Docker update fact_extractor and cwe_checker

[Anemosx]

Docker container now support more modules:

• Allows for cwe-checker in docker container CWE-checker support in docker #38

• FACT extractor can now be used in docker container Fact_extractor support in docker #56

[m-1-k-3]

Cool thing. I think the changes of the installer.sh should be removed from this pull request. They are already in separate pull request: #67

[m-1-k-3]

I am wondering if this is a security problem in our use case.

We are going to start all of our containers with --rm. So if something goes really bad we are going to destroy it afterwards.

[m-1-k-3]

Probably one of our Docker experts can help with this. @N0K0?

[N0K0]

I would not call myself an expert :D This would not destroy the socket file if that is what you are wondering. The main security risk here is that the container will get access to do more of less whatever the dockerd user can (more often than not this imples root access).
Given this use case (emba as a whole) i'd think this would be okay?

[m-1-k-3]

does it mean root access to the host or to other docker containers?

[N0K0]

Basically by having access to the socket you have access to the docker daemon. Which allows you to mount up the host file system and to whatever you feel like.

It also allows complete access to all other containers.

Here is an article that goes a bit into why it might be an bad idea :)
https://secureideas.com/blog/2018/05/escaping-the-whale-things-you-probably-shouldnt-do-with-docker-part-1.html

The reason i feel that this might not be too bad is that running tools like EMBA is really not something you should do on your "regular" computer. Just like using Kali as your day to day OS is a bit wierd

[m-1-k-3]

Thanks for the link. Yes, currently we are running everything on our host as root. So, we are compromised by default if someone has a nice firmware for us. With docker in place everything would be a bit better :)

[m-1-k-3]

already merged