feat(ci): add Docker Scout vulnerabilities scanning

gustavovalverde commented 2 months ago

Motivation

We must avoid publishing new releases without being fully aware of any new vulnerabilities that might be introduced into the image. This ensures we have visibility and can take the necessary actions, such as updating our READMEs, fixing the vulnerabilities, or implementing any other required measures.

Specifications & References

https://docs.docker.com/scout/explore/analysis/

Solution

Implement Docker Scout CLI with their GitHub Action: https://github.com/docker/scout-action
As this action is too verbose in PRs for our use case, just limit it to the Release PR until we can have a better implementation with https://github.com/docker/scout-action/issues/56
Record the results in Docker Scout in a prod, stage and dev environment for future reference https://docs.docker.com/reference/cli/docker/scout/environment/

Tests

I've triggered multiple changes in our Dockerfile, and in this PR title, to confirm the action's output (below) and behavior

Follow-up Work

Implementing policies for Docker Scout that are compliant with our supply chain requirements https://docs.docker.com/scout/policy/
https://github.com/docker/scout-action/issues/56

PR Author's Checklist

[x] The PR name will make sense to users.
[x] The PR provides a CHANGELOG summary.
[x] The solution is tested.
[x] The documentation is up to date.
[x] The PR has a priority label.

PR Reviewer's Checklist

[ ] The PR Author's checklist is complete.
[ ] The PR resolves the issue.

gustavovalverde commented 2 months ago

Need a workaround for: https://github.com/docker/scout-action/issues/16

github-actions[bot] commented 2 months ago

:mag: Vulnerabilities of `us-docker.pkg.dev/zfnd-dev-zebra/zebra/zebrad:pr-8871`

:package: Image Reference us-docker.pkg.dev/zfnd-dev-zebra/zebra/zebrad:pr-8871

digest	`sha256:d4f9be543302575ccca3903731fb4495eb349d67e2d8b5d228b1a1ad1eaaf4d5`
vulnerabilities
size	106 MB
packages	114

:package: Base Image debian:12-slim

also known as	`12.7-slim` `bookworm-20240904-slim` `bookworm-slim`
digest	`sha256:903d3225acecaa272bbdd7273c6c312c2af8b73644058838d23a8c9e6e5c82cf`
vulnerabilities

stdlib 1.19.8 (golang)

pkg:golang/stdlib@1.19.8
```dockerfile # Dockerfile (219:219) COPY --from=release /usr/local/bin/zebrad /usr/local/bin ```

Affected range	`<1.21.11`
Fixed version	`1.21.11`
EPSS Score	`0.06%`
EPSS Percentile	`28th percentile`

Description

The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms.

Affected range	`<1.19.9`
Fixed version	`1.19.9`
EPSS Score	`0.26%`
EPSS Percentile	`66th percentile`

Description

Not all valid JavaScript whitespace characters are considered to be whitespace. Templates containing whitespace characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution.

Affected range	`<1.19.10`
Fixed version	`1.19.10`
EPSS Score	`0.08%`
EPSS Percentile	`35th percentile`

Description

On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can be dangerous in certain cases, such as when dumping memory state, or assuming the status of standard i/o file descriptors. If a setuid/setgid binary is executed with standard I/O file descriptors closed, opening any files can result in unexpected content being read or written with elevated privileges. Similarly, if a setuid/setgid program is terminated, either via panic or signal, it may leak the contents of its registers.

Affected range	`<1.22.7`
Fixed version	`1.22.7`
EPSS Score	`0.04%`
EPSS Percentile	`16th percentile`

Description

Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

Affected range	`<1.22.7`
Fixed version	`1.22.7`
EPSS Score	`0.04%`
EPSS Percentile	`16th percentile`

Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

Affected range	`<1.21.12`
Fixed version	`1.21.12`
EPSS Score	`0.04%`
EPSS Percentile	`16th percentile`

Description

The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail. An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.

Affected range	`<1.21.8`
Fixed version	`1.21.8`
EPSS Score	`0.04%`
EPSS Percentile	`11th percentile`

Description

The ParseAddressList function incorrectly handles comments (text within parentheses) within display names. Since this is a misalignment with conforming address parsers, it can result in different trust decisions being made by programs using different parsers.

Affected range	`<1.21.9`
Fixed version	`1.21.9`
EPSS Score	`0.04%`
EPSS Percentile	`14th percentile`

Description

An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection.

Affected range	`<1.20.0`
Fixed version	`1.20.0`
EPSS Score	`0.07%`
EPSS Percentile	`32nd percentile`

Description

Before Go 1.20, the RSA based TLS key exchanges used the math/big library, which is not constant time. RSA blinding was applied to prevent timing attacks, but analysis shows this may not have been fully effective. In particular it appears as if the removal of PKCS#1 padding may leak timing information, which in turn could be used to recover session key bits. In Go 1.20, the crypto/tls library switched to a fully constant time RSA implementation, which we do not believe exhibits any timing side channels.

Affected range	`<1.20.11`
Fixed version	`1.20.11`
EPSS Score	`0.10%`
EPSS Percentile	`42nd percentile`

Description

The filepath package does not recognize paths with a \??\ prefix as special. On Windows, a path beginning with \??\ is a Root Local Device path equivalent to a path beginning with \\?\. Paths with a \??\ prefix may be used to access arbitrary locations on the system. For example, the path \??\c:\x is equivalent to the more common path c:\x. Before fix, Clean could convert a rooted path such as \a\..\??\b into the root local device path \??\b. Clean will now convert this to .\??\b. Similarly, Join(\, ??, b) could convert a seemingly innocent sequence of path elements into the root local device path \??\b. Join will now convert this to \.\??\b. In addition, with fix, IsAbs now correctly reports paths beginning with \??\ as absolute, and VolumeName correctly reports the \??\ prefix as a volume name. UPDATE: Go 1.20.11 and Go 1.21.4 inadvertently changed the definition of the volume name in Windows paths starting with \?, resulting in filepath.Clean(\?\c:) returning \?\c: rather than \?\c:\ (among other effects). The previous behavior has been restored.

Affected range	`<1.20.10`
Fixed version	`1.20.10`
EPSS Score	`81.33%`
EPSS Percentile	`98th percentile`

Description

A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.

Affected range	`<1.20.10`
Fixed version	`1.20.10`
EPSS Score	`0.25%`
EPSS Percentile	`65th percentile`

Description

A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.

Affected range	`<1.22.7`
Fixed version	`1.22.7`
EPSS Score	`0.19%`
EPSS Percentile	`56th percentile`

Description

Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.

Affected range	`<1.19.9`
Fixed version	`1.19.9`
EPSS Score	`0.14%`
EPSS Percentile	`50th percentile`

Description

Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}") executed with empty input can result in output with unexpected results when parsed due to HTML normalization rules. This may allow injection of arbitrary attributes into tags.

Affected range	`<1.19.9`
Fixed version	`1.19.9`
EPSS Score	`0.14%`
EPSS Percentile	`50th percentile`

Description

Angle brackets (<>) are not considered dangerous characters when inserted into CSS contexts. Templates containing multiple actions separated by a '/' character can result in unexpectedly closing the CSS context and allowing for injection of unexpected HTML, if executed with untrusted input.

github-actions[bot] commented 2 months ago

Overview

Image reference	`zfnd/zebra:latest`	`us-docker.pkg.dev/zfnd-dev-zebra/zebra/zebrad:pr-8871`
- digest	`cbb3851de039`	`d4f9be543302`
- tag	`latest`	`pr-8871`
- provenance	https://github.com/ZcashFoundation/zebra/commit/bf4d253897bb3d67cecea6e73562cbe111e2b7f2	https://github.com/ZcashFoundation/zebra/commit/6dbc86e75e4c2c61cdc96bb9e0e690a5fcfc5243
- vulnerabilities
- platform	linux/amd64	linux/amd64
- size	106 MB	106 MB (+100 kB)
- packages	114	114
Base Image	`debian:bookworm-slim` also known as: • `12-slim`	`debian:bookworm-slim` also known as: • `12-slim` • `12.7-slim` • `bookworm-20240904-slim`
- vulnerabilities

Environment Variables (1 changes)

> * `+` 1 added > * _7 unchanged_ ```diff +APP_HOME=/opt/zebrad FEATURES=default-release-binaries GID=10001 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin UID=10001 USER=zebra ZEBRA_CONF_DIR=/etc/zebrad ZEBRA_CONF_FILE=zebrad.toml ```

Labels (3 changes)

> * `±` 3 changed > * _5 unchanged_ ```diff -org.opencontainers.image.created=2024-08-28T12:08:34.422Z +org.opencontainers.image.created=2024-09-19T11:30:03.656Z org.opencontainers.image.description=Zcash - Financial Privacy in Rust 🦓 org.opencontainers.image.licenses=Apache-2.0 -org.opencontainers.image.revision=bf4d253897bb3d67cecea6e73562cbe111e2b7f2 +org.opencontainers.image.revision=6dbc86e75e4c2c61cdc96bb9e0e690a5fcfc5243 org.opencontainers.image.source=https://github.com/ZcashFoundation/zebra org.opencontainers.image.title=zebra org.opencontainers.image.url=https://github.com/ZcashFoundation/zebra -org.opencontainers.image.version=1.9.0 +org.opencontainers.image.version=pr-8871 ```

Packages and Vulnerabilities (9 package changes and 0 vulnerability changes)

> * :infinity: 9 packages changed > * 105 packages unchanged

Changes for packages of type deb (9 changes)

	Package	Version `zfnd/zebra:latest`	Version `us-docker.pkg.dev/zfnd-dev-zebra/zebra/zebrad:pr-8871`
:infinity:	base-files	`12.4+deb12u6`	`12.4+deb12u7`
:infinity:	curl	`7.88.1-10+deb12u6`	`7.88.1-10+deb12u7`
:infinity:	libc-bin	`2.36-9+deb12u7`	`2.36-9+deb12u8`
:infinity:	libc6	`2.36-9+deb12u7`	`2.36-9+deb12u8`
:infinity:	libcurl4	`7.88.1-10+deb12u6`	`7.88.1-10+deb12u7`
:infinity:	libssl3	`3.0.13-1~deb12u1`	`3.0.14-1~deb12u2`
:infinity:	libsystemd0	`252.26-1~deb12u2`	`252.30-1~deb12u2`
:infinity:	libudev1	`252.26-1~deb12u2`	`252.30-1~deb12u2`
:infinity:	openssl	`3.0.13-1~deb12u1`	`3.0.14-1~deb12u2`

github-actions[bot] commented 1 month ago

Recommended fixes for image `us-docker.pkg.dev/zfnd-dev-zebra/zebra/zebrad:pr-8871`

Base image is debian:bookworm-slim

Name	bookworm-20240904-slim
Digest	sha256:903d3225acecaa272bbdd7273c6c312c2af8b73644058838d23a8c9e6e5c82cf
Vulnerabilities
Pushed	2 weeks ago
Size	29 MB
Packages	125
Flavor	debian
OS	12
Slim	✅

The base image is also available under the supported tag(s): 12-slim, 12.7-slim, bookworm-20240904-slim

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag	Details	Pushed
`stable-slim` Tag is preferred tag Also known as: stable-20240904-slim	Benefits: Same OS detected Tag is preferred tag Tag was pushed more recently Image has similar size Image has same number of vulnerabilities Image contains equal number of packages Tag is using slim variant stable-slim is the fourth most popular tag with 46K pulls per month Image details: Size: 29 MB Flavor: debian OS: 12 Slim: ✅	2 weeks ago
`stable` Image has same number of vulnerabilities Also known as: stable-20240904	Benefits: Same OS detected Tag was pushed more recently Image has same number of vulnerabilities Image contains equal number of packages stable is the 7th most popular tag with 32K pulls per month Image details: Size: 50 MB Flavor: debian OS: 12	2 weeks ago
`bookworm` Tag is latest Also known as: 12.7 12 bookworm-20240904 latest	Benefits: Same OS detected Tag is latest Image has same number of vulnerabilities Image contains equal number of packages bookworm is the 10th most popular tag with 14K pulls per month Image details: Size: 50 MB Flavor: debian OS: 12	2 weeks ago
`sid-slim` Major OS version update Also known as: sid-20240904-slim	Benefits: Same OS detected Tag was pushed more recently Image has similar size Major OS version update Image contains similar number of packages Tag is using slim variant sid-slim is the 9th most popular tag with 15K pulls per month Image details: Size: 32 MB Flavor: debian OS: 13 Slim: ✅	2 weeks ago

ZcashFoundation / zebra