actions / runner

The Runner for GitHub Actions :rocket:
https://github.com/features/actions
MIT License

Github actions package vulnerabilities CVE-2021-44531, CVE-2018-8292, CVE-2019-0980, CVE-2019-0820 #2693

Open pavellysianok opened 1 year ago

pavellysianok commented 1 year ago

Describe the bug

I would like to build a Docker image with GitHub Actions. After building this image I check it using the Twistlock scanner and I can see vulnerabilities according to the list in the To Reproduce step.

The Dockerfile just contains these commands:

RUN curl -Ls https://github.com/actions/runner/releases/download/v${GITHUB_RUNNER_VERSION}/actions-runner-linux-x64-${GITHUB_RUNNER_VERSION}.tar.gz | tar xz \
    && sudo ./bin/installdependencies.sh

To Reproduce

Run Twistlock security scanner. Result of security scan:

system.text.regularexpressions.dll NVD - CVE-2019-0820 - 7 pcs

Paths: /home/github/bin/Sdk.deps.json /home/github/bin/Runner.Worker.deps.json /home/github/bin/Runner.Sdk.deps.json /home/github/bin/Runner.Common.deps.json /home/github/bin/Runner.PluginHost.deps.json /home/github/bin/Runner.Listener.deps.json /home/github/bin/Runner.Plugins.deps.json

system.private.uri.dll, NVD - CVE-2019-0980 - 21 pcs

Paths: /home/github/bin/Runner.Worker.deps.json /home/github/bin/Runner.PluginHost.deps.json /home/github/bin/Runner.Listener.deps.json /home/github/bin/Runner.Plugins.deps.json /home/github/bin/Sdk.deps.json /home/github/bin/Runner.Common.deps.json /home/github/bin/Runner.Sdk.deps.json

system.net.http.dll, NVD - CVE-2018-8292 - 7 pcs

Paths: /home/github/bin/Runner.Common.deps.json /home/github/bin/Runner.PluginHost.deps.json /home/github/bin/Sdk.deps.json /home/github/bin/Runner.Worker.deps.json /home/github/bin/Runner.Plugins.deps.json /home/github/bin/Runner.Listener.deps.json /home/github/bin/Runner.Sdk.deps.json

Application, node js NVD - CVE-2021-44531 - 4 pcs

Paths: /home/github/externals/node16_alpine/bin/node /home/github/externals/node16/bin/node /home/github/externals/node12_alpine/bin/node /home/github/externals/node12/bin/node

Expected behavior

I would like to pass the security scan without high CVEs. The Twistlock scanner is a part of CI, so an image with vulnerabilities doesn't build.

Runner Version and Platform

2.304, 2.305

OS of the machine running the runner? Linux (debian:stable-slim)

What's not working?


Job Log Output

No need.

Runner and Worker's Diagnostic Logs

No need.

ChristopherHX commented 1 year ago

Just a note about common false positives of dotnet dependencies, I'm not affiliated with this Project / GitHub.

Some security scanners seem to be fixed, but not all.

Twistlock has some false positive dotnet high vulnerabilities. If you open v2.301.1 on Windows (it's an older runner than the one in your report):

https://github.com/advisories/GHSA-cmhx-cq75-c4mj has been fixed long before 6.0.5.

The files Twistlock uses to detect the vulnerability of dotnet don't mean the version is deployed. A Linux program might be unable to view the file version of a PE dll, but Windows can.

So your scanner can only ever find nothing if someone manually edits all *.deps.json, then nobody would know if the application is still runnable 😅.

The node vulnerability isn't affected by my comment, GitHub should update node16 more often.
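The comment above points out that a scanner matching package ids in the runner's *.deps.json files is reading build-time metadata, not what is deployed. The following triage helper is an added example, not code from this thread or from the runner project: it parses a constructed deps.json fragment (shaped like the runner's, not a real one) and flags package references whose DLL is not actually present beside the deps.json, assuming the flat layout of a published .NET app.

```python
import json
import os
import tempfile

# Constructed deps.json fragment shaped like the runner's *.deps.json files (not a real one).
SAMPLE_DEPS = {"targets": {".NETCoreApp,Version=v6.0/linux-x64": {
    "Runner.Listener/2.304.0": {
        "dependencies": {"System.Text.RegularExpressions": "4.3.0"},
        "runtime": {"Runner.Listener.dll": {}}},
    "System.Text.RegularExpressions/4.3.0": {
        "runtime": {"lib/netstandard1.6/System.Text.RegularExpressions.dll": {
            "assemblyVersion": "4.1.1.0", "fileVersion": "4.6.24705.1"}}}}}}

def runtime_refs(deps_path):
    """Every runtime DLL a deps.json references, as dicts with the package id/version the
    scanner matches on, the build-time fileVersion, and whether the file is actually on disk.
    Assumes a published app's flat layout (DLLs in the same directory as the deps.json)."""
    with open(deps_path) as fh:
        deps = json.load(fh)
    app_dir = os.path.dirname(os.path.abspath(deps_path))
    refs = []
    for target in deps.get("targets", {}).values():
        for pkg_id, pkg in target.items():
            name, _, version = pkg_id.partition("/")
            for dll, meta in pkg.get("runtime", {}).items():
                refs.append({
                    "package": name, "version": version, "dll": dll,
                    "file_version": meta.get("fileVersion", ""),
                    "on_disk": os.path.isfile(os.path.join(app_dir, os.path.basename(dll)))})
    return refs

def phantom_refs(deps_path):
    """Package ids listed in deps.json whose DLL is not deployed next to it: a scanner that
    matches only on the json reports these although the listed version is not what is on disk."""
    return [f"{r['package']}/{r['version']}" for r in runtime_refs(deps_path) if not r["on_disk"]]

def demo():
    """Write the constructed deps.json plus only the app's own DLL into a temp dir and triage it."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, "Runner.Listener.deps.json")
    with open(path, "w") as fh:
        json.dump(SAMPLE_DEPS, fh)
    open(os.path.join(d, "Runner.Listener.dll"), "wb").close()  # constructed empty stand-in
    return phantom_refs(path)

if __name__ == "__main__":
    print(demo())  # ['System.Text.RegularExpressions/4.3.0']
```

For DLLs that are present, the fileVersion field in the json is still only build-time metadata; the authoritative version is the PE version resource of the file itself, which is what the Windows check in the comment above reads.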