Overview


As part of the ongoing improvement of our security offering, Aqua has added a capability to the Scanner and CyberCenter that enables Aqua to detect vulnerabilities in files developed in the Go programming language. Many of our customers and prospects have waited a long time for this enhancement. This capability is available in the Aqua Platform SaaS Edition as well as the Enterprise Self-Hosted Edition (Versions 6.2 and higher).


As of July 10, 2022, you can enable the new Golang vulnerability feed by changing your CyberCenter settings and pointing it to “cybercenter5go.aquasec.com” instead of “cybercenter5.aquasec.com”. This setting is available in the Aqua Console, under Settings > Aqua CyberCenter. After changing this setting, you will need to rescan your images. 


Customer impact

  • This change applies to both the Classic Scanner and the Trivy Premium Scanner.
  • This change is embedded in the scanner and controlled by the CyberCenter.
  • After rescanning your images, you can expect to see new and additional vulnerabilities, since a new programming language is now supported. Because your scanning results may change, your CI/CD pipelines might be impacted.
  • Aqua components: As most Aqua components include modules written in Go, our scanner will now find vulnerabilities in certain Aqua components. We have fixed most of the vulnerabilities of critical and high severity in all affected versions (SaaS, 2022.4, 6.5, and 6.2). The vast majority of the vulnerabilities were resolved in the latest releases of these versions. Therefore, Enterprise Self-Hosted customers (Versions 6.2 and higher) will need to upgrade to the latest update release to eliminate the vulnerabilities.

Mitigation steps


Note: Bracketed numbers, such as [1], refer to sources listed under References below.


CI/CD pipelines


Images built with vulnerable Go packages [1] will now be marked as non-compliant against any configured Image Assurance Policies that include the Vulnerability Score, Vulnerability Severity, and/or CVEs Blocked controls.


If these Image Assurance Policies are configured to "Fail the Aqua step in CI/CD", then newly found vulnerabilities might fail one or more of these controls.


In this case there are three possibilities, depending on how the scan command is invoked:

  1. The scan command does not register the image. Acknowledging the newly found Go vulnerabilities in the Images > CI/CD Scans screen will cause the next scan iteration to pass the CI/CD scanning step.
  2. The scan command registers the image via the --register and --registry options. The newly found Go vulnerabilities must be acknowledged both in Images > CI/CD Scans and in Images > General, unless the acknowledgment is performed against "All Images" [2]. The next scan iteration will then pass the CI/CD scanning step.
  3. The scan command registers the image with --register-compliant --registry. The newly found Go vulnerabilities must be acknowledged in Images > CI/CD Scans, after which the next scan iteration will pass the CI/CD scanning step. However, if the acknowledgment is not performed against "All Images", the same vulnerabilities must also be acknowledged in Images > General; otherwise, at the next scan the registered and previously compliant image will be marked as non-compliant.


Acknowledging the Go vulnerabilities as they are discovered allows a systematic approach to finding and patching the affected images as needed, without significantly disrupting the developers' workflow. However, if compliance is a strict requirement during build (for example), failing the CI/CD scanning step might be desirable until the image is patched according to the relevant vendor advisories.


Another option would be to ignore specific vulnerabilities [3] based on the first scan iteration, or to include all the vulnerabilities listed in [1]. This approach essentially gives a "free pass" to all the Go vulnerabilities listed or discovered, but only within the scope of one or more specific Assurance Policies. Doing so treats these vulnerabilities as not constituting an immediate concern, so the relevant CVEs can be dealt with at a later time.


Images registered in Aqua


Aqua will find Go vulnerabilities at the next rescan of the image (whether performed manually or automatically).


If the scan results in the image becoming non-compliant, acknowledging the relevant CVE(s) could be considered if the risk can be accepted (until the image is updated) and/or the image must be run as a container. If the image must be run, it could also be allowed [4] temporarily.


Images running as containers


Images already running as containers and affected by any of the Go vulnerabilities would become non-compliant if the relevant Image Assurance Policies are configured to treat them so.


Non-compliant running containers will not be stopped or disrupted by Aqua Enforcers (even in Enforce mode). Additional containers can still be started from the same image, as described in [6].


References


[1] https://pkg.go.dev/vuln/list

[2] https://docs.aquasec.com/docs/apply-and-manage-security-issue-acknowledgments#section-acknowledgment-applicability

[3] https://docs.aquasec.com/docs/image-assurance-policies-basic-info#section-exceptions

[4] https://docs.aquasec.com/docs/allow-and-block-images#section-allow

[5] https://docs.aquasec.com/docs/reactive-risk-management#section-apply-a-vulnerability-shield%E2%84%A2-v-shield-to-the-image

[6] https://docs.aquasec.com/docs/configure-scan-options#section-starting-containers-from-non-compliant-images