Azure / Azurite

A lightweight server clone of Azure Storage that simulates most of the commands supported by it with minimal dependencies
MIT License

Docker image fails with multiple critical CVSS vulnerabilities #388

Open jacek99 opened 4 years ago

jacek99 commented 4 years ago

We tried importing the Docker Azurite image, but our security tool (Twistlock) scanned it for vulnerabilities and rejected the image:

Scanning mcr.microsoft.com/azure-storage/azurite...
Vulnerabilities
---------------
Image                                             ID                  CVE                   Package              Version      Severity    Status                CVSS
-----                                             --                  ---                   -------              -------      --------    ------                ----
mcr.microsoft.com/azure-storage/azurite:latest    986b74f03e8233a2    CVE-2019-14697        musl                 1.1.20-r4    critical    fixed in 1.1.20-r5    9.8
mcr.microsoft.com/azure-storage/azurite:latest    986b74f03e8233a2    NODE-SECURITY-1184    https-proxy-agent    2.2.1        high        fixed in >=2.2.3      7
mcr.microsoft.com/azure-storage/azurite:latest    986b74f03e8233a2    CVE-2019-15847        gcc                  8.3.0-r0     high                              7.5
mcr.microsoft.com/azure-storage/azurite:latest    986b74f03e8233a2    CVE-2019-13173        fstream              1.0.11       high        fixed in >=1.0.12     7.5
mcr.microsoft.com/azure-storage/azurite:latest    986b74f03e8233a2    CVE-2019-1549         openssl              1.1.1b-r1    medium      fixed in 1.1.1d-r0    5
mcr.microsoft.com/azure-storage/azurite:latest    986b74f03e8233a2    CVE-2019-1563         openssl              1.1.1b-r1    medium      fixed in 1.1.1d-r0    4.3
mcr.microsoft.com/azure-storage/azurite:latest    986b74f03e8233a2    CVE-2019-1547         openssl              1.1.1b-r1    low         fixed in 1.1.1d-r0    1.9
mcr.microsoft.com/azure-storage/azurite:latest    986b74f03e8233a2    CVE-2019-1552         openssl              1.1.1b-r1    low                               3.3
mcr.microsoft.com/azure-storage/azurite:latest    986b74f03e8233a2    NODE-SECURITY-1084    mem                  1.1.0        low         fixed in >=4.0.0      1
mcr.microsoft.com/azure-storage/azurite:latest    986b74f03e8233a2    NODE-SECURITY-1436    npm                  6.4.1        low         fixed in >=6.13.3     1
mcr.microsoft.com/azure-storage/azurite:latest    986b74f03e8233a2    NODE-SECURITY-1437    npm                  6.4.1        low         fixed in >=6.13.4     1
mcr.microsoft.com/azure-storage/azurite:latest    986b74f03e8233a2    NODE-SECURITY-1427    bin-links            1.1.2        low         fixed in >=1.1.5      1
mcr.microsoft.com/azure-storage/azurite:latest    986b74f03e8233a2    NODE-SECURITY-1435    bin-links            1.1.2        low         fixed in >=1.1.5      1
mcr.microsoft.com/azure-storage/azurite:latest    986b74f03e8233a2    NODE-SECURITY-1438    bin-links            1.1.2        low         fixed in >=1.1.6      1
mcr.microsoft.com/azure-storage/azurite:latest    986b74f03e8233a2    NODE-SECURITY-1434    npm                  6.4.1        low         fixed in >=6.13.3     1
Vulnerability threshold check results: FAIL

Compliance
----------
Image                                             ID                  Severity    Description
-----                                             --                  --------    -----------
mcr.microsoft.com/azure-storage/azurite:latest    986b74f03e8233a2    high        (CIS_Docker_CE_v1.1.0 - 4.1) Image should be created with a non-root user
mcr.microsoft.com/azure-storage/azurite:latest    986b74f03e8233a2    high        Private keys stored in image
************************************************************************************************************

Please correct the critical vulnerabilities and issues in the image.

XiaoningLiu commented 4 years ago

Thanks for reporting! It seems we should update the base image used by our docker build. Before we update the official image, you can try to build your own and update the base image in the Dockerfile we use.

Is the tool Twistlock open source? We'd like to integrate tools into our release pipeline to do automatic checks in the future.

skharab-anaplan commented 3 years ago

Hi @XiaoningLiu. Though it's an old issue and the versions are older as well, I am trying to build the azurite container with 3.14.0 and I can see one critical, one high and one medium vulnerability in the latest scan by trivy. Can you please suggest what can be done, as our build tool is rejecting this due to these vulnerabilities and it's critical for us to get these resolved. The security team has suggested that we raise this with the official maintainer rather than suppress it in the pipeline.

Command used: trivy image --ignore-unfixed mcr.microsoft.com/azure-storage/azurite:3.14.0

image scan.txt
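As an added example (not code from Azurite, Twistlock or trivy), here is a small release gate over the scan table posted in the first comment: it parses the Twistlock rows, counts them by severity, and lists the findings that should block a release, with an `ignore_unfixed` option that mirrors the trivy `--ignore-unfixed` flag used in the later scan. The sample rows are constructed from the table above, and the regex assumes the column layout shown there (Status is the only column that can contain spaces).

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample: four of the rows posted in the issue, same column layout.
SAMPLE_SCAN = """\
Image                                             ID                  CVE                   Package              Version      Severity    Status                CVSS
-----                                             --                  ---                   -------              -------      --------    ------                ----
mcr.microsoft.com/azure-storage/azurite:latest    986b74f03e8233a2    CVE-2019-14697        musl                 1.1.20-r4    critical    fixed in 1.1.20-r5    9.8
mcr.microsoft.com/azure-storage/azurite:latest    986b74f03e8233a2    NODE-SECURITY-1184    https-proxy-agent    2.2.1        high        fixed in >=2.2.3      7
mcr.microsoft.com/azure-storage/azurite:latest    986b74f03e8233a2    CVE-2019-15847        gcc                  8.3.0-r0     high                              7.5
mcr.microsoft.com/azure-storage/azurite:latest    986b74f03e8233a2    CVE-2019-1549         openssl              1.1.1b-r1    medium      fixed in 1.1.1d-r0    5
"""

# One table row: every column is a single token except Status, which is either
# blank or the literal "fixed in <version>", so the optional group is unambiguous.
ROW = re.compile(
    r"^(?P<image>\S+)\s+(?P<id>\S+)\s+(?P<cve>\S+)\s+(?P<package>\S+)\s+"
    r"(?P<version>\S+)\s+(?P<severity>\S+)\s+"
    r"(?:fixed in (?P<fixed_in>\S+)\s+)?(?P<cvss>\d+(?:\.\d+)?)$"
)


@dataclass(frozen=True)
class Finding:
    cve: str
    package: str
    version: str
    severity: str
    fixed_in: Optional[str]   # None when the scanner reports no fix yet
    cvss: float


def parse_scan(text: str) -> list[Finding]:
    """Parse the vulnerability table; an unknown line raises so nothing is silently skipped."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Image ", "-----")):
            continue  # column header and underline rows
        m = ROW.match(line)
        if m is None:
            raise ValueError(f"unparsable scan row: {line!r}")
        findings.append(Finding(m["cve"], m["package"], m["version"],
                                m["severity"].lower(), m["fixed_in"], float(m["cvss"])))
    return findings


def severity_counts(findings: list[Finding]) -> dict[str, int]:
    return dict(Counter(f.severity for f in findings))


def blocking(findings, fail_on=("critical", "high"), ignore_unfixed=False) -> list[Finding]:
    """Findings that fail the gate. ignore_unfixed drops findings with no upstream fix,
    which a base-image or dependency bump cannot resolve anyway (trivy --ignore-unfixed)."""
    return [f for f in findings
            if f.severity in fail_on and not (ignore_unfixed and f.fixed_in is None)]
```

Running `blocking(parse_scan(SAMPLE_SCAN))` flags musl, https-proxy-agent and gcc; with `ignore_unfixed=True` the gcc row drops out because the scanner lists no fixed version for it.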

XiaoningLiu commented 3 years ago

Hi @skharab-anaplan, all 3 reported libraries are Azurite indirect dependencies.

The CRITICAL one for apk-tools should come from the base docker image we are using. This should be auto-resolved by Azurite's next docker image build and release.

The other 2 require a dependency version bump in package.json. Just checking if you or others want to make a quick contribution?

skharab-anaplan commented 3 years ago

I will be more than happy to do that. Let me create a PR for that. Are there any docs that I need to follow?