{"id":20148229,"url":"https://github.com/chainguard-dev/maxcve","last_synced_at":"2025-07-25T17:39:52.177Z","repository":{"id":206830394,"uuid":"717794163","full_name":"chainguard-dev/maxcve","owner":"chainguard-dev","description":null,"archived":false,"fork":false,"pushed_at":"2025-03-20T19:01:04.000Z","size":131,"stargazers_count":18,"open_issues_count":2,"forks_count":8,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-03-20T20:36:22.262Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/chainguard-dev.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-11-12T16:10:16.000Z","updated_at":"2025-03-20T19:01:08.000Z","dependencies_parsed_at":null,"dependency_job_id":"b48e50b6-03b3-460d-9945-dc087d6950d4","html_url":"https://github.com/chainguard-dev/maxcve","commit_stats":null,"previous_names":["imjasonh/maxcve","chainguard-dev/maxcve"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chainguard-dev%2Fmaxcve","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chainguard-dev%2Fmaxcve/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chainguard-dev%2Fmaxcve/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chainguard-dev%2Fmaxcve/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/chainguard-dev","download_url":"https://codeload.github.com/chainguard-dev/maxcve/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248103907,"owners_count":21048244,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-13T22:35:51.759Z","updated_at":"2025-04-09T19:51:18.635Z","avatar_url":"https://github.com/chainguard-dev.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# _MAXIMUM CVEs_\n\n[![Release](https://github.com/chainguard-dev/maxcve/actions/workflows/release.yaml/badge.svg)](https://github.com/chainguard-dev/maxcve/actions/workflows/release.yaml)\n\nThis repo generates a container image that maximizes the number of CVEs in the image, while minimizing the size of the image.\n\n```\n$ grype ghcr.io/chainguard-dev/maxcve/maxcve 1\u003e /dev/null\n   ├── ✔ Packages                        [48,215 packages]\n   └── ✔ Executables                     [0 executables]\n ✔ Scanned for vulnerabilities     [290565 vulnerability matches]\n   ├── by severity: 5968 critical, 50545 high, 38097 medium, 1390 low, 0 negligible (194565 unknown)\n   └── by status:   282221 fixed, 8344 not-fixed, 0 ignored\n```\n\n(As of March 28, 2024)\n\nOr, if you prefer to consume data visually:\n\n![](severity.png)\n\n_Zero negligible vulns, nice!_\n\n![](installed.png)\n\n_Real minimal base image for scale_\n\n### Development\n\n```\ngo run . ttl.sh/maxcve\n```\n\n### How it works\n\nTo minimize size, the image doesn't actually contain any packages. In fact, it only contains two files:\n\n1. `/etc/os-release`, which tells scanners the image is a [Wolfi](https://wolfi.dev) image.\n1. `/lib/apk/db/installed`, which tells scanners what packages the image contains -- i.e., that it contains every version of every package that Wolfi has ever produced.\n\nWolfi aims to reduce the number of vulnerable packages by producing new fixed packages as soon as possible. But, along the way, it also produces lots and _lots_ of packages, and those packages over time _do_ have vulnerabilities discovered in them. This image claims to contain all of them.\n\nAmusingly, it takes about 500ms to build and push the image, and almost two minutes to scan it.\n\n### Why?\n\nAside from being fun, this image demonstrates how scanners work -- and importantly, how they _don't_ work.\n\nAt their most basic, scanners require images (1) tell them what OS they are, and (2) tell them what packages they contain. This image does both, but it does so in a way that is misleading.\n\nFor a similar (but opposite) demonstration of this, see [Malicious Compliance: Reflections on Trusting Container Scanners](https://www.youtube.com/watch?v=9weGi0csBZM). In that talk, they mislead the scanner into finding fewer CVEs in the presence of vulnerable packages. In this demonstration, we mislead the scanner into finding vulnerabilities without installing any packages.\n\n### Proof\n\nThe following script demonstrates that all the CVEs in the image are entirely due to the existence of the `/lib/apk/db/installed` file, which lists all the packages that are \"installed\".\n\nRunning a Grype scan after removing that file from the image results in a Grype scan with zero CVEs:\n\n```\ngrype ghcr.io/chainguard-dev/maxcve/maxcve 1\u003e /dev/null\nTEMP_DIR=$(mktemp -d) \u0026\u0026 \\\n\tcrane export ghcr.io/chainguard-dev/maxcve/maxcve:latest - | tar -xvf - -C \"$TEMP_DIR\" \u0026\u0026 \\\n\trm -f \"$TEMP_DIR/lib/apk/db/installed\" \u0026\u0026 \\\n\ttar -C \"$TEMP_DIR\" -cf - . | docker import - maxcve:noapkdb \u0026\u0026 \\\n\trm -rf \"$TEMP_DIR\"\ngrype maxcve:noapkdb 1\u003e /dev/null\n```\n\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchainguard-dev%2Fmaxcve","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fchainguard-dev%2Fmaxcve","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchainguard-dev%2Fmaxcve/lists"}