NASA-PDS / PLAID

APPS PDS Label Assistant for Interactive Design (PLAID). See an overview of the software on YouTube. https://www.youtube.com/watch?v=WCo8erW_rL8
https://plaid.jpl.nasa.gov

Base image used by APPS PLAID is not supported #32

Closed nutjob4life closed 2 years ago

nutjob4life commented 2 years ago

Vulnerability

"APPS PLAID" uses as its base Docker image php:5.6-apache-jessie.

Debian Linux jessie reached end-of-life on 2018-06-17 and end of long-term support on 2020-06-30. It has received no security updates since then.

PHP 5.6 reached end of life on 2019-01-01 and has no long-term support. It has received no security updates since then.

Upgrading the base image of "APPS PLAID" is strenuously recommended.

Software Version

main
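The finding above is a base-image problem: `php:5.6-apache-jessie` pins both a PHP line and a Debian codename that stopped receiving security updates. The following is an added example, not PLAID project code, of a small Dockerfile check that parses every `FROM` line, pulls the image name and tag apart, and reports components that are past end-of-life. The `EOL` table holds only the two dates this issue cites; the sample Dockerfile, and the function names `parse_image_ref`, `eol_findings` and `scan_dockerfile`, are constructed for the example.

```python
"""Flag Dockerfile base images whose PHP or Debian release is past end-of-life.

Added example, not PLAID project code. The EOL table holds only the two
dates the issue cites; extend it from the vendors' EOL pages before use.
"""
import re
from datetime import date

# Constructed EOL table: (product, version or codename) -> date security updates stopped.
EOL = {
    ("php", "5.6"): date(2019, 1, 1),         # PHP 5.6 end of life
    ("debian", "jessie"): date(2020, 6, 30),  # Debian 8 "jessie" end of LTS
}

# First token after FROM is the image reference; an optional --platform flag
# and a trailing "AS stage" alias (multi-stage builds) are tolerated.
FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)", re.IGNORECASE | re.MULTILINE)


def parse_image_ref(ref):
    """Return (short name, tag) for a reference such as registry/ns/php:5.6-apache-jessie@sha256:...

    Digest pins are dropped, a missing tag defaults to 'latest', and a ':' that
    belongs to a registry port (localhost:5000/php) is not mistaken for a tag.
    """
    ref = ref.split("@", 1)[0]
    path, _, tag = ref.rpartition(":")
    if not path or "/" in tag:
        path, tag = ref, "latest"
    return path.rsplit("/", 1)[-1].lower(), tag


def eol_findings(name, tag, today):
    """List EOL components embedded in one image reference as of `today`."""
    tag_parts = tag.lower().split("-")
    findings = []
    for (product, version), eol in EOL.items():
        if product == "debian":
            # Official PHP tags embed the Debian codename as a suffix (...-jessie);
            # the debian image itself uses the codename as the tag.
            hit = version in tag_parts
        else:
            # Match the version prefix only on the matching image (php:5.6, php:5.6.40-...).
            hit = name == product and re.match(rf"{re.escape(version)}(?:[.-]|$)", tag) is not None
        if hit and today >= eol:
            findings.append({
                "product": product,
                "version": version,
                "eol": eol.isoformat(),
                "days_past_eol": (today - eol).days,
            })
    return findings


def scan_dockerfile(text, today=None):
    """Return one finding per EOL component for every FROM line in a Dockerfile.

    `today` may be a date, an ISO string, or None (meaning the current date).
    An empty result means nothing in the EOL table matched, not that the image is current.
    """
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    results = []
    for ref in FROM_RE.findall(text):
        name, tag = parse_image_ref(ref)
        for finding in eol_findings(name, tag, today):
            results.append({"image": ref, **finding})
    return results


# Constructed sample modelled on the issue's description; not PLAID's real Dockerfile.
SAMPLE_DOCKERFILE = """\
FROM php:5.6-apache-jessie AS app
COPY . /var/www/html
"""

if __name__ == "__main__":
    findings = scan_dockerfile(SAMPLE_DOCKERFILE)
    for f in findings:
        print(f"{f['image']}: {f['product']} {f['version']} reached EOL {f['eol']} "
              f"({f['days_past_eol']} days ago)")
    if not findings:
        print("no components from the EOL table found (table is not exhaustive)")
```

Run against the real Dockerfile by passing its contents to `scan_dockerfile`; a clean result only means no entry in the EOL table matched, so the table has to be kept current from the vendors' EOL pages for the check to stay meaningful.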

jordanpadams commented 2 years ago

@nutjob4life how critical do you think this is? should we do this now? would it introduce a security vulnerability to move forward without this upgrade?

nutjob4life commented 2 years ago

I think this is pretty high priority. PHP 8.1.0–8.1.1, PHP 7.4.26–7.4.27, and PHP 7.3.3 are considered "safe" (at least as far as "safe" goes for something as horrible as PHP).

All PHP < 7 has CVSS scores of 8.2 to 10.0 (extremely unsafe). See this chart for details.

The Linux distribution being out-of-date is not as pressing—but is easier to fix.

tloubrieu-jpl commented 2 years ago

@gary For testing this ticket you need to build the application as described in the README https://github.com/NASA-PDS/PLAID/blob/main/deployment-docs/development.md

And check that there is no vulnerability in the built Docker image. You can use something like this: https://docs.docker.com/engine/scan/

gxtchen commented 2 years ago

@tloubrieu-jpl @jordanpadams @viviant100 Can you provide a scan report? A personal Docker account does not support vulnerability scanning.

jordanpadams commented 2 years ago

@gxtchen Are you sure? From this image at the top of the page, it looks like everyone should get 10 image scans:

[Screenshot attached: Screen Shot 2022-04-18 at 8 15 00 AM]

tloubrieu-jpl commented 2 years ago

Hi @gxtchen ,

I created an account on https://snyk.io/ (using my github credentials).

Then in the command line:

docker scan --login
docker scan plaid

Then I had this report (which does not look perfect...)

snyk_scan_plaid_report.txt.zip