1Password / connect

Access your 1Password secrets using a 1Password Connect Server
https://developer.1password.com/docs/connect

Upgrade container image with included dependencies #80

Open rwenz3l opened 5 months ago

rwenz3l commented 5 months ago

As mentioned in #79, I found that the containers are quite old and use Debian 11.7 and Go 1.20.6.

It would be very much appreciated if you could upgrade the container image itself, as well as the used toolchain for it, mainly for security reasons.

Go 1.22 is now released, which marks 1.20 as no longer supported. I'm sure there are also a bunch of dependencies used with the connect-server which may contain vulnerabilities.

The Docker image appears to be using a Debian base image at version 11.7; 11.8 was released in October 2023.

onedr0p commented 1 month ago

@jpcoenen @ag-adampike @verkaufer any chance someone from the 1password team can take a look at this!?

onedr0p commented 4 weeks ago

I scanned the docker image with trivy and discovered this

1password/connect-api:1.7.2 (debian 11.7)
Total: 29 (UNKNOWN: 0, LOW: 11, MEDIUM: 15, HIGH: 3, CRITICAL: 0)

    bin/connect-api (gobinary)
    Total: 21 (UNKNOWN: 0, LOW: 0, MEDIUM: 16, HIGH: 4, CRITICAL: 1)

1password/connect-sync:1.7.2 (debian 11.7)
Total: 29 (UNKNOWN: 0, LOW: 11, MEDIUM: 15, HIGH: 3, CRITICAL: 0)

    bin/connect-sync (gobinary)
    Total: 20 (UNKNOWN: 0, LOW: 0, MEDIUM: 15, HIGH: 4, CRITICAL: 1)

There are quite a few of these that could be resolved by updating deps. Also, I don't see why these containers cannot use scratch or distroless images instead of Debian, which would lessen the attack surface.

Will the 1Password team ever address these vulnerabilities?
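Added example, not from this thread or from 1Password: a small Python gate over Trivy's JSON report (`trivy image --format json`) that reproduces the per-target severity totals quoted above and fails only on HIGH/CRITICAL findings that a dependency or base-image bump can fix, which is the class of finding the comment says an update would resolve. The report embedded below is constructed; the CVE IDs, package names and versions are placeholders.

```python
import json
from collections import Counter

SEVERITIES = ("UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL")

# Constructed sample in the shape of `trivy image --format json` output.
# IDs, package names and versions are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "example/connect-api:1.7.2",
    "Results": [
        {"Target": "example/connect-api:1.7.2 (debian 11.7)", "Class": "os-pkgs",
         "Type": "debian", "Vulnerabilities": [
             {"VulnerabilityID": "CVE-XXXX-0001", "PkgName": "pkg-a",
              "InstalledVersion": "1.0", "FixedVersion": "", "Severity": "LOW"},
             {"VulnerabilityID": "CVE-XXXX-0002", "PkgName": "pkg-b",
              "InstalledVersion": "2.0", "FixedVersion": "", "Severity": "HIGH"}]},
        {"Target": "bin/connect-api", "Class": "lang-pkgs", "Type": "gobinary",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-XXXX-0003", "PkgName": "stdlib",
              "InstalledVersion": "1.20.6", "FixedVersion": "1.20.7", "Severity": "CRITICAL"},
             {"VulnerabilityID": "CVE-XXXX-0004", "PkgName": "example.org/mod",
              "InstalledVersion": "v0.1.0", "FixedVersion": "v0.2.0", "Severity": "MEDIUM"}]},
    ],
})

def summarize(report_json):
    """Per-target severity counts and how many findings have a fix available."""
    summary = {}
    for result in json.loads(report_json).get("Results", []):
        vulns = result.get("Vulnerabilities") or []  # key is absent when a target is clean
        counts = Counter(v.get("Severity", "UNKNOWN") for v in vulns)
        summary[result["Target"]] = {
            "type": result.get("Type"),
            "total": len(vulns),
            "counts": {s: counts.get(s, 0) for s in SEVERITIES},
            "fixable": sum(1 for v in vulns if v.get("FixedVersion")),
        }
    return summary

def blocking_findings(report_json, fail_on=("HIGH", "CRITICAL"), fixable_only=True):
    """Findings that should fail the build: by default only HIGH/CRITICAL ones a
    dependency or base-image bump can fix (FixedVersion set); unfixable ones
    still appear in summarize() but do not block."""
    blocked = []
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            if v.get("Severity") in fail_on and (v.get("FixedVersion") or not fixable_only):
                blocked.append((result["Target"], v["VulnerabilityID"], v["PkgName"]))
    return blocked
```

Run `blocking_findings(open("report.json").read())` in CI and exit non-zero when the list is non-empty; pass `fixable_only=False` to block on unfixable findings as well.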

onedr0p commented 4 weeks ago

cc @ag-rdoucette

rwenz3l commented 4 weeks ago

There has been no activity in this repository for quite a while. I feel like the people at 1Password are simply focusing on other things. I'm not sure how many people have this deployed, but IMO it's a security risk running this as it is today. I stopped bothering with the connector due to the inactivity and use vault instead.

onedr0p commented 4 weeks ago

Yeah, I got that impression as well. It's a bummer they ignore this and are flaky at supporting their OSS projects overall. Hopefully something changes and they have time to focus on their public-facing projects someday.

edif2008 commented 3 weeks ago

Hey folks! 👋🏻

Thank you for your patience and for expressing your concerns.

I'm happy to announce that we've just released Connect 1.7.3, which updates the dependencies and the images used to build Connect. Let me know if you have any other questions.

onedr0p commented 3 weeks ago

Thanks @edif2008 and team!