Azure / Azurite

A lightweight server clone of Azure Storage that simulates most of the commands supported by it with minimal dependencies
MIT License

Security failures on latest Docker image #445

Open jacek99 opened 4 years ago

jacek99 commented 4 years ago

The latest Docker image fails a Twistlock security scan due to multiple critical/high CVEs in it:

```
Scanning mcr.microsoft.com/azure-storage/azurite:latest...

Vulnerabilities

Image                                           ID                CVE                 Package            Version    Severity  Status                              CVSS
mcr.microsoft.com/azure-storage/azurite:latest  b20240710b5f4a1a  CVE-2019-14697      musl               1.1.20-r4  critical  fixed in 1.1.20-r5                  9.8
mcr.microsoft.com/azure-storage/azurite:latest  b20240710b5f4a1a  CVE-2019-15606      node               10.15.3    critical                                      9.8
mcr.microsoft.com/azure-storage/azurite:latest  b20240710b5f4a1a  CVE-2019-15605      node               10.15.3    critical                                      9.8
mcr.microsoft.com/azure-storage/azurite:latest  b20240710b5f4a1a  NODE-SECURITY-1184  https-proxy-agent  2.2.1      high      fixed in >=2.2.3                    7
mcr.microsoft.com/azure-storage/azurite:latest  b20240710b5f4a1a  CVE-2019-13173      fstream            1.0.11     high      fixed in >=1.0.12                   7.5
mcr.microsoft.com/azure-storage/azurite:latest  b20240710b5f4a1a  CVE-2019-15847      gcc                8.3.0-r0   high                                          7.5
mcr.microsoft.com/azure-storage/azurite:latest  b20240710b5f4a1a  CVE-2019-15604      node               10.15.3    high                                          7.5
mcr.microsoft.com/azure-storage/azurite:latest  b20240710b5f4a1a  CVE-2019-1549       openssl            1.1.1b-r1  medium    fixed in 1.1.1d-r0                  5.3
mcr.microsoft.com/azure-storage/azurite:latest  b20240710b5f4a1a  CVE-2019-1547       openssl            1.1.1b-r1  medium    fixed in 1.1.1d-r0                  4.7
mcr.microsoft.com/azure-storage/azurite:latest  b20240710b5f4a1a  CVE-2019-1551       openssl            1.1.1b-r1  medium    fixed in 1.1.1d-r2                  5.3
mcr.microsoft.com/azure-storage/azurite:latest  b20240710b5f4a1a  NODE-SECURITY-1427  bin-links          1.1.2      low       fixed in >=1.1.5                    1
mcr.microsoft.com/azure-storage/azurite:latest  b20240710b5f4a1a  NODE-SECURITY-1435  bin-links          1.1.2      low       fixed in >=1.1.5                    1
mcr.microsoft.com/azure-storage/azurite:latest  b20240710b5f4a1a  NODE-SECURITY-1438  bin-links          1.1.2      low       fixed in >=1.1.6                    1
mcr.microsoft.com/azure-storage/azurite:latest  b20240710b5f4a1a  NODE-SECURITY-1179  minimist           0.0.8      low       fixed in >=0.2.1 <1.0.0 || >=1.2.3  1
mcr.microsoft.com/azure-storage/azurite:latest  b20240710b5f4a1a  NODE-SECURITY-1084  mem                1.1.0      low       fixed in >=4.0.0                    1
mcr.microsoft.com/azure-storage/azurite:latest  b20240710b5f4a1a  NODE-SECURITY-1434  npm                6.4.1      low       fixed in >=6.13.3                   1
mcr.microsoft.com/azure-storage/azurite:latest  b20240710b5f4a1a  NODE-SECURITY-1436  npm                6.4.1      low       fixed in >=6.13.3                   1
mcr.microsoft.com/azure-storage/azurite:latest  b20240710b5f4a1a  NODE-SECURITY-1437  npm                6.4.1      low       fixed in >=6.13.4                   1
mcr.microsoft.com/azure-storage/azurite:latest  b20240710b5f4a1a  NODE-SECURITY-1179  minimist           1.2.0      low       fixed in >=0.2.1 <1.0.0 || >=1.2.3  1
mcr.microsoft.com/azure-storage/azurite:latest  b20240710b5f4a1a  CVE-2019-1552       openssl            1.1.1b-r1  low                                           3.3
mcr.microsoft.com/azure-storage/azurite:latest  b20240710b5f4a1a  CVE-2019-1563       openssl            1.1.1b-r1  low       fixed in 1.1.1d-r0                  3.7

Vulnerability threshold check results: FAIL

Compliance

Image                                           ID                Severity  Description
mcr.microsoft.com/azure-storage/azurite:latest  b20240710b5f4a1a  high      (CIS_Docker_CE_v1.1.0 - 4.1) Image should be created with a non-root user
mcr.microsoft.com/azure-storage/azurite:latest  b20240710b5f4a1a  high      Private keys stored in image
```

blueww commented 4 years ago

@jacek99 Thanks for reporting this issue! We will look into it.

XiaoningLiu commented 4 years ago

v3.8.0 updated the base Docker image to the latest, removed the testing private key from the Docker image, and removed execution permission when building the Docker image. Please check again.

I cannot access the Twistlock scan tool, so I couldn't get a latest scan report based on the latest build. Any suggestions for a replacement Docker image scan tool would be great.
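An added example, not part of this issue or of the Azurite project: a small Python threshold check over rows in the shape of the Twistlock report above, which is the kind of gate a CI pipeline would apply regardless of which scanner produced the rows. It separates findings that already have a "fixed in" version (an upgrade closes them) from those without one (such as the node 10.15.3 CVEs, which need a base image bump); the three sample rows are constructed copies of rows from the report, and the `fail_at` threshold is an assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One row of the flattened report: image, image ID, advisory, package,
# version, severity, an optional "fixed in <range>" status, and the CVSS score.
ROW = re.compile(
    r"^(?P<image>\S+)\s+(?P<id>\S+)\s+(?P<advisory>\S+)\s+(?P<package>\S+)\s+"
    r"(?P<version>\S+)\s+(?P<severity>critical|high|medium|low)\s+"
    r"(?:fixed in (?P<fix>.+?)\s+)?(?P<cvss>\d+(?:\.\d+)?)$"
)
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Finding:
    advisory: str
    package: str
    version: str
    severity: str
    fix: Optional[str]  # None when the scanner lists no fixed version
    cvss: float


def parse_report(text: str) -> List[Finding]:
    """Parse every line that matches the row layout; other lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            findings.append(Finding(m["advisory"], m["package"], m["version"],
                                    m["severity"], m["fix"], float(m["cvss"])))
    return findings


def threshold_check(findings: List[Finding], fail_at: str = "high"
                    ) -> Tuple[bool, List[Finding], List[Finding]]:
    """Return (passed, fixable, unfixable) for findings at or above fail_at."""
    blocking = [f for f in findings
                if SEVERITY_RANK[f.severity] >= SEVERITY_RANK[fail_at]]
    fixable = [f for f in blocking if f.fix]
    unfixable = [f for f in blocking if not f.fix]
    return (not blocking, fixable, unfixable)


# Constructed sample: three rows in the same layout as the report in the issue.
SAMPLE = """\
mcr.microsoft.com/azure-storage/azurite:latest b20240710b5f4a1a CVE-2019-14697 musl 1.1.20-r4 critical fixed in 1.1.20-r5 9.8
mcr.microsoft.com/azure-storage/azurite:latest b20240710b5f4a1a CVE-2019-15606 node 10.15.3 critical 9.8
mcr.microsoft.com/azure-storage/azurite:latest b20240710b5f4a1a NODE-SECURITY-1179 minimist 0.0.8 low fixed in >=0.2.1 <1.0.0 || >=1.2.3 1
"""

if __name__ == "__main__":
    passed, fixable, unfixable = threshold_check(parse_report(SAMPLE))
    print("PASS" if passed else "FAIL",
          "upgrade:", [f.advisory for f in fixable],
          "needs new base image:", [f.advisory for f in unfixable])
```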