You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardexpand all lines: scripts/trivy/trivyignore.yaml
-73
Original file line number
Diff line number
Diff line change
@@ -10,76 +10,3 @@ vulnerabilities:
10
10
In Gitpod’s usage, TypeORM is not exposed to arbitrary user input. For example, DB migrations run preset queries;
11
11
the server/bridge code does not hand raw JSON from external sources to findOne. Therefore, there is no path for
12
12
injecting malicious JSON into a query, rendering the vulnerability non-exploitable.
13
-
14
-
# image-builder-bob
15
-
- id: CVE-2024-32002
16
-
statement: |
17
-
A vulnerability allowing remote code execution when cloning a malicious repository (often leveraging submodules
18
-
and symlinks on case-insensitive filesystems) that can place malicious scripts in .git/hooks/. On Windows/macOS
19
-
(case-insensitive FS), a malicious repo can use symlinks or tricky paths to cause Git to write hook scripts in
20
-
the main .git directory during clone, which Git then executes automatically. This results in code execution on
21
-
the system performing the clone.
22
-
23
-
The standard exploit path involving .Git vs. .git doesn’t work on Linux. Also, Gitpod’s builder typically
24
-
fetches known repositories or user-provided repos in a controlled environment. Even if a user cloned a hostile
25
-
repo in their own workspace, they’d compromise only themselves (in a sandboxed container). No broader exploit
26
-
of the underlying host is possible.
27
-
28
-
- id: CVE-2024-23652
29
-
paths:
30
-
- "usr/bin/buildctl"
31
-
- "usr/bin/buildkitd"
32
-
statement: |
33
-
A vulnerability where the RUN --mount cleanup logic could remove directories outside of the build context,
34
-
leading to potential arbitrary file deletion on the host if BuildKit is used with untrusted Dockerfiles.
35
-
36
-
Gitpod runs BuildKit inside containers in a Kubernetes environment. Even if a malicious Dockerfile tries to
37
-
exploit this, it can only affect the container’s filesystem (which the user already controls). There’s no path to
38
-
escalate beyond the container to the node’s host filesystem, so this has no material security impact in Gitpod’s
39
-
isolated build setup.
40
-
41
-
- id: CVE-2024-23653
42
-
paths:
43
-
- "usr/bin/buildctl"
44
-
- "usr/bin/buildkitd"
45
-
statement: |
46
-
A flaw allowing a build container to run with elevated privileges without the required security.insecure
47
-
entitlement. This can grant a malicious Dockerfile or BuildKit client more privileges than intended during the
48
-
build.
49
-
50
-
In Gitpod, BuildKit operates under tight Kubernetes constraints. Even if a user tries to request privileged mode,
51
-
it won’t escalate to the actual host or break out of the container. The user is effectively “attacking” their
52
-
own build container. They already have control there, so there’s no additional privilege escalation beyond their
53
-
existing user container in Gitpod’s architecture.
54
-
55
-
56
-
- id: CVE-2024-45337
57
-
paths:
58
-
- "usr/bin/buildctl"
59
-
- "usr/bin/buildkitd"
60
-
- "usr/bin/kube-rbac-proxy"
61
-
statement: |
62
-
An SSH authentication bypass issue if PublicKeyCallback is used incorrectly in Go’s SSH server library. Misuse
63
-
can lead to validating the wrong public key and granting access under the wrong identity.
64
-
65
-
Neither BuildKit nor kube-rbac-proxy runs an SSH server that uses PublicKeyCallback for authentication.
66
-
Kube-rbac-proxy does HTTP-based RBAC checks. BuildKit may include x/crypto/ssh but does not expose an SSH server
67
-
requiring PublicKeyCallback. Hence, there’s no exploit path for this bug in these components.
68
-
69
-
- id: CVE-2024-24790
70
-
statement: |
71
-
A logic flaw in Go’s net/netip packages causing misclassification of certain IPv4-mapped IPv6 addresses (e.g., failing to mark them as loopback/private). Could lead to security checks that rely on IP classification (like IsPrivate, IsLoopback) being bypassed.
72
-
73
-
In these images (Cloud SQL Proxy, bob-runc, BuildKit, kube-rbac-proxy), there’s no code path that enforces security decisions using IsLoopback/IsPrivate from Go’s netip. They either accept connections in a controlled environment (Cloud SQL Proxy -> GCP) or use different authentication mechanisms (kube-rbac-proxy). Hence, no external attack can exploit this misclassification.
74
-
75
-
- id: CVE-2024-45491
76
-
statement: |
77
-
Integer overflow in dtdCopy when dealing with a large number of default attributes in a DTD, causing potential out-of-bounds write or memory corruption in Expat on 32-bit systems.
78
-
79
-
The container runs on a 64-bit Alpine Linux environment, not a 32-bit build, so the overflow is not triggered the same way. Moreover, there is no component automatically parsing untrusted XML with Expat. Hence, no practical exploitation path in Gitpod’s usage.
80
-
81
-
- id: CVE-2024-45492
82
-
statement: |
83
-
Similar integer overflow in the nextScaffoldPart function of Expat, triggered by enormous or deeply nested content models in the DTD. Can lead to denial of service or potential corruption.
84
-
85
-
As with CVE-2024-45491, the environment is 64-bit Alpine, and no untrusted XML parsing occurs by default. Thus, the bug cannot be reached in a way that leads to exploitation.
0 commit comments