security in docker : use an applicative user instead of root to run vuls server

[tramora]

Hi,
Currently (in version 0.12.3 at least) the process runs under root :

    1 root      0:00 vuls server -listen 0.0.0.0:5515 -format-json -debug -debug-sql -cvedb-type=http -cvedb-url=http://vuls-go-cve-dictionary:1323 -ovaldb-type=http -ovaldb-url=http://vuls-goval-dictionary:1324

It seems better to create and use an applicative user instead.

[kotakanbe]

Pull Request welcome 👍

[Jiab77]

Hi @tramora, I was able to make it run while using Docker in Rootless mode. I'll add the required documentation soon.

[tramora]

thanx for your comments @kotakanbe & @Jiab77. Indeed, the users can use that kind of workarounds even in kubernetes.

# in the deployment yaml
securityContext:
              runAsNonRoot: true
              runAsUser: 27740
              runAsGroup: 27740
              allowPrivilegeEscalation: true

That's why this "issue" seems very low priority even if it should be simple to fix

In dockerfile

RUN apk add sudo && \
        adduser app_user -D --shell /sbin/nologin

and in the entrypoint call

/sbin/sudo --user=app_user vuls