Fortify finding : Insecure Transport in run_packet.go #4037
Comments
|
Can you link to the actual file and lines? |
|
Sure, here is link from the current master - https://github.com/linuxkit/linuxkit/blob/master/src/cmd/linuxkit/run_packet.go#L128 |
|
The commit that added it is here, with the comment:
The reason for it is that Packet (now Equinix Metal) does custom operating systems via iPXE, so you need something to act as the iPXE server. You can use something hosted, or, for testing, you can use this, run a local http server that is listening on localhost, and then use some remote-to-Internet service, like ngrok or inlets, to expose it to the Internet. Either way, it is intended for testing, e.g. |
|
Thanks a lot for clarifying . |
We have configured fortify scanning for our go modules and it pointed out a vulnerability in run_packet.go file.
Insecure Transport
go func() {
log.Debugf("Listening on http://%s\n", *serveFlag)
if err := httpServer.ListenAndServe(); err != nil {
log.Infof("http server exited with: %v", err)
}
Basically, the code is expected to use TLS in the http server. But my question is
Is this code only used while building the image ? If yes, the purpose of the server so created ends when the image is built and the image itself will not carry this server config. Fundamentally , I need to justify this fortify finding to be a false positive and bears no security risk to the posture of the OS as well as to the workloads running on these instances.
Kindly help me out.
Steps to reproduce the issue:
Describe the results you received:
Describe the results you expected:
Additional information you deem important (e.g. issue happens only occasionally):
The text was updated successfully, but these errors were encountered: