Automate Docker images vulnerability scanning #1531

Closed
nodiscc opened this issue Aug 31, 2020 · 10 comments · Fixed by #2047
Labels
docker containers & cloud enhancement security tools developer tools
Comments

nodiscc (Member) commented Aug 31, 2020

@nodiscc nodiscc added enhancement security tools developer tools docker containers & cloud labels Aug 31, 2020
@nodiscc nodiscc added this to the 1.0.0 milestone Sep 12, 2020
nodiscc (Member, Author) commented Sep 20, 2020

I have set up container scanning for Shaarli Docker images (only the amd64 image for now) on our GitLab mirror: https://gitlab.com/shaarli/Shaarli/-/merge_requests/1146/diffs

Scans report no vulnerabilities: https://gitlab.com/shaarli/Shaarli/-/pipelines?page=1&scope=all&ref=docker-image-scan

I don't remember where we discussed this in the first place; weren't there reports that the image had some vulnerabilities? Now we need to investigate whether:

  • this is a false negative caused by wrong pipeline configuration
  • this is a false negative caused by the tool itself (GitLab CI uses the Clair scanner), its vulnerability sources (probably https://secdb.alpinelinux.org/ ?) or incomplete scanning (define what components we need to check)
  • the results are correct and Shaarli images have no known vulnerability :)

@immanuelfodor commented:

Hi, it was in this PR, you can still find the report there: #1505

@ArthurHoaro (Member) commented:

Using trivy, the tool suggested by Immanuel, I still get a bunch of vulnerabilities from our yarn.lock.
This tool is very easy to use locally btw! :)

 ➜ trivy shaarli/shaarli:master                 
2020-09-22T15:49:39.350+0200    INFO    Need to update DB
2020-09-22T15:49:39.352+0200    INFO    Downloading DB...
18.56 MiB / 18.56 MiB [--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 14.55 MiB p/s 1s
2020-09-22T15:49:44.686+0200    INFO    Detecting Alpine vulnerabilities...
2020-09-22T15:49:44.690+0200    INFO    Detecting php vulnerabilities...
2020-09-22T15:49:44.691+0200    INFO    Detecting nodejs vulnerabilities...
2020-09-22T15:49:44.699+0200    WARN    This OS version is no longer supported by the distribution: alpine 3.8.5
2020-09-22T15:49:44.699+0200    WARN    The vulnerability detection may be insufficient because security updates are not provided

shaarli/shaarli:master (alpine 3.8.5)
=====================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


var/www/shaarli/composer.lock
=============================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


var/www/shaarli/yarn.lock
=========================
Total: 17 (UNKNOWN: 0, LOW: 4, MEDIUM: 9, HIGH: 4, CRITICAL: 0)

+--------------+---------------------+----------+-------------------+------------------------+--------------------------------+
|   LIBRARY    |  VULNERABILITY ID   | SEVERITY | INSTALLED VERSION |     FIXED VERSION      |             TITLE              |
+--------------+---------------------+----------+-------------------+------------------------+--------------------------------+
| acorn        | GHSA-6chw-6frg-f759 | MEDIUM   | 5.7.3             | 5.7.4, 7.1.1, 6.4.1    | Regular Expression Denial of   |
|              |                     |          |                   |                        | Service in Acorn               |
+--------------+---------------------+          +-------------------+------------------------+--------------------------------+
| elliptic     | CVE-2020-13822      |          | 6.4.1             | 6.5.3                  | nodejs-elliptic: improper      |
|              |                     |          |                   |                        | encoding checks allows a       |
|              |                     |          |                   |                        | certain degree of signature    |
|              |                     |          |                   |                        | malleability in...             |
+--------------+---------------------+----------+-------------------+------------------------+--------------------------------+
| js-yaml      | GHSA-8j8c-7jfh-h6hx | HIGH     | 3.7.0             | 3.13.1                 | Code Injection in js-yaml      |
+              +---------------------+----------+                   +------------------------+--------------------------------+
|              | GHSA-2pr6-76vf-7546 | MEDIUM   |                   | 3.13.0                 | Denial of Service in js-yaml   |
+--------------+---------------------+          +-------------------+------------------------+--------------------------------+
| kind-of      | CVE-2019-20149      |          | 6.0.2             | 6.0.3                  | Validation Bypass in kind-of   |
+--------------+---------------------+----------+-------------------+------------------------+--------------------------------+
| lodash       | NSWG-ECO-516        | HIGH     | 4.17.15           | >=4.17.19              | Allocation of Resources        |
|              |                     |          |                   |                        | Without Limits or Throttling   |
+              +---------------------+----------+                   +------------------------+--------------------------------+
|              | CVE-2020-8203       | MEDIUM   |                   | 4.17.19                | nodejs-lodash: prototype       |
|              |                     |          |                   |                        | pollution in zipObjectDeep     |
|              |                     |          |                   |                        | function                       |
+--------------+---------------------+----------+-------------------+------------------------+--------------------------------+
| mem          | GHSA-4xcv-9jjx-gfj3 | LOW      | 1.1.0             | 4.0.0                  | Denial of Service in mem       |
+--------------+---------------------+----------+-------------------+------------------------+--------------------------------+
| minimist     | CVE-2020-7598       | MEDIUM   | 1.2.0             | 1.2.3, 0.2.1           | nodejs-minimist: prototype     |
|              |                     |          |                   |                        | pollution allows adding        |
|              |                     |          |                   |                        | or modifying properties of     |
|              |                     |          |                   |                        | Object.prototype using a...    |
+              +                     +          +-------------------+                        +                                +
|              |                     |          | 0.0.8             |                        |                                |
|              |                     |          |                   |                        |                                |
|              |                     |          |                   |                        |                                |
|              |                     |          |                   |                        |                                |
+              +                     +          +-------------------+                        +                                +
|              |                     |          | 1.1.3             |                        |                                |
|              |                     |          |                   |                        |                                |
|              |                     |          |                   |                        |                                |
|              |                     |          |                   |                        |                                |
+              +---------------------+          +-------------------+------------------------+--------------------------------+
|              | GHSA-7fhm-mqm4-2wp7 |          | 0.0.8             | 0.2.1                  | Withdrawn: ESLint dependencies |
|              |                     |          |                   |                        | are vulnerable (ReDoS and      |
|              |                     |          |                   |                        | Prototype Pollution)           |
+--------------+---------------------+----------+-------------------+------------------------+--------------------------------+
| node-sass    | GHSA-9v62-24cr-58cx | LOW      | 4.12.0            | 4.13.1                 | Denial of Service in node-sass |
+--------------+---------------------+----------+-------------------+------------------------+--------------------------------+
| set-value    | CVE-2019-10747      | HIGH     | 0.4.3             | 3.0.1, 2.0.1           | nodejs-set-value: prototype    |
|              |                     |          |                   |                        | pollution in function          |
|              |                     |          |                   |                        | set-value                      |
+              +                     +          +-------------------+                        +                                +
|              |                     |          | 2.0.0             |                        |                                |
|              |                     |          |                   |                        |                                |
|              |                     |          |                   |                        |                                |
+--------------+---------------------+----------+-------------------+------------------------+--------------------------------+
| yargs-parser | GHSA-p9pc-299p-vxgp | LOW      | 5.0.0             | 18.1.2, 15.0.1, 13.1.2 | Prototype Pollution in         |
|              |                     |          |                   |                        | yargs-parser                   |
+              +                     +          +-------------------+                        +                                +
|              |                     |          | 7.0.0             |                        |                                |
|              |                     |          |                   |                        |                                |
+--------------+---------------------+----------+-------------------+------------------------+--------------------------------+

ArthurHoaro added a commit to ArthurHoaro/Shaarli that referenced this issue Sep 22, 2020
Mostly in order to get rid of deprecated deps, and upgrade vulnerable ones.

  - Upgrade webpack from 3.x to 4.x
  - Moved babel package to main repo
  - Replaced deprecated extract-text-webpack-plugin with extract-text-webpack-plugin
  - Replaced deprecated babel-minify-webpack-plugin with terser-webpack-plugin
  - Replaced deprecated node-sass with (dart) sass package
  - Replaced deprecated sass-lint with stylelint (the rules might be a bit different)

Related to shaarli#1531: trivy doesn't raise any more issues
@immanuelfodor commented:

I retested the image after I rebuilt my Docker image with plugins added over shaarli/shaarli:master, and no vulnerabilities were found this time. It seems #1561 fixed them all.

nodiscc (Member, Author) commented Oct 4, 2020

Trivy runs much more extensive tests than Clair. I'll have a look at adding it to the Travis CI pipeline.

nodiscc (Member, Author) commented Nov 22, 2020

https://hub.docker.com/repository/docker/shaarli/shaarli ->

[image: screenshot of the Docker Hub repository page, not captured in this extract]

In the meantime, should we enable it?

@ArthurHoaro (Member) commented:

It's not available in the free tier.

@nodiscc nodiscc self-assigned this May 25, 2021
nodiscc added a commit to nodiscc/Shaarli that referenced this issue May 2, 2023
- run trivy from makefile so that it can be run both locally and through github actions
- usage: make test_trivy TRIVY_TARGET_DOCKER_IMAGE=regist.ry/user/image:tag
- tested by downgrading the base image to alpine 3.15.7 and verifying that vulnerabilities are reported (https://github.com/nodiscc/Shaarli/actions/runs/4860040980/jobs/8663400103)
- TEMP/TESTING only push image to ghcr.io, run trivy on trivy branch/docker tag as well as master
- ref. shaarli#1531
nodiscc (Member, Author) commented May 2, 2023

PR #1980 mostly fixes this by running trivy vulnerability scanner on the Docker image built from master. Possible improvements:

  • cache downloaded trivy tarball (35MB) to speed up build times?
  • run trivy periodically on the latest release image?
  • exit with error when vulnerabilities are found (currently the build log needs to be checked manually)

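The third improvement listed above (make the job exit with an error instead of leaving the build log to be read by hand) comes down to deciding an exit status from trivy's findings. The script below is an added example, not Shaarli's own Makefile target or GitHub Actions workflow: it runs `trivy image --format json` (trivy must be on PATH; the flags used are trivy's real ones, and `--exit-code 0` keeps trivy itself from deciding the status), counts findings per severity across every scanned target (OS packages and the composer/yarn lockfiles alike), and exits 1 only when HIGH or CRITICAL findings exist and `--fail` was requested. Without `--fail` it stays report-only, which is the split between a per-push informational job and a periodic failing one. The embedded sample report is constructed for the offline demonstration; its entries are modelled on trivy's JSON schema and on findings quoted in the thread.

```python
"""Gate a CI job on trivy findings (added example, not Shaarli project code)."""
import json
import subprocess
import sys
from collections import Counter

SEVERITIES = ("UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL")


def run_trivy(image):
    """Scan IMAGE with trivy (assumed to be on PATH) and return the parsed JSON report."""
    # --exit-code 0 makes trivy always return success; this script decides the job status.
    proc = subprocess.run(
        ["trivy", "image", "--quiet", "--format", "json", "--exit-code", "0", image],
        check=True, capture_output=True, text=True,
    )
    return json.loads(proc.stdout)


def summarize(report):
    """Count vulnerabilities per severity over all targets in a trivy JSON report."""
    counts = Counter({s: 0 for s in SEVERITIES})
    for result in report.get("Results", []):
        # Targets with no findings carry a null/missing "Vulnerabilities" key.
        for vuln in result.get("Vulnerabilities") or []:
            counts[vuln.get("Severity", "UNKNOWN")] += 1
    return dict(counts)


def exit_code_for(counts, fail_on=("HIGH", "CRITICAL"), fail=True):
    """Return 1 when a finding at or above the threshold exists and failing is enabled, else 0."""
    if not fail:
        return 0
    return 1 if any(counts.get(s, 0) for s in fail_on) else 0


def format_findings(report):
    """One human-readable line per finding, for the build log."""
    lines = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            lines.append(
                f"{result['Target']}: {v['PkgName']} {v['InstalledVersion']} "
                f"{v['VulnerabilityID']} [{v['Severity']}] fixed in {v.get('FixedVersion') or 'n/a'}"
            )
    return lines


# Constructed sample report (shape follows trivy's JSON output; findings taken from the thread).
SAMPLE_REPORT = {
    "SchemaVersion": 2,
    "ArtifactName": "shaarli/shaarli:master",
    "Results": [
        {"Target": "shaarli/shaarli:master (alpine 3.8.5)", "Class": "os-pkgs",
         "Type": "alpine", "Vulnerabilities": None},
        {"Target": "var/www/shaarli/yarn.lock", "Class": "lang-pkgs", "Type": "yarn",
         "Vulnerabilities": [
             {"VulnerabilityID": "GHSA-8j8c-7jfh-h6hx", "PkgName": "js-yaml",
              "InstalledVersion": "3.7.0", "FixedVersion": "3.13.1", "Severity": "HIGH",
              "Title": "Code Injection in js-yaml"},
             {"VulnerabilityID": "CVE-2020-8203", "PkgName": "lodash",
              "InstalledVersion": "4.17.15", "FixedVersion": "4.17.19", "Severity": "MEDIUM",
              "Title": "nodejs-lodash: prototype pollution in zipObjectDeep function"},
             {"VulnerabilityID": "GHSA-4xcv-9jjx-gfj3", "PkgName": "mem",
              "InstalledVersion": "1.1.0", "FixedVersion": "4.0.0", "Severity": "LOW",
              "Title": "Denial of Service in mem"},
         ]},
    ],
}


if __name__ == "__main__":
    # usage: python trivy_gate.py [IMAGE] [--fail]
    # Without IMAGE the constructed sample is used so the script can be tried offline.
    positional = [a for a in sys.argv[1:] if not a.startswith("--")]
    report = run_trivy(positional[0]) if positional else SAMPLE_REPORT
    counts = summarize(report)
    print("\n".join(format_findings(report)))
    print("Total per severity:", counts)
    sys.exit(exit_code_for(counts, fail="--fail" in sys.argv))
```

In a Makefile the two modes map to `make test_trivy` (no `--fail`, informational on each push) and a scheduled job that passes `--fail`; the severity threshold is a parameter so that LOW/MEDIUM findings, which dominated the yarn.lock report above, do not block a release on their own.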
nodiscc added a commit to nodiscc/Shaarli that referenced this issue Jun 30, 2023
…poser.lock)

- run scan on each push/pull request update
- can be run locally using make test_trivy_repo
- exit with error code 0/success when vulnerabilities are found, so as not to make the workflow fail; a separate periodic run that exits with code 1 should be added in parallel
- update trivy to v0.43.0
- https://github.com/aquasecurity/trivy/releases/tag/v0.43.0
- also consider TRIVY_EXIT_CODE when running trivy on the latest docker image
- ref. shaarli#1531
nodiscc added a commit to nodiscc/Shaarli that referenced this issue Nov 26, 2023
…e, composer/yarn dependencies

- add badge to README
- any time a new vulnerability is found by this workflow, it means it is probably time to update Shaarli's base docker image and perform a new release, and/or update npm dependencies (npm audit fix) or composer dependencies (composer update)
- similar jobs already exist in the pipeline for master/latest docker image but will not raise an error
- fixes shaarli#1531
@nodiscc nodiscc modified the milestones: 1.0.0, 0.14.0 Nov 26, 2023
@nodiscc nodiscc removed their assignment Nov 26, 2023
nodiscc (Member, Author) commented Nov 26, 2023

> run trivy periodically on the latest release image?

#2047

nodiscc (Member, Author) commented Dec 3, 2023

A daily security scan is now in place; its status will be displayed in the README through a badge.

As expected it is currently failing, #2050 should improve this.
