cypress-io / cypress-docker-images

Docker images with Cypress dependencies and browsers
https://on.cypress.io/continuous-integration
MIT License

Latest Debian 12.x fixes not deployed #1217

Closed MikeMcC399 closed 1 month ago

MikeMcC399 commented 1 month ago

Current behavior

Current Cypress Docker images are missing available fixes for Debian critical vulnerabilities

relating to

Desired behavior

Cypress Docker images should be published with up-to-date available Debian fixes.

Resolved

Test code to reproduce

trivy image --ignore-unfixed --pkg-types os --scanners vuln --severity CRITICAL cypress/factory:latest
trivy image --ignore-unfixed --pkg-types os --scanners vuln --severity CRITICAL cypress/base:latest
trivy image --ignore-unfixed --pkg-types os --scanners vuln --severity CRITICAL cypress/browsers:latest
trivy image --ignore-unfixed --pkg-types os --scanners vuln --severity CRITICAL cypress/included:latest

Cypress Docker versions

docker run --rm --entrypoint cat cypress/factory:latest /etc/debian_version
docker run --rm --entrypoint cat cypress/base:latest /etc/debian_version
docker run --rm --entrypoint cat cypress/browsers:latest /etc/debian_version
docker run --rm --entrypoint cat cypress/included:latest /etc/debian_version
| Image | Debian | Published | Version |
| --- | --- | --- | --- |
| cypress/factory | 12.7 | Sep 10, 2024 | 4.2.0 |
| cypress/base | 12.6 | Aug 26, 2024 | 20.17.0 |
| cypress/browsers | 12.7 | Sep 25, 2024 | node-20.17.0-chrome-129.0.6668.70-1-ff-130.0.1-edge-129.0.2792.52-1 |
| cypress/included | 12.7 | Sep 25, 2024 | 13.15.0 |

Debug Logs

cypress/factory:latest (debian 12.7)

Total: 5 (CRITICAL: 5)

┌───────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────────┬─────────────────────────────────────────────────────────────┐
│  Library  │ Vulnerability  │ Severity │ Status │ Installed Version │   Fixed Version    │                            Title                            │
├───────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────────┼─────────────────────────────────────────────────────────────┤
│ git       │ CVE-2024-32002 │ CRITICAL │ fixed  │ 1:2.39.2-1.1      │ 1:2.39.5-0+deb12u1 │ git: Recursive clones RCE                                   │
│           │                │          │        │                   │                    │ https://avd.aquasec.com/nvd/cve-2024-32002                  │
├───────────┤                │          │        │                   │                    │                                                             │
│ git-man   │                │          │        │                   │                    │                                                             │
│           │                │          │        │                   │                    │                                                             │
├───────────┼────────────────┤          │        ├───────────────────┼────────────────────┼─────────────────────────────────────────────────────────────┤
│ libexpat1 │ CVE-2024-45490 │          │        │ 2.5.0-1           │ 2.5.0-1+deb12u1    │ libexpat: Negative Length Parsing Vulnerability in libexpat │
│           │                │          │        │                   │                    │ https://avd.aquasec.com/nvd/cve-2024-45490                  │
│           ├────────────────┤          │        │                   │                    ├─────────────────────────────────────────────────────────────┤
│           │ CVE-2024-45491 │          │        │                   │                    │ libexpat: Integer Overflow or Wraparound                    │
│           │                │          │        │                   │                    │ https://avd.aquasec.com/nvd/cve-2024-45491                  │
│           ├────────────────┤          │        │                   │                    ├─────────────────────────────────────────────────────────────┤
│           │ CVE-2024-45492 │          │        │                   │                    │ libexpat: integer overflow                                  │
│           │                │          │        │                   │                    │ https://avd.aquasec.com/nvd/cve-2024-45492                  │
└───────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────────┴─────────────────────────────────────────────────────────────┘

Other
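As an added example (not part of this issue or of the cypress-docker-images project): a small CI gate that applies the same filters as the trivy commands above (`--ignore-unfixed --pkg-types os --severity CRITICAL`) to trivy's JSON report (`trivy image --format json ...`), so a publish step can fail while fixable Debian CVEs remain in an image. The sample report is constructed for this example and follows trivy's JSON schema; the `CVE-PLACEHOLDER-*` rows and `pkg-*` names are invented.

```python
import json

# Constructed sample in trivy's JSON report schema (not real scanner output): the git
# and libexpat1 rows mirror the issue's findings, CVE-PLACEHOLDER-* rows are invented.
SAMPLE = json.dumps({
    "ArtifactName": "cypress/factory:latest",
    "Metadata": {"OS": {"Family": "debian", "Name": "12.7"}},
    "Results": [
        {"Target": "cypress/factory:latest (debian 12.7)", "Class": "os-pkgs", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2024-32002", "PkgName": "git", "Severity": "CRITICAL",
             "InstalledVersion": "1:2.39.2-1.1", "FixedVersion": "1:2.39.5-0+deb12u1"},
            {"VulnerabilityID": "CVE-2024-32002", "PkgName": "git-man", "Severity": "CRITICAL",
             "InstalledVersion": "1:2.39.2-1.1", "FixedVersion": "1:2.39.5-0+deb12u1"},
            {"VulnerabilityID": "CVE-2024-45490", "PkgName": "libexpat1", "Severity": "CRITICAL",
             "InstalledVersion": "2.5.0-1", "FixedVersion": "2.5.0-1+deb12u1"},
            # No Debian fix yet: dropped, exactly as --ignore-unfixed drops it.
            {"VulnerabilityID": "CVE-PLACEHOLDER-1", "PkgName": "pkg-a", "Severity": "CRITICAL",
             "InstalledVersion": "1.0-1", "FixedVersion": ""},
            # Fixed, but only HIGH: below the CRITICAL threshold the issue scans with.
            {"VulnerabilityID": "CVE-PLACEHOLDER-2", "PkgName": "pkg-b", "Severity": "HIGH",
             "InstalledVersion": "2.0-1", "FixedVersion": "2.0-1+deb12u1"}]},
        # Application-level findings are skipped, matching --pkg-types os.
        {"Target": "Node.js", "Class": "lang-pkgs", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-PLACEHOLDER-3", "PkgName": "pkg-c", "Severity": "CRITICAL",
             "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1"}]},
    ],
})

SEVERITIES = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]


def fixable_findings(report_json, min_severity="CRITICAL"):
    """{(pkg, cve): (installed, fixed)} for OS packages with an available fix."""
    threshold = SEVERITIES.index(min_severity)
    found = {}
    for result in json.loads(report_json).get("Results", []):
        if result.get("Class") != "os-pkgs":          # --pkg-types os
            continue
        for v in result.get("Vulnerabilities") or []:
            if not v.get("FixedVersion"):             # --ignore-unfixed
                continue
            if SEVERITIES.index(v.get("Severity", "UNKNOWN")) < threshold:
                continue
            found[(v["PkgName"], v["VulnerabilityID"])] = (v["InstalledVersion"], v["FixedVersion"])
    return found


def image_is_current(report_json, min_severity="CRITICAL"):
    """CI gate: True only when the image carries every available Debian fix."""
    return not fixable_findings(report_json, min_severity)
```

Feed it the output of `trivy image --format json <image>` and fail the build when `image_is_current` returns False; lowering `min_severity` to `HIGH` widens the gate the same way a broader `--severity` list would.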

MikeMcC399 commented 1 month ago

cypress/factory:latest (cypress/factory:4.2.1) is now resolved

$ trivy image --ignore-unfixed --pkg-types os --scanners vuln --severity CRITICAL cypress/factory:latest
2024-09-30T18:06:37+02:00       INFO    [vuln] Vulnerability scanning is enabled
2024-09-30T18:07:03+02:00       INFO    Detected OS     family="debian" version="12.7"
2024-09-30T18:07:03+02:00       INFO    [debian] Detecting vulnerabilities...   os_version="12" pkg_num=283
2024-09-30T18:07:03+02:00       WARN    Using severities from other vendors for some vulnerabilities. Read https://aquasecurity.github.io/trivy/v0.55/docs/scanner/vulnerability#severity-selection for details.

cypress/factory:latest (debian 12.7)

Total: 0 (CRITICAL: 0)

MikeMcC399 commented 1 month ago

Re-opening as this issue is only partially fixed

| Image | PR | Status |
| --- | --- | --- |
| cypress/factory:latest | #1218 | Fixed |
| cypress/base:latest | #1224 | Open |
| cypress/browsers:latest | #1224 | Open |
| cypress/included:latest | #1224 | Open |

cypress/base:latest should be fixable later this week if Node.js goes ahead with their plan to release Node.js v20.18.0, which will allow a rebuild of cypress/base.

According to published policy, Cypress Docker images are frozen after publication, so the contents of cypress/base:20.17.0 cannot be replaced, and a replacement can only be carried out by publishing a separate image for a later version of Node.js.

MikeMcC399 commented 1 month ago

Re-run of failed job in https://app.circleci.com/pipelines/github/cypress-io/cypress-docker-images?branch=master needed.


MikeMcC399 commented 1 month ago

@jennifer-shehane

Could you please rerun the failed job in https://app.circleci.com/pipelines/github/cypress-io/cypress-docker-images?branch=master ? I don't have any privilege to do this.

MikeMcC399 commented 1 month ago

@jennifer-shehane

Are you able to rerun the failed job? Or has something happened to you or the organization to prevent this being done? I'm in the dark as to why this hasn't been done yet.

MikeMcC399 commented 1 month ago

trivy image --ignore-unfixed --pkg-types os --scanners vuln cypress/factory:4.2.2
trivy image --ignore-unfixed --pkg-types os --scanners vuln cypress/base:20.18.0
trivy image --ignore-unfixed --pkg-types os --scanners vuln cypress/browsers:node-20.18.0-chrome-129.0.6668.89-1-ff-131.0-edge-129.0.2792.65-1
trivy image --ignore-unfixed --pkg-types os --scanners vuln cypress/included:13.15.0

shows no remaining fixed Debian vulnerabilities missing in current latest Cypress Docker images:
cypress/factory:4.2.2 (debian 12.7)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

cypress/base:20.18.0 (debian 12.7)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

cypress/browsers:node-20.18.0-chrome-129.0.6668.89-1-ff-131.0-edge-129.0.2792.65-1 (debian 12.7)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

cypress/included:13.15.0 (debian 12.7)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)