Cingulara / openrmf-docs

Documentation on the OpenRMF application, including scripts to run the whole stack as well as just infrastructure with documentation on using the tool.
https://www.openrmf.io/
GNU General Public License v3.0

[BUG] Twistlock Vulnerability scan found multiple vulnerabilities to fix #295

Closed DaleBinghamSoteriaSoft closed 2 years ago

DaleBinghamSoteriaSoft commented 2 years ago

Describe the bug
Attached and below are details from a Twistlock scan of the OpenRMF ISS 1.8.1 container. This is a standard part of getting containers approved for deployment in our devsecops pipeline. There's potential for admin/policy mitigation for some, maybe all, but any support from the development team to address the findings is welcomed.

To Reproduce
Scan the containers thoroughly.

Expected behavior
Cleaner scans including OS level information for Debian in the MS containers.

Additional context
It looks like a good chunk of them are duplicative and may be remediated by updating the base container image from debian 9 to debian 9 update 1.

Vulnerabilities found for image registry.tools.devops.ndev.jido.mil/cingulara/openrmf-api-audit:1.05.01: total - 18, critical - 3, high - 15, medium - 0, low - 0
Vulnerabilities found for image registry.tools.devops.ndev.jido.mil/cingulara/mongo:4.4.4-nonroot: total - 46, critical - 4, high - 42, medium - 0, low - 0
Vulnerabilities found for image registry.tools.devops.ndev.jido.mil/cingulara/openrmf-msg-audit:1.03.00: total - 14, critical - 1, high - 13, medium - 0, low - 0
Vulnerabilities found for image registry.tools.devops.ndev.jido.mil/cingulara/openrmf-msg-checklist:1.03.00: total - 14, critical - 1, high - 13, medium - 0, low - 0
Vulnerabilities found for image registry.tools.devops.ndev.jido.mil/cingulara/openrmf-api-compliance:1.05.01: total - 18, critical - 3, high - 15, medium - 0, low - 0
Vulnerabilities found for image registry.tools.devops.ndev.jido.mil/cingulara/openrmf-msg-compliance:1.03.00: total - 14, critical - 1, high - 13, medium - 0, low - 0
Vulnerabilities found for image registry.tools.devops.ndev.jido.mil/cingulara/openrmf-api-controls:1.05.01: total - 18, critical - 3, high - 15, medium - 0, low - 0
Vulnerabilities found for image registry.tools.devops.ndev.jido.mil/cingulara/openrmf-msg-controls:1.04.00: total - 14, critical - 1, high - 13, medium - 0, low - 0
Vulnerabilities found for image registry.tools.devops.ndev.jido.mil/library/postgres:11.5: total - 126, critical - 27, high - 99, medium - 0, low - 0
Vulnerabilities found for image registry.tools.devops.ndev.jido.mil/library/nats:2.1.9: total - 20, critical - 2, high - 18, medium - 0, low - 0
Vulnerabilities found for image registry.tools.devops.ndev.jido.mil/synadia/prometheus-nats-exporter:0.6.2: total - 21, critical - 2, high - 19, medium - 0, low - 0
Vulnerabilities found for image registry.tools.devops.ndev.jido.mil/cingulara/nats-client-metrics:1.0.1: total - 52, critical - 6, high - 46, medium - 0, low - 0
Vulnerabilities found for image registry.tools.devops.ndev.jido.mil/cingulara/openrmf-api-read:1.05.02: total - 18, critical - 3, high - 15, medium - 0, low - 0
Vulnerabilities found for image registry.tools.devops.ndev.jido.mil/cingulara/openrmf-api-report:1.05.01: total - 18, critical - 3, high - 15, medium - 0, low - 0
Vulnerabilities found for image registry.tools.devops.ndev.jido.mil/cingulara/openrmf-msg-reports:1.03.01: total - 18, critical - 3, high - 15, medium - 0, low - 0
Vulnerabilities found for image registry.tools.devops.ndev.jido.mil/cingulara/openrmf-api-save:1.05.01: total - 18, critical - 3, high - 15, medium - 0, low - 0
Vulnerabilities found for image registry.tools.devops.ndev.jido.mil/cingulara/openrmf-msg-score:1.04.00: total - 18, critical - 3, high - 15, medium - 0, low - 0
Vulnerabilities found for image registry.tools.devops.ndev.jido.mil/cingulara/openrmf-api-scoring:1.05.01: total - 18, critical - 3, high - 15, medium - 0, low - 0
Vulnerabilities found for image registry.tools.devops.ndev.jido.mil/cingulara/openrmf-msg-system:1.03.00: total - 18, critical - 3, high - 15, medium - 0, low - 0
Vulnerabilities found for image registry.tools.devops.ndev.jido.mil/cingulara/openrmf-api-template:1.05.04: total - 18, critical - 3, high - 15, medium - 0, low - 0
Vulnerabilities found for image registry.tools.devops.ndev.jido.mil/cingulara/openrmf-msg-template:1.03.00: total - 14, critical - 1, high - 13, medium - 0, low - 0
Vulnerabilities found for image registry.tools.devops.ndev.jido.mil/cingulara/openrmf-api-upload:1.05.01: total - 18, critical - 3, high - 15, medium - 0, low - 0
Vulnerabilities found for image registry.tools.devops.ndev.jido.mil/cingulara/openrmf-web:1.05.05: total - 29, critical - 5, high - 24, medium - 0, low - 0

openrmf-twistlock-scan-results.zip
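The per-image summary the scanner prints is what a pipeline gate actually acts on, and a console paste of it is often wrapped mid-record (the image name, the colon and the counts can each land on their own line). The script below is an added example, not part of this issue or of the OpenRMF project: it parses that summary shape into records, rejects a record whose severity counts do not add up to its total, and applies a simple "no critical, no high" policy. The sample text is constructed from a few of the records above, with two of them deliberately wrapped the way the paste was.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the shape of the Twistlock summary pasted into the
# issue; the mongo and nats records are wrapped mid-record on purpose.
SAMPLE_SCAN_SUMMARY = """\
Vulnerabilities found for image registry.tools.devops.ndev.jido.mil/cingulara/openrmf-api-audit:1.05.01: total - 18, critical - 3, high - 15, medium - 0, low - 0
Vulnerabilities found for image
registry.tools.devops.ndev.jido.mil/cingulara/mongo:4.4.4-nonroot: total -
46, critical - 4, high - 42, medium - 0, low - 0
Vulnerabilities found for image registry.tools.devops.ndev.jido.mil/cingulara/openrmf-api-compliance:1.05.01
: total - 18, critical - 3, high - 15, medium - 0, low - 0
Vulnerabilities found for image registry.tools.devops.ndev.jido.mil/library/nats:2.1.9: total - 20, critical
- 2, high - 18, medium - 0, low - 0
"""

# \s* between every token lets a line break fall anywhere the scanner prints
# whitespace. The image reference itself contains colons (registry/name:tag),
# so it is matched non-greedily up to the ": total" that ends it.
RECORD_RE = re.compile(
    r"Vulnerabilities found for image\s+(?P<image>\S+?)\s*:\s*"
    r"total\s*-\s*(?P<total>\d+)\s*,\s*critical\s*-\s*(?P<critical>\d+)\s*,\s*"
    r"high\s*-\s*(?P<high>\d+)\s*,\s*medium\s*-\s*(?P<medium>\d+)\s*,\s*"
    r"low\s*-\s*(?P<low>\d+)"
)

SEVERITIES = ("total", "critical", "high", "medium", "low")


@dataclass(frozen=True)
class ImageFindings:
    image: str
    total: int
    critical: int
    high: int
    medium: int
    low: int


def parse_scan_summary(text: str) -> List[ImageFindings]:
    """Parse every per-image record in a (possibly wrapped) scanner paste.

    A record whose per-severity counts do not sum to its total is rejected
    instead of being silently accepted, since it means the paste is damaged.
    """
    records = []
    for m in RECORD_RE.finditer(text):
        rec = ImageFindings(image=m["image"], **{k: int(m[k]) for k in SEVERITIES})
        if rec.critical + rec.high + rec.medium + rec.low != rec.total:
            raise ValueError(f"severity counts do not sum to total for {rec.image}")
        records.append(rec)
    return records


def failing_images(records: List[ImageFindings], max_critical: int = 0,
                   max_high: int = 0) -> List[ImageFindings]:
    """Images that breach the gate policy (default: no critical, no high)."""
    return [r for r in records if r.critical > max_critical or r.high > max_high]


def totals(records: List[ImageFindings]) -> Dict[str, int]:
    """Aggregate counts across every scanned image."""
    return {k: sum(getattr(r, k) for r in records) for k in SEVERITIES}


if __name__ == "__main__":
    recs = parse_scan_summary(SAMPLE_SCAN_SUMMARY)
    for r in sorted(recs, key=lambda r: (r.critical, r.high), reverse=True):
        print(f"{r.critical:>3} crit {r.high:>3} high  {r.image}")
    print("totals:", totals(recs))
    print("blocked by policy:", [r.image for r in failing_images(recs)])
```

Run with a real paste on stdin or a saved report and the sorted output gives a worst-first work list; the thresholds on failing_images are where a team encodes its approval policy rather than hard-coding zero.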

DaleBinghamSoteriaSoft commented 2 years ago

Based on this https://github.com/Cingulara/openrmf-docs/blob/develop/base-container-image/Dockerfile we are using 3.15.0 for the alpine base, and there is a 3.16.1 to test across the base image and then all the resulting final images. https://hub.docker.com/_/alpine?tab=tags

DaleBinghamSoteriaSoft commented 2 years ago

NGINX unprivileged also is at 1.23 so that should be updated https://github.com/Cingulara/openrmf-web/blob/master/Dockerfile

DaleBinghamSoteriaSoft commented 2 years ago

The other non-web non-NGINX containers use something like this https://github.com/Cingulara/openrmf-api-template/blob/develop/Dockerfile with the 1.04.00 base image getting the compiled code. So that has to be updated from above and then redone across all images.

DaleBinghamSoteriaSoft commented 2 years ago

Working these today as well as updates to the latest DISA templates.

DaleBinghamSoteriaSoft commented 2 years ago

alpine 3.16.2 is the latest base image on all components; NGINX: nginxinc/nginx-unprivileged:1.23-alpine
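The bump described across the last few comments (every component onto the alpine 3.16.2 base, the web image onto nginxinc/nginx-unprivileged:1.23-alpine) is the kind of change that drifts again unless something checks the FROM lines. The script below is an added example, not code from the OpenRMF repositories: it reads each Dockerfile's FROM lines, skips FROMs that only reference an earlier build stage, and flags any external base image whose tag differs from the expected pin. The two Dockerfiles it scans are constructed stand-ins, not the project's real ones; the expected-tag table is taken from the comment above.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample Dockerfiles (hypothetical, not the project's own files):
# a multi-stage build whose final stage still pins the older Alpine, and a
# web image already on the expected NGINX tag.
SAMPLE_DOCKERFILES: Dict[str, str] = {
    "openrmf-api-example/Dockerfile": """\
FROM mcr.microsoft.com/dotnet/sdk:6.0-alpine AS build
WORKDIR /src
COPY . .
RUN dotnet publish -c Release -o /app

FROM alpine:3.15.0
COPY --from=build /app /app
""",
    "openrmf-web-example/Dockerfile": """\
FROM nginxinc/nginx-unprivileged:1.23-alpine
COPY html /usr/share/nginx/html
""",
}

# Pins the thread settled on; the keys are image names without a tag.
EXPECTED_TAGS: Dict[str, str] = {
    "alpine": "3.16.2",
    "nginxinc/nginx-unprivileged": "1.23-alpine",
}

# FROM [--platform=...] <ref> [AS <alias>]; alias matching stays on one line
# so a following instruction is never mistaken for an alias.
FROM_RE = re.compile(
    r"^[ \t]*FROM[ \t]+(?:--platform=\S+[ \t]+)?(?P<ref>\S+)"
    r"(?:[ \t]+AS[ \t]+(?P<alias>\S+))?",
    re.IGNORECASE | re.MULTILINE,
)


def split_ref(ref: str) -> Tuple[str, Optional[str]]:
    """Split 'registry:5000/ns/name:tag' into (name, tag).

    Only the last path component can carry a tag, so a registry port is not
    mistaken for one. A digest-pinned ref keeps its '@sha256:...' as the tag
    so it shows up as a mismatch against a plain expected tag.
    """
    if "@" in ref:
        name, digest = ref.split("@", 1)
        return name, "@" + digest
    head, sep, last = ref.rpartition("/")
    if ":" in last:
        repo, tag = last.rsplit(":", 1)
        return head + sep + repo, tag
    return ref, None


def base_images(dockerfile_text: str) -> List[Tuple[str, Optional[str]]]:
    """(name, tag) for every FROM that pulls an external image.

    FROMs that name an earlier stage alias are internal to the build and
    are skipped; numeric stage references (FROM 0) are not handled.
    """
    stages = set()
    found = []
    for m in FROM_RE.finditer(dockerfile_text):
        ref, alias = m["ref"], m["alias"]
        if ref not in stages:
            found.append(split_ref(ref))
        if alias:
            stages.add(alias)
    return found


def audit_base_images(dockerfiles: Dict[str, str],
                      expected_tags: Dict[str, str]) -> List[Tuple[str, str, Optional[str], str]]:
    """(path, image name, actual tag, expected tag) for every pinned image
    whose tag is not the expected one. Images not in the policy are ignored."""
    outdated = []
    for path, text in dockerfiles.items():
        for name, tag in base_images(text):
            want = expected_tags.get(name)
            if want is not None and tag != want:
                outdated.append((path, name, tag, want))
    return outdated


if __name__ == "__main__":
    for path, name, tag, want in audit_base_images(SAMPLE_DOCKERFILES, EXPECTED_TAGS):
        print(f"{path}: {name}:{tag} should be {name}:{want}")
```

Pointed at the real checkouts (read each Dockerfile into the dict keyed by path) this runs in seconds in CI and turns "redo across all images" into a list that is empty when the bump is actually complete.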

DaleBinghamSoteriaSoft commented 2 years ago

Closed with https://github.com/Cingulara/openrmf-docs/releases/tag/v1.8.2 latest release based on the super large list. Updated the base images to fix.