alpine-docker / terragrunt

Auto-trigger docker build for terragrunt when new terraform version released
Apache License 2.0

Launch a respin of the image #37

Open echoix opened 1 week ago

echoix commented 1 week ago

There was a CVE (High severity) on a dependency, hashicorp/go-getter, that is fixed in their version 1.7.5.

Using trivy to scan a container, we can see that this image contains the version v1.7.1.

If we want terragrunt, we now know that their latest release uses v1.7.5. See https://github.com/gruntwork-io/terragrunt/releases/tag/v0.59.6

My request is: is it possible to relaunch a new build without a terraform release, ideally manually, in order to get a new image with a fixed version?

See failures similar to this one https://github.com/oxsecurity/megalinter/actions/runs/9704027962/job/26783423895?pr=3703 since yesterday.

ozbillwang commented 1 week ago

Thanks, it seems the trivy scan in my build doesn't report this CVE (but it reports something else).

https://app.circleci.com/pipelines/github/alpine-docker/terragrunt/1082/workflows/5377ebf5-bcd7-443e-9939-1384ab345e46/jobs/1375

ozbillwang commented 1 week ago

Using the sample command from your link, I duplicated the check report locally.

trivy image  --format table --exit-code  1 --ignore-unfixed --vuln-type  os,library --scanners  vuln --severity  CRITICAL,HIGH --timeout  10m0s   alpine/terragrunt

Let me check


alpine/terragrunt (alpine 3.20.0)

Total: 0 (HIGH: 0, CRITICAL: 0)

bin/terraform (gobinary)

Total: 1 (HIGH: 1, CRITICAL: 0)

┌────────────────────────────────┬───────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────┐
│            Library             │ Vulnerability │ Severity │ Installed Version │ Fixed Version │                          Title                           │
├────────────────────────────────┼───────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
│ github.com/hashicorp/go-getter │ CVE-2024-6257 │ HIGH     │ v1.7.4            │ 1.7.5         │ hashicorp/go-getter: Arbitrary command execution through │
│                                │               │          │                   │               │ local git config file                                    │
│                                │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2024-6257                │
└────────────────────────────────┴───────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────┘

usr/local/bin/boilerplate (gobinary)

Total: 2 (HIGH: 2, CRITICAL: 0)

┌────────────────────────────────┬─────────────────────┬──────────┬───────────────────┬────────────────────────┬──────────────────────────────────────────────────────────┐
│            Library             │    Vulnerability    │ Severity │ Installed Version │     Fixed Version      │                          Title                           │
├────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────┼──────────────────────────────────────────────────────────┤
│ github.com/hashicorp/go-getter │ CVE-2024-6257       │ HIGH     │ v1.7.4            │ 1.7.5                  │ hashicorp/go-getter: Arbitrary command execution through │
│                                │                     │          │                   │                        │ local git config file                                    │
│                                │                     │          │                   │                        │ https://avd.aquasec.com/nvd/cve-2024-6257                │
├────────────────────────────────┼─────────────────────┤          ├───────────────────┼────────────────────────┼──────────────────────────────────────────────────────────┤
│ google.golang.org/grpc         │ GHSA-m425-mq94-257g │          │ v1.50.1           │ 1.56.3, 1.57.1, 1.58.3 │ gRPC-Go HTTP/2 Rapid Reset vulnerability                 │
│                                │                     │          │                   │                        │ https://github.com/advisories/GHSA-m425-mq94-257g        │
└────────────────────────────────┴─────────────────────┴──────────┴───────────────────┴────────────────────────┴──────────────────────────────────────────────────────────┘

usr/local/bin/terragrunt (gobinary)

Total: 1 (HIGH: 1, CRITICAL: 0)

┌────────────────────────────────┬───────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────┐
│            Library             │ Vulnerability │ Severity │ Installed Version │ Fixed Version │                          Title                           │
├────────────────────────────────┼───────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
│ github.com/hashicorp/go-getter │ CVE-2024-6257 │ HIGH     │ v1.7.4            │ 1.7.5         │ hashicorp/go-getter: Arbitrary command execution through │
│                                │               │          │                   │               │ local git config file                                    │
│                                │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2024-6257                │
└────────────────────────────────┴───────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────┘
echoix commented 1 week ago

Ah, the grpc one is already in our trivyignore, as we couldn't do anything about it at the time.

ozbillwang commented 1 week ago

Frankly, I am not sure how to fix this CVE.

$ docker run -ti --rm alpine/terragrunt terraform --version
Terraform v1.9.0
on linux_amd64

$ docker run -ti --rm alpine/terragrunt terragrunt --version
terragrunt version v0.59.6

Both terraform and terragrunt versions are the latest in alpine/terragrunt; maybe you need to reach out to their owners for help?
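The thread above turns on three questions a scan like this raises: which findings are already accepted in a .trivyignore (the grpc one), whether the version in the binary is actually below the published fix, and whether a candidate upstream release (go-getter v1.7.5 in terragrunt v0.59.6) would clear the finding. The script below, added here as an example and not part of alpine-docker/terragrunt or of trivy itself, answers those from the machine-readable form of the same scan. It assumes the field names trivy emits with `--format json` (`Results[].Target`, `Vulnerabilities[].VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`); the sample report and the sample .trivyignore are constructed inline from the table posted in this thread, not taken from a real scan file.

```python
"""Triage a trivy JSON report against a .trivyignore list.

Added example for this thread; not code from alpine-docker/terragrunt or trivy.
It reads the fields trivy emits with `--format json` and decides, per finding,
whether anything is left to act on once ignored IDs and versions that already
carry the fix are discounted.
"""
import json
import re
from collections import Counter
from typing import Dict, List, Set, Tuple

# Constructed sample in the shape of `trivy image --format json`; the values
# mirror the table posted in this thread rather than a real scan file.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {"Target": "alpine/terragrunt (alpine 3.20.0)", "Type": "alpine"},
        {"Target": "bin/terraform", "Type": "gobinary", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2024-6257", "PkgName": "github.com/hashicorp/go-getter",
             "InstalledVersion": "v1.7.4", "FixedVersion": "1.7.5", "Severity": "HIGH"}]},
        {"Target": "usr/local/bin/boilerplate", "Type": "gobinary", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2024-6257", "PkgName": "github.com/hashicorp/go-getter",
             "InstalledVersion": "v1.7.4", "FixedVersion": "1.7.5", "Severity": "HIGH"},
            {"VulnerabilityID": "GHSA-m425-mq94-257g", "PkgName": "google.golang.org/grpc",
             "InstalledVersion": "v1.50.1", "FixedVersion": "1.56.3, 1.57.1, 1.58.3",
             "Severity": "HIGH"}]},
        {"Target": "usr/local/bin/terragrunt", "Type": "gobinary", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2024-6257", "PkgName": "github.com/hashicorp/go-getter",
             "InstalledVersion": "v1.7.4", "FixedVersion": "1.7.5", "Severity": "HIGH"}]},
    ]
})

# Constructed .trivyignore: one ID per line, '#' comments, optional trailing fields.
SAMPLE_TRIVYIGNORE = """\
# accepted at the time: nothing we could do about the grpc version in the shipped binary
GHSA-m425-mq94-257g
"""

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'v1.7.4' -> (1, 7, 4). Accepts a leading 'v'; pre-release/build suffixes are ignored."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_fixed_by(installed: str, fixed_field: str) -> bool:
    """Decide whether `installed` already carries one of the fixes in `fixed_field`.

    trivy joins several fixed versions with ', ' when a fix was backported to
    more than one release line (e.g. '1.56.3, 1.57.1, 1.58.3'). The installed
    version counts as fixed if it is at or above the fix on its own major.minor
    line, or above every listed fix (a line newer than any that needed a backport).
    """
    if not fixed_field.strip():
        return False  # no fix published, so it cannot be "already fixed"
    inst = parse_version(installed)
    fixes = [parse_version(f) for f in fixed_field.split(",") if f.strip()]
    for fix in fixes:
        if inst[:2] == fix[:2]:
            return inst >= fix
    return inst > max(fixes)


def load_ignore(text: str) -> Set[str]:
    """Parse a .trivyignore: blank lines and '#' comments dropped, first token is the ID."""
    ids: Set[str] = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            ids.add(line.split()[0])
    return ids


def triage(report_json: str, ignore_text: str) -> List[Dict[str, str]]:
    """Classify every finding as 'ignored', 'no-fix', 'already-fixed' or 'actionable'."""
    ignored = load_ignore(ignore_text)
    findings: List[Dict[str, str]] = []
    for result in json.loads(report_json).get("Results", []):
        # OS-package results with no findings carry no "Vulnerabilities" key at all
        for v in result.get("Vulnerabilities") or []:
            vid, fixed = v["VulnerabilityID"], v.get("FixedVersion", "")
            if vid in ignored:
                status = "ignored"
            elif not fixed.strip():
                status = "no-fix"
            elif is_fixed_by(v["InstalledVersion"], fixed):
                status = "already-fixed"
            else:
                status = "actionable"
            findings.append({"target": result["Target"], "pkg": v["PkgName"], "id": vid,
                             "installed": v["InstalledVersion"], "fixed": fixed,
                             "severity": v.get("Severity", ""), "status": status})
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per status; a non-zero 'actionable' count is the signal to rebuild."""
    return dict(Counter(f["status"] for f in findings))


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT, SAMPLE_TRIVYIGNORE)
    for f in result:
        print(f"{f['status']:<14} {f['target']:<26} {f['pkg']} {f['id']} "
              f"{f['installed']} -> {f['fixed'] or 'n/a'}")
    print(summarize(result))
    raise SystemExit(1 if summarize(result).get("actionable") else 0)
```

Run against the constructed report it reports three actionable go-getter findings and one ignored grpc finding, and exits non-zero, which is the behaviour a CI gate wants. The same `is_fixed_by` check answers the upstream question from the first comment: `is_fixed_by("v1.7.5", "1.7.5")` is true, so a rebuild that picks up a terragrunt built against go-getter v1.7.5 would clear CVE-2024-6257 for that binary, while the grpc entry stays in the ignore list until a binary built against one of the listed grpc lines is available.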