dbeaver / cloudbeaver

Cloud Database Manager
https://dbeaver.com/
Apache License 2.0

Vulnerabilities and Driver Updates in Cloudbeaver #2336

Closed YuraKril closed 6 months ago

YuraKril commented 7 months ago

I have identified several vulnerabilities in Cloudbeaver version 23.3.3. I noticed that you plan to update the Ubuntu base image to version 23.10 in the next release, which is a positive step. However, I would like to suggest an additional improvement to enhance security and manage vulnerabilities more effectively.

Recommendation: Consider updating all drivers to their current latest versions. Instead of embedding all drivers as *.jar files within the Docker image, I propose implementing a functionality that allows users to download and enable drivers after the project build.

This approach offers several benefits:

Reduced Image Size: By not including all drivers in the initial Docker image, the size of the image can be minimized.

Enhanced Security: Allowing users to enable and download specific drivers after the build ensures that only necessary components are included, reducing potential vulnerabilities.

Flexibility: Users can select and install only the drivers they need, providing greater customization and reducing unnecessary dependencies.

Implementation: Introduce a feature in Cloudbeaver that enables users to manage and download drivers post-build. This could involve a dedicated interface or command-line options for driver management.

I believe this improvement will contribute to a more secure and efficient system. Thank you for considering this recommendation.

EvgeniaBzzz commented 7 months ago

Hi @YuraKril!

The driver management GUI is available in CloudBeaver Enterprise. You can explore it in the 2-week trial version.

For CloudBeaver Community Edition you can use this article to manage drivers.

Thank you for your wish to make CloudBeaver better!

YuraKril commented 7 months ago

Hi @EvgeniaBzzz,

Thank you for providing information about the driver management GUI in CloudBeaver Enterprise and the article for managing drivers in the Community Edition.

While I'm aware of the available solutions for managing drivers through UI, my concern primarily revolves around optimizing the Docker image size and enhancing security by avoiding vulnerabilities reported during image scanning.

I'm suggesting a solution where users can dynamically manage driver versions, not necessarily limited to the UI. One approach could be the introduction of environment parameters, allowing users to specify driver names and versions. These drivers could then be downloaded on application start or reload in CLI mode.

This proposed procedure would offer a more streamlined way to manage vulnerabilities across all supported drivers and enable users to install the required driver versions as needed.

I appreciate your attention to this matter and would love to discuss potential implementations further.

EvgeniaBzzz commented 7 months ago

We understand your concern, but at the same time, allow us to explain the following.

We take security matters seriously. We regularly conduct image scanning for vulnerabilities and currently do not identify any critical issues. And that's why embedded drivers are disabled by default.

We aim to create a user-friendly product, so we enable drivers to simplify the user login experience. Currently, the most popular drivers are enabled, and we regularly update them. If there are any specific issues with the drivers, please let us know.

Users have the option to rebuild the image from source if it is important to them.

EvgeniaBzzz commented 6 months ago

We're grateful for your support and engagement with our project.