Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Docker Scout is flagging a false positive of CVE-2023-31047 on image #178

Closed
groovecoder opened this issue Mar 3, 2025 · 5 comments
Closed

Docker Scout is flagging a false positive of CVE-2023-31047 on image #178

groovecoder opened this issue Mar 3, 2025 · 5 comments
Assignees
@cdupuis
Labels
question Further information is requested

Comments

@groovecoder
Copy link

  1. Check out https://github.com/mozilla/fx-private-relay/tree/694fdcfb539b55f9fbe179fced570567c8a5f880 to get this Dockerfile and this requirements.txt file.
    • Note: the requirements.txt shows Django==4.2.19
  2. docker build -t relay .
  3. docker scout cves --only-severity critical local://relay:latest

Expected results:
No critical vulnerability

Actual results:
False positive on CVE-2023-31047 which affects Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1.

Running:

docker run --rm --entrypoint python relay -c "import django; print(django.get_version())"

returns:

4.2.19

which is not affected by CVE-2023-31047
@cdupuis cdupuis self-assigned this Mar 4, 2025
@cdupuis
Copy link
Collaborator

cdupuis commented Mar 4, 2025

@groovecoder, is this still happening for you?

I just tried following the steps you provided and ended up with a very clean image:

fx-private-relay on  HEAD (694fdcf) via  v18.20.7 via 🐍 v3.13.2 at 15:40:43
❯ docker build -t relay .
[+] Building 79.6s (18/18) FINISHED                                                                                                                             docker:desktop-linux
 => [internal] load build definition from Dockerfile                                                                                                                            0.0s
 => => transferring dockerfile: 1.43kB                                                                                                                                          0.0s
 => [internal] load metadata for docker.io/library/python:3.11                                                                                                                  0.4s
 => [internal] load .dockerignore                                                                                                                                               0.0s
 => => transferring context: 744B                                                                                                                                               0.0s
 => [ 1/13] FROM docker.io/library/python:3.11@sha256:68a8863d0625f42d47e0684f33ca02f19d6094ef859a8af237aaf645195ed477                                                          0.0s
 => => resolve docker.io/library/python:3.11@sha256:68a8863d0625f42d47e0684f33ca02f19d6094ef859a8af237aaf645195ed477                                                            0.0s
 => [internal] load build context                                                                                                                                               0.0s
 => => transferring context: 536.81kB                                                                                                                                           0.0s
 => CACHED [ 2/13] RUN pip install --no-cache --upgrade pip                                                                                                                     0.0s
 => CACHED [ 3/13] RUN groupadd --gid 10001 app &&     useradd -g app --uid 10001 --shell /usr/sbin/nologin --create-home --home-dir /app app                                   0.0s
 => CACHED [ 4/13] WORKDIR /app                                                                                                                                                 0.0s
 => [ 5/13] COPY --chown=app ./requirements.txt /app/requirements.txt                                                                                                           0.0s
 => [ 6/13] RUN pip install --no-cache -r requirements.txt                                                                                                                     65.5s
 => [ 7/13] COPY --chown=app . /app                                                                                                                                             0.2s
 => [ 8/13] RUN ln --symbolic /app/privaterelay/locales/fy-NL/ privaterelay/locales/fy                                                                                          0.1s
 => [ 9/13] RUN ln --symbolic /app/privaterelay/locales/sv-SE/ privaterelay/locales/sv                                                                                          0.3s
 => [10/13] RUN ln --symbolic /app/privaterelay/locales/pt-BR/ privaterelay/locales/pt                                                                                          0.1s
 => [11/13] RUN ln --symbolic /app/privaterelay/locales/es-ES/ privaterelay/locales/es                                                                                          0.1s
 => [12/13] COPY --chown=app .env-dist /app/.env                                                                                                                                0.0s
 => [13/13] RUN PHONES_ENABLED=True     API_DOCS_ENABLED=True     mkdir -p /app/staticfiles &&     python manage.py collectstatic --no-input -v 2                               1.1s
 => exporting to image                                                                                                                                                         11.5s
 => => exporting layers                                                                                                                                                         9.2s
 => => exporting manifest sha256:597451bc3d2ed902b1dd37fa4bad49addd44d76867d999af2645621099478173                                                                               0.0s
 => => exporting config sha256:df0737af6ffb7973a18242a9403a0b85e18a1e8ff6c20c1cd4c4150e4c3d6f02                                                                                 0.0s
 => => exporting attestation manifest sha256:21adb35f71f494d935b670a8c9317ddc070ad2a428103b5f3621531dad1f7e4e                                                                   0.0s
 => => exporting manifest list sha256:ac7e861bc204c3babae398645e06200abcceb70ffa678fae91777ad85443207e                                                                          0.0s
 => => naming to docker.io/library/relay:latest                                                                                                                                 0.0s
 => => unpacking to docker.io/library/relay:latest                                                                                                                              2.3s

View build details: docker-desktop://dashboard/build/desktop-linux/desktop-linux/uh9fz23egkvphuei137uc10x0
fx-private-relay on  HEAD (694fdcf) via  v18.20.7 via 🐍 v3.13.2 took 1m19s at 15:42:05
❯ docker scout cves --only-severity critical local://relay:latest
    ✓ Image stored for indexing
    ✓ Indexed 697 packages
    ✓ Provenance obtained from attestation
    ✓ No vulnerable package detected


## Overview

                    │               Analyzed Image
────────────────────┼──────────────────────────────────────────────
  Target            │  local://relay:latest
    digest          │  ac7e861bc204
    platform        │ linux/arm64/v8
    provenance      │ git@github.com:mozilla/fx-private-relay.git
                    │  694fdcfb539b55f9fbe179fced570567c8a5f880
    vulnerabilities │    0C     0H     0M     0L
    size            │ 524 MB
    packages        │ 697


## Packages and Vulnerabilities

  No vulnerable packages detected

@cdupuis cdupuis added the question Further information is requested label Mar 4, 2025
@groovecoder
Copy link
Author

Yes:

 lcrouch  (e) relay  …  fx-private-relay   main ✚ 1 … 1 ⚑ 23  git checkout 694fdcf
HEAD is now at 694fdcfb5 fix OPTS-1488: update Dockerfile to new base image
 lcrouch  (e) relay  …  fx-private-relay   694fdcfb5 ✚ 1 … 1 ⚑ 23  docker build -t relay .
[+] Building 18.2s (19/19) FINISHED                                                                                                                                                                                      docker:desktop-linux
 => [internal] load build definition from Dockerfile                                                                                                                                                                                     0.0s
 => => transferring dockerfile: 1.43kB                                                                                                                                                                                                   0.0s
 => [internal] load metadata for docker.io/library/python:3.11                                                                                                                                                                           0.6s
 => [auth] library/python:pull token for registry-1.docker.io                                                                                                                                                                            0.0s
 => [internal] load .dockerignore                                                                                                                                                                                                        0.0s
 => => transferring context: 744B                                                                                                                                                                                                        0.0s
 => [ 1/13] FROM docker.io/library/python:3.11@sha256:68a8863d0625f42d47e0684f33ca02f19d6094ef859a8af237aaf645195ed477                                                                                                                   0.0s
 => [internal] load build context                                                                                                                                                                                                        1.4s
 => => transferring context: 4.05MB                                                                                                                                                                                                      1.1s
 => CACHED [ 2/13] RUN pip install --no-cache --upgrade pip                                                                                                                                                                              0.0s
 => CACHED [ 3/13] RUN groupadd --gid 10001 app &&     useradd -g app --uid 10001 --shell /usr/sbin/nologin --create-home --home-dir /app app                                                                                            0.0s
 => CACHED [ 4/13] WORKDIR /app                                                                                                                                                                                                          0.0s
 => CACHED [ 5/13] COPY --chown=app ./requirements.txt /app/requirements.txt                                                                                                                                                             0.0s
 => CACHED [ 6/13] RUN pip install --no-cache -r requirements.txt                                                                                                                                                                        0.0s
 => [ 7/13] COPY --chown=app . /app                                                                                                                                                                                                      8.9s
 => [ 8/13] RUN ln --symbolic /app/privaterelay/locales/fy-NL/ privaterelay/locales/fy                                                                                                                                                   0.1s
 => [ 9/13] RUN ln --symbolic /app/privaterelay/locales/sv-SE/ privaterelay/locales/sv                                                                                                                                                   0.1s
 => [10/13] RUN ln --symbolic /app/privaterelay/locales/pt-BR/ privaterelay/locales/pt                                                                                                                                                   0.1s
 => [11/13] RUN ln --symbolic /app/privaterelay/locales/es-ES/ privaterelay/locales/es                                                                                                                                                   0.1s
 => [12/13] COPY --chown=app .env-dist /app/.env                                                                                                                                                                                         0.0s
 => [13/13] RUN PHONES_ENABLED=True     API_DOCS_ENABLED=True     mkdir -p /app/staticfiles &&     python manage.py collectstatic --no-input -v 2                                                                                        2.5s
 => exporting to image                                                                                                                                                                                                                   4.2s
 => => exporting layers                                                                                                                                                                                                                  4.2s
 => => writing image sha256:969c968aa30b82bd8290fd37de66c08b44878b3318723a5692504798c8230ad2                                                                                                                                             0.0s
 => => naming to docker.io/library/relay                                                                                                                                                                                                 0.0s

What's Next?
  View a summary of image vulnerabilities and recommendations → docker scout quickview
 lcrouch  (e) relay  …  fx-private-relay   694fdcfb5 ✚ 1 … 1 ⚑ 23  docker scout cves --only-severity critical local://relay:latest
    i New version 1.16.1 available (installed version is 1.6.3) at https://github.com/docker/scout-cli
    ✓ Image stored for indexing
    ✓ Indexed 786 packages
    ✗ Detected 1 vulnerable package with 1 vulnerability


## Overview

                    │       Analyzed Image
────────────────────┼──────────────────────────────
  Target            │  local://relay:latest
    digest          │  969c968aa30b
    platform        │ linux/arm64/v8
    vulnerabilities │    1C     0H     0M     0L
    size            │ 1.4 GB
    packages        │ 786


## Packages and Vulnerabilities

   1C     0H     0M     0L  django 3.2.16
pkg:pypi/django@3.2.16

    ✗ CRITICAL CVE-2023-31047 [Improper Input Validation]
      https://scout.docker.com/v/CVE-2023-31047
      Affected range : >=3.2a1
                     : <3.2.19
      Fixed version  : 3.2.19
      CVSS Score     : 9.3
      CVSS Vector    : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N



1 vulnerability found in 1 package
  LOW       0
  MEDIUM    0
  HIGH      0
  CRITICAL  1


What's Next?
  View base image update recommendations → docker scout recommendations local://relay:latest

@cdupuis
Copy link
Collaborator

cdupuis commented Mar 4, 2025

I wonder what is going on there:

mine:

=> => transferring context: 536.81kB 

    ✓ Indexed 697 packages

yours:

 => => transferring context: 4.05MB

    ✓ Indexed 786 packages

Could you also run the docker scout cves command with the --locations flag to see where this is coming from?

@groovecoder
Copy link
Author

Oooooh, it looks like I had an old .venv virtual env hanging out in my app directory with an older Django lib:

24: sha256:8e2b965f28c289a44269f8b1b96ba5f336e75ee0b19f9e2dd037d9db6e47ed36
/app/.venv/lib/python3.9/site-packages/Django-3.2.16.dist-info/METADATA (evident by)
/app/.venv/lib/python3.9/site-packages/Django-3.2.16.dist-info/RECORD (evident by)
/app/.venv/lib/python3.9/site-packages/Django-3.2.16.dist-info/top_level.txt (evident by)

When I removed that and re-built, the critical went away:

    ✓ Image stored for indexing
    ✓ Indexed 693 packages
    ✓ No vulnerable package detected


## Overview

                    │       Analyzed Image
────────────────────┼──────────────────────────────
  Target            │  local://relay:latest
    digest          │  ba709e1aebd5
    platform        │ linux/arm64/v8
    vulnerabilities │    0C     0H     0M     0L
    size            │ 1.4 GB
    packages        │ 693


## Packages and Vulnerabilities

  No vulnerable packages detected

Thanks for the help!

@cdupuis
Copy link
Collaborator

cdupuis commented Mar 4, 2025

Thanks for the help!

for sure, any time.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@cdupuis cdupuis

Labels
question Further information is requested
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@groovecoder @cdupuis