distribution / distribution

The toolkit to pack, ship, store, and deliver container content
https://distribution.github.io/distribution
Apache License 2.0

Need updating packages with critical security vulnerabilities in docker Registry #4162

Open anurag-deshpande opened 7 months ago

anurag-deshpande commented 7 months ago

In the latest version of Registry, i.e. 2.8.3, I am observing that there are 3 packages with security vulnerabilities. The details are listed below:

OpenSSL 3.1.0 and OpenSSL 3.1.1 packages have a highest CVE score of 7.8.

Zlib 1.2.13 has a CVE score of 9.8 which is critical.

busybox 1.36.0 also has a CVE score of 7.8.

As all these scores are on the higher side, an update is required to patch them and prevent security risks.

Can the team provide a timeline when these packages will be updated?

milosgajdos commented 7 months ago

Can the team provide a timeline when these packages will be updated?

We can't, no. Not at the moment. The main goal is to make a v3 release so we can deprecate v2.8 branch.

thaJeztah commented 7 months ago

Are these Go dependencies, or dependencies from the base image? If they're in the base image, then possibly rebuilding the image (and/or updating alpine version) would get rid of those.

That said, the registry is a static binary, so not sure if all of those are directly relevant;

docker run -it --rm registry:2.8.3 sh -c 'ldd /bin/registry'
/lib/ld-musl-aarch64.so.1: /bin/registry: Not a valid dynamic program

milosgajdos commented 7 months ago

According to Docker Scout there are no critical vulnerabilities found in 2.8.3

There are some high vulnerabilities found in the Go runtime, none exceeding a 7.5 score, and some in openssl which also don't cross the 7.5 threshold.

thaJeztah commented 7 months ago

I think we should consider doing a 2.8.4 patch release though; there's at least 1 fix that is kinda important; also an update to Go and golang.org/x/net that fixes a vulnerability;

anurag-deshpande commented 7 months ago

I ran the registry container instance with the image from registry 2.8.3 and listed all packages within it. Below is the list we are getting with the same.

# apk list
WARNING: opening from cache https://dl-cdn.alpinelinux.org/alpine/v3.18/main: No such file or directory
WARNING: opening from cache https://dl-cdn.alpinelinux.org/alpine/v3.18/community: No such file or directory
alpine-baselayout-3.4.3-r1 x86_64 {alpine-baselayout} (GPL-2.0-only) [installed]
alpine-baselayout-data-3.4.3-r1 x86_64 {alpine-baselayout} (GPL-2.0-only) [installed]
alpine-keys-2.4-r1 x86_64 {alpine-keys} (MIT) [installed]
apk-tools-2.14.0-r0 x86_64 {apk-tools} (GPL-2.0-only) [installed]
busybox-1.36.0-r9 x86_64 {busybox} (GPL-2.0-only) [installed]
busybox-binsh-1.36.0-r9 x86_64 {busybox} (GPL-2.0-only) [installed]
ca-certificates-20230506-r0 x86_64 {ca-certificates} (MPL-2.0 AND MIT) [installed]
ca-certificates-bundle-20230506-r0 x86_64 {ca-certificates} (MPL-2.0 AND MIT) [installed]
libc-utils-0.7.2-r5 x86_64 {libc-dev} (BSD-2-Clause AND BSD-3-Clause) [installed]
libcrypto3-3.1.0-r4 x86_64 {openssl} (Apache-2.0) [installed]
libssl3-3.1.0-r4 x86_64 {openssl} (Apache-2.0) [installed]
musl-1.2.4-r0 x86_64 {musl} (MIT) [installed]
musl-utils-1.2.4-r0 x86_64 {musl} (MIT AND BSD-2-Clause AND GPL-2.0-or-later) [installed]
scanelf-1.3.7-r1 x86_64 {pax-utils} (GPL-2.0-only) [installed]
ssl_client-1.36.0-r9 x86_64 {busybox} (GPL-2.0-only) [installed]
zlib-1.2.13-r1 x86_64 {zlib} (Zlib) [installed]
/ #

Out of these, our scanner identified that Zlib 1.2.13 has a vulnerability with a CVSS score of 9.8.

Also, other packages identified with issues: the OpenSSL 3.1.0 package has a highest CVE score of 7.8. The busybox 1.36.0 package also has a CVE score of 7.8.

Can the team suggest if these are part of the container? And when would they be fixed/patched?

milosgajdos commented 7 months ago

Can you please format your message properly? I'm sorry but it's almost unreadable.

anurag-deshpande commented 7 months ago

Hi @milosgajdos/Team, I have reformatted my message below:

I ran a registry container instance with the image from registry 2.8.3. As the registry container is Alpine based, I used the apk package manager to list all packages present inside the container instance.

I ran the apk list command to list all packages. Below is the output of the command:

# apk list
WARNING: opening from cache https://dl-cdn.alpinelinux.org/alpine/v3.18/main: No such file or directory
WARNING: opening from cache https://dl-cdn.alpinelinux.org/alpine/v3.18/community: No such file or directory
alpine-baselayout-3.4.3-r1 x86_64 {alpine-baselayout} (GPL-2.0-only) [installed]
alpine-baselayout-data-3.4.3-r1 x86_64 {alpine-baselayout} (GPL-2.0-only) [installed]
alpine-keys-2.4-r1 x86_64 {alpine-keys} (MIT) [installed]
apk-tools-2.14.0-r0 x86_64 {apk-tools} (GPL-2.0-only) [installed]
busybox-1.36.0-r9 x86_64 {busybox} (GPL-2.0-only) [installed]
busybox-binsh-1.36.0-r9 x86_64 {busybox} (GPL-2.0-only) [installed]
ca-certificates-20230506-r0 x86_64 {ca-certificates} (MPL-2.0 AND MIT) [installed]
ca-certificates-bundle-20230506-r0 x86_64 {ca-certificates} (MPL-2.0 AND MIT) [installed]
libc-utils-0.7.2-r5 x86_64 {libc-dev} (BSD-2-Clause AND BSD-3-Clause) [installed]
libcrypto3-3.1.0-r4 x86_64 {openssl} (Apache-2.0) [installed]
libssl3-3.1.0-r4 x86_64 {openssl} (Apache-2.0) [installed]
musl-1.2.4-r0 x86_64 {musl} (MIT) [installed]
musl-utils-1.2.4-r0 x86_64 {musl} (MIT AND BSD-2-Clause AND GPL-2.0-or-later) [installed]
scanelf-1.3.7-r1 x86_64 {pax-utils} (GPL-2.0-only) [installed]
ssl_client-1.36.0-r9 x86_64 {busybox} (GPL-2.0-only) [installed]
zlib-1.2.13-r1 x86_64 {zlib} (Zlib) [installed]
/ #

As per the output of this command, zlib-1.2.13-r1 x86_64 is being listed as a package present within registry container.

Now, we use the Blackduck scanner to scan the container for vulnerabilities. This scanner has reported the following vulnerabilities with their CVE numbers:

As per the above comments, can the team suggest if these packages are a part of the container? And when would they be fixed/patched?

Note: These are reported by the Blackduck scanner. I am not aware of the way Docker Scout performs its scan. The Blackduck scanner does a docker-based scan on the given docker image and reports the results.
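The two findings above (the apk package list and the earlier ldd output showing /bin/registry is a static binary) are the inputs a triage script would combine to tell which image packages the service binary actually links. The example below is added here and is not code from the distribution project or from anyone in this thread; it parses both outputs and classifies each installed package as "linked" by the binary or merely "image-only". The soname-to-package table is an assumption for illustration (on a live image, `apk info --who-owns <path>` gives the real owner), and the dynamic ldd sample is constructed.

```python
import re
from typing import Dict, List, NamedTuple, Set

class ApkPackage(NamedTuple):
    name: str
    version: str
    release: str
    origin: str

# One "apk list" line, e.g. "libssl3-3.1.0-r4 x86_64 {openssl} (Apache-2.0) [installed]".
# The package name is everything before the first "-<digit>" version token.
APK_LINE = re.compile(r"^(?P<name>\S+?)-(?P<ver>\d[^\s-]*)-(?P<rel>r\d+)\s+\S+\s+\{(?P<origin>[^}]*)\}")

def parse_apk_list(output: str) -> List[ApkPackage]:
    """Parse apk list output; WARNING lines and the shell prompt are skipped."""
    pkgs = []
    for line in output.splitlines():
        m = APK_LINE.match(line.strip())
        if m:
            pkgs.append(ApkPackage(m["name"], m["ver"], m["rel"], m["origin"]))
    return pkgs

def linked_sonames(ldd_output: str) -> Set[str]:
    """Sonames ldd reports; empty when musl's ldd says the binary is not a dynamic program."""
    sonames = set()
    for line in ldd_output.splitlines():
        line = line.strip()
        if not line or "Not a valid dynamic program" in line:
            continue
        # Handles "libz.so.1 => /lib/libz.so.1 (0x..)" and "/lib/ld-musl-x86_64.so.1 (0x..)".
        sonames.add(line.split(" => ")[0].split(" (")[0].rsplit("/", 1)[-1])
    return sonames

# Assumed mapping for this image's libraries (hypothetical; query apk on a real image instead).
SONAME_TO_PACKAGE = {"libssl.so.3": "libssl3", "libcrypto.so.3": "libcrypto3",
                     "libz.so.1": "zlib", "ld-musl-x86_64.so.1": "musl"}

def triage(apk_output: str, ldd_output: str) -> Dict[str, str]:
    """Map each installed package to 'linked' (used by the service binary) or 'image-only'."""
    linked = {SONAME_TO_PACKAGE.get(s, s) for s in linked_sonames(ldd_output)}
    return {p.name: ("linked" if p.name in linked else "image-only") for p in parse_apk_list(apk_output)}

# Constructed samples: an abridged copy of the apk list from the issue, the real ldd line from
# the issue (static binary), and a made-up ldd listing for a dynamically linked binary.
APK_LIST_OUTPUT = """WARNING: opening from cache https://dl-cdn.alpinelinux.org/alpine/v3.18/main: No such file or directory
busybox-1.36.0-r9 x86_64 {busybox} (GPL-2.0-only) [installed]
libcrypto3-3.1.0-r4 x86_64 {openssl} (Apache-2.0) [installed]
libssl3-3.1.0-r4 x86_64 {openssl} (Apache-2.0) [installed]
musl-1.2.4-r0 x86_64 {musl} (MIT) [installed]
zlib-1.2.13-r1 x86_64 {zlib} (Zlib) [installed]
/ #"""
REGISTRY_LDD = "/lib/ld-musl-aarch64.so.1: /bin/registry: Not a valid dynamic program\n"
DYNAMIC_LDD = "\t/lib/ld-musl-x86_64.so.1 (0x7f00)\n\tlibz.so.1 => /lib/libz.so.1 (0x7f10)\n"
```

For the static registry binary every package comes back "image-only", which is the point made earlier in the thread: the zlib and OpenSSL packages sit in the image but are not loaded by the Go binary, so they are a base-image hygiene issue rather than a direct exposure of the registry process.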

milosgajdos commented 7 months ago

@anurag-deshpande we've just made a new release https://github.com/distribution/distribution/releases/tag/v3.0.0-alpha.1

Find the latest updated image in https://hub.docker.com/r/distribution/distribution/tags