadm01p:~$ ./trivy image -s CRITICAL debian:bookworm-slim
2021-08-18T11:19:26.064+0200	INFO	Detected OS: debian
2021-08-18T11:19:26.065+0200	INFO	Detecting Debian vulnerabilities...
2021-08-18T11:19:26.065+0200	INFO	Number of language-specific files: 0

debian:bookworm-slim (debian 11.0)
==================================
Total: 0 (CRITICAL: 0)

[isuftin]

Isn't Debian 11 codename "Bullseye" ?

[nesc58]

Yes. Debian 11 is Bullseye. I guess "Bookworm" is the codename for Debian 12.

[obeyler]

trivy image -s CRITICAL debian:bullseye-slim
2021-09-10T10:18:31.361+0200	INFO	Detecting Debian vulnerabilities...
2021-09-10T10:18:31.368+0200	INFO	Trivy skips scanning programming language libraries because no supported file was detected

debian:bullseye-slim (debian 11.0)
==================================
Total: 2 (CRITICAL: 2)

+----------+------------------+----------+-------------------+---------------+---------------------------------------+
| LIBRARY  | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+----------+------------------+----------+-------------------+---------------+---------------------------------------+
| libc-bin | CVE-2021-33574   | CRITICAL | 2.31-13           |               | glibc: mq_notify does                 |
|          |                  |          |                   |               | not handle separately                 |
|          |                  |          |                   |               | allocated thread attributes           |
|          |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-33574 |
+----------+                  +          +                   +---------------+                                       +
| libc6    |                  |          |                   |               |                                       |
|          |                  |          |                   |               |                                       |
|          |                  |          |                   |               |                                       |
|          |                  |          |                   |               |                                       |
+----------+------------------+----------+-------------------+---------------+---------------------------------------+

CVE is present on debian 11

[obeyler]

@nesc58 exact trivy scan give the bad version for the docker image of debian 12

[nesc58]

Trivy seems to be incorrect. Bookworm is still vulnerable: https://security-tracker.debian.org/tracker/CVE-2021-33574

[koelle25]

In the current version it clearly states, that Debian Bookworm is not (yet) supported:

❯ trivy image -s CRITICAL debian:bookworm-slim
2022-09-23T09:57:12.785+0200	INFO	Vulnerability scanning is enabled
2022-09-23T09:57:12.785+0200	INFO	Secret scanning is enabled
2022-09-23T09:57:12.785+0200	INFO	If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-09-23T09:57:12.785+0200	INFO	Please see also https://aquasecurity.github.io/trivy/v0.32/docs/secret/scanning/#recommendation for faster secret detection
2022-09-23T09:57:17.187+0200	INFO	Detected OS: debian
2022-09-23T09:57:17.187+0200	WARN	This OS version is not on the EOL list: debian bookworm/sid
2022-09-23T09:57:17.187+0200	INFO	Detecting Debian vulnerabilities...
2022-09-23T09:57:17.187+0200	INFO	Number of language-specific files: 0
2022-09-23T09:57:17.188+0200	WARN	This OS version is no longer supported by the distribution: debian bookworm/sid
2022-09-23T09:57:17.188+0200	WARN	The vulnerability detection may be insufficient because security updates are not provided

debian:bookworm-slim (debian bookworm/sid)

Total: 0 (CRITICAL: 0)

[thomschke]

Debian Bullseye is now supported:

~ ❯ trivy image debian:bullseye-slim                                                                                                                                                                                      11s
2022-12-28T10:30:41.455+0100	INFO	Vulnerability scanning is enabled
2022-12-28T10:30:41.455+0100	INFO	Secret scanning is enabled
2022-12-28T10:30:41.455+0100	INFO	If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-12-28T10:30:41.455+0100	INFO	Please see also https://aquasecurity.github.io/trivy/v0.35/docs/secret/scanning/#recommendation for faster secret detection
2022-12-28T10:30:46.808+0100	INFO	Detected OS: debian
2022-12-28T10:30:46.809+0100	INFO	Detecting Debian vulnerabilities...
2022-12-28T10:30:46.821+0100	INFO	Number of language-specific files: 0

debian:bullseye-slim (debian 11.6)

Total: 78 (UNKNOWN: 0, LOW: 61, MEDIUM: 6, HIGH: 10, CRITICAL: 1)

and there OpenLDAP 2.5.13 will be provided.

[nesc58]

PR created: #37