datalust / seq-tickets

Issues, design discussions and feature roadmap for the Seq log server
https://datalust.co/seq

Seq server Docker image contains vulnerable components #2122

Closed conradmicallef closed 7 months ago

conradmicallef commented 7 months ago

Seq is using vulnerable dependencies.

2024-03-13T06:41:21.368Z INFO Vulnerability scanning is enabled
2024-03-13T06:41:32.959Z INFO Detected OS: ubuntu
2024-03-13T06:41:32.959Z INFO Detecting Ubuntu vulnerabilities...
2024-03-13T06:41:32.971Z INFO Number of language-specific files: 2
2024-03-13T06:41:32.971Z INFO Detecting dotnet-core vulnerabilities...

e6e2 (ubuntu 22.04)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

seqsvr/Seq.deps.json (dotnet-core)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

| Library | Vulnerability | Severity | Status | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|---|
| System.Text.RegularExpressions | CVE-2019-0820 | HIGH | fixed | 4.3.0 | 4.3.1 | dotnet: timeouts for regular expressions are not enforced (https://avd.aquasec.com/nvd/cve-2019-0820) |

**Expected behavior**
Vulnerable dependencies should be fixed by depending on fixed libraries.

**Screenshots**
n/a

**Environment (please complete the following information):**

**Additional context**
Additionally, is there a Dockerfile and a build file perhaps, so that this can be customised and we can generate our own Docker images based on a lighter OS such as Alpine?

KodrAus commented 7 months ago

Hi @conradmicallef :wave: This looks like a false positive based on simply scanning the deps.json file's metadata. The actual version of System.Text.RegularExpressions.dll packaged with Seq 2024.1.11028 is 8.0.1.

We don't currently ship standalone Linux binaries you can use to produce your own Seq images. The native code we ship dynamically links glibc, so won't be runnable on Alpine as far as I know, which requires statically linking musl.
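A triage check for this class of finding, added here as an example and not part of the issue thread or of Seq's own code: it parses the package entries of a deps.json (a constructed excerpt in the .NET SDK's format) and compares each package version, which is what the scanner matches CVEs on, with the version of the DLL actually shipped (a constructed mapping; reading it from the image is assumed to be done separately).

```python
import json

# Constructed excerpt in the shape the .NET SDK writes to <app>.deps.json;
# the package list is invented for this example, not Seq's real file.
DEPS_JSON = """{
  "runtimeTarget": {"name": ".NETCoreApp,Version=v8.0"},
  "targets": {".NETCoreApp,Version=v8.0": {
    "Seq/2024.1.11028": {"dependencies": {"System.Text.RegularExpressions": "4.3.0"}},
    "System.Text.RegularExpressions/4.3.0": {"runtime": {
      "lib/netstandard1.6/System.Text.RegularExpressions.dll": {"assemblyVersion": "4.1.1.0"}}}}},
  "libraries": {"Seq/2024.1.11028": {"type": "project"},
                "System.Text.RegularExpressions/4.3.0": {"type": "package"}}
}"""

# Constructed: versions read from the DLLs actually present in the image
# (e.g. with a PE version reader); the maintainer reports 8.0.1 for this one.
SHIPPED = {"System.Text.RegularExpressions.dll": "8.0.1"}

def version_tuple(v):
    """'8.0.1' -> (8, 0, 1); a pre-release suffix such as '-beta' is dropped."""
    return tuple(int(p) for p in v.split("-")[0].split("."))

def package_assemblies(deps_text):
    """Map each NuGet package in deps.json to (package version, DLL file names)."""
    deps = json.loads(deps_text)
    target = deps["targets"][deps["runtimeTarget"]["name"]]
    out = {}
    for key, lib in deps["libraries"].items():
        if lib.get("type") != "package":
            continue
        name, version = key.split("/", 1)
        runtime = target.get(key, {}).get("runtime", {})
        out[name] = (version, [path.rsplit("/", 1)[-1] for path in runtime])
    return out

def triage(deps_text, shipped):
    """Return {package: (declared, shipped, verdict)}. The declared version is what
    a scanner keys CVEs on; a newer DLL on disk means the finding needs confirming."""
    verdicts = {}
    for name, (declared, dlls) in package_assemblies(deps_text).items():
        actual = next((shipped[d] for d in dlls if d in shipped), None)
        if actual is None:
            verdict = "unknown: DLL not inspected"
        elif version_tuple(actual) > version_tuple(declared):
            verdict = "likely false positive: shipped DLL is newer than deps.json says"
        else:
            verdict = "confirm: shipped DLL matches the declared version"
        verdicts[name] = (declared, actual, verdict)
    return verdicts
```

The "likely false positive" verdict is a prompt to verify the DLL on disk, not a reason to suppress the finding outright.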