The haunting of CVE-2022-3474: A ghostly tale of package detection failure

John Speed Meyers, Principal Research Scientist
October 10, 2023

Disclaimer: The CVEs in these stories are real, but the names of people involved are fictional for privacy and storytelling purposes.

In this story, we hear about a false negative: a vulnerability that is present in a container image, but that the scanner fails to report. In particular, this one is caused by the way scanners work: they need to guess which packages are present. Unfortunately, this may lead to missing packages—including the primary package for the image!

Below, we’ll see that when the scanner doesn’t find the Bazel package in a bazel image, vulnerabilities go undetected. Fortunately, Chainguard Images come with rich package metadata—and SBOMs—so scanners don’t have to guess.
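The failure described above is easy to check for on the defender's side: compare the scanner's package inventory against the packages an image exists to ship. The following is an added example, not code from the original post or from Chainguard, run over two constructed Trivy-style JSON reports (the `Results`/`Packages` field names follow Trivy's `--format json --list-all-pkgs` report format; the image names, versions and package lists are made up).

```python
import json

# Constructed reports in the shape of `trivy image --format json --list-all-pkgs`.
# Field names follow Trivy's report schema; images, versions and packages are invented.
SCAN_WITHOUT_METADATA = json.dumps({
    "ArtifactName": "example/bazel:5.3.1",
    "Results": [{
        "Target": "example/bazel:5.3.1 (debian 11.5)", "Class": "os-pkgs", "Type": "debian",
        # The scanner guessed from the package database and never saw Bazel itself.
        "Packages": [{"Name": "libc6", "Version": "2.31-13+deb11u5"},
                     {"Name": "openjdk-11-jre-headless", "Version": "11.0.16+8-1~deb11u1"}],
        "Vulnerabilities": [],
    }],
})

SCAN_WITH_METADATA = json.dumps({
    "ArtifactName": "example/metadata-rich-bazel:latest",
    "Results": [{
        "Target": "example/metadata-rich-bazel:latest (wolfi)", "Class": "os-pkgs", "Type": "wolfi",
        # Package metadata present, so the primary package is inventoried under its distro name.
        "Packages": [{"Name": "bazel-6", "Version": "6.3.2-r0"},
                     {"Name": "openjdk-17", "Version": "17.0.8-r0"}],
        "Vulnerabilities": [],
    }],
})

# Packages the image exists to ship, each as the set of names distributions use for it.
EXPECTED_PRIMARY = [{"bazel", "bazel-5", "bazel-6"}]


def inventoried_packages(report_json):
    """Return {name: version} for every package the scanner listed, across all targets."""
    report = json.loads(report_json)
    packages = {}
    for result in report.get("Results") or []:
        for pkg in result.get("Packages") or []:
            packages[pkg["Name"]] = pkg.get("Version", "")
    return packages


def missing_primary_packages(report_json, expected=EXPECTED_PRIMARY):
    """Expected primary packages the scanner never inventoried.

    An empty list means the scanner saw the software it was asked to check; any
    name returned is a package whose CVEs cannot appear in this report at all.
    """
    found = set(inventoried_packages(report_json))
    return [sorted(aliases)[0] for aliases in expected if not (aliases & found)]


if __name__ == "__main__":
    for label, report in [("guessed", SCAN_WITHOUT_METADATA), ("metadata", SCAN_WITH_METADATA)]:
        gaps = missing_primary_packages(report)
        print(f"{label}: " + ("inventory OK" if not gaps else "possible false negative, not inventoried: " + ", ".join(gaps)))
```

Wire this into CI after the scan step so a green "no vulnerabilities" result is rejected whenever the primary package is absent from the inventory.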

The Story

Once upon a chilling night, there lurked a spooky vulnerability named CVE-2022-3474. This CVE had a knack for hiding in the darkest corners of the container world, waiting patiently for its moment to strike.

Scanners were the brave souls tasked with hunting down these hidden vulnerabilities. They worked tirelessly, listing every package in an application or container image and analyzing them for known vulnerabilities. But even the bravest can get spooked, and in the shadows, a witch’s special recipe was brewing.

A vulnerability sorcerer named Sam ventured out to find vulnerabilities. Armed with Trivy, a trusted scanning tool, Sam aimed to unveil the secrets of an ominous container known as Bazel 5.3.1. Little did they know that this journey would lead to a chilling discovery.

Sam set the stage by listing all the packages within the Bazel 5.3.1 image. As they peered into the abyss of software components, they discovered an unsettling find. A package, a critical one, was missing – Bazel itself! It was as if the application had vanished into thin air, leaving no trace for the scanner to detect.

"Not found," Sam muttered in disbelief as they realized that the scanner did not detect CVE-2022-3474 lurking within Bazel 5.3.1. It was a false negative, a deceptive trick played by the ghostly vulnerability that had ensnared the scanner.

In this realm of vulnerability management, where unseen threats lay in wait, the missing package was the key to uncovering an eerie chain of events. 

But there was a glimmer of hope amidst the shadows. A solution emerged from the abyss – Chainguard Images. These were container images that came with a special enchantment, a package metadata that scanners could read with ease. Chainguard Images promised to banish the ghostly false negatives that haunted even the most skilled vulnerability management sorcerers.

With renewed determination, Sam turned to Chainguard Images, and the results were astonishing. They invoked Trivy once more, this time with the Chainguard-enhanced Bazel image. As the results flowed in, the name "bazel-6" emerged from the darkness, revealing the presence of the elusive package.

The vulnerability, CVE-2022-3474, had no place to hide in the presence of Chainguard Images. It was exorcized from the container, never to haunt again.

And so, dear reader, remember this tale of package detection failure as you tread the ominous corridors of container security. Beware of the false negatives that may linger in the shadows, but also take solace in the knowledge that there are tools like Chainguard Images to protect you from the spectral threats that haunt the world of CVEs. This Halloween, let us all strive to keep our containers free from ghostly vulnerabilities.
