search

docker / scan-cli-plugin

Docker Scan is a Command Line Interface to run vulnerability detection on your Dockerfiles and Docker images
Apache License 2.0
181 stars 44 forks source link

ERROR: self signed certificate in certificate chain #168

Open CloudSpark opened 3 years ago

CloudSpark commented 3 years ago

Description Our LARGE company uses self signed certificates in order to access a lot of external resources. There needs to be a way to bypass certificate checking or a better way of implementing their use.

Steps to reproduce the issue:

  1. NODE_TLS_REJECT_UNAUTHORIZED='0' docker scan (NOTE: run behind firewall requiring use of locally signed certs to get out.)

Describe the results you received: self signed certificate in certificate chain

Describe the results you expected: Actual scan results.

Additional information you deem important (e.g. issue happens only occasionally):

Output of docker version:

Client: Docker Engine - Community
 Version:           20.10.7
 API version:       1.41
 Go version:        go1.13.15
 Git commit:        f0df350
 Built:             Wed Jun  2 11:56:40 2021
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

Server: Docker Engine - Community
 Engine:
  Version:          20.10.7
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.13.15
  Git commit:       b0f5bc3
  Built:            Wed Jun  2 11:54:48 2021
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.4.8
  GitCommit:        7eba5930496d9bbe375fdf71603e610ad737d2b2
 runc:
  Version:          1.0.0
  GitCommit:        v1.0.0-0-g84113ee
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

Output of docker scan --version:

Version:    v0.8.0
Git commit: 35651ca
Provider:   Snyk (1.563.0 (standalone))

Output of docker info:

Client:
 Context:    default
 Debug Mode: false
 Plugins:
  app: Docker App (Docker Inc., v0.9.1-beta3)
  buildx: Build with BuildKit (Docker Inc., v0.5.1-docker)
  scan: Docker Scan (Docker Inc., v0.8.0)

Server:
 Containers: 11
  Running: 4
  Paused: 0
  Stopped: 7
 Images: 80
 Server Version: 20.10.7
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 1
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runtime.v1.linux runc io.containerd.runc.v2
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 7eba5930496d9bbe375fdf71603e610ad737d2b2
 runc version: v1.0.0-0-g84113ee
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: default
 Kernel Version: 4.15.0-154-generic
 Operating System: Ubuntu 18.04.5 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 8
 Total Memory: 31.39GiB
 Name: mdias-dev15
 ID: B6TX:ACF7:4TZ3:SJZB:5SWY:A4HX:VKZU:IIUC:R2KP:SZL5:X3ZV:XEXG
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Username: sparker0
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: No swap limit support

Additional environment details (AWS, VirtualBox, physical, etc.): Running on VMWare virtual machines, Ubuntu 20

mcascone commented 2 years ago

I believe we're seeing something similar. I am running this on my Windows 10 laptop, connected to my corporate VPN using Zscaler. The ZScaler replaces/does something with the CA certs which frequently causes issues accessing external resources, especially on Linux and Docker. I get the same result when off the VPN as well.

~> docker scan 9339a7d50702
unable to get local issuer certificate

debug info:

~>  docker scan --version
Version:    v0.11.0
Git commit: c8da19f
Provider:   Snyk (1.563.0 (standalone))
~> docker info
Client:
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc., v0.7.1)
  compose: Docker Compose (Docker Inc., v2.2.1)
  scan: Docker Scan (Docker Inc., v0.11.0)

Server:
 Containers: 37
  Running: 32
  Paused: 0
  Stopped: 5
 Images: 13
 Server Version: 20.10.11
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 1
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: runc io.containerd.runc.v2 io.containerd.runtime.v1.linux
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 7b11cfaabd73bb80907dd23182b9347b4245eb5d
 runc version: v1.0.2-0-g52b36a2
 init version: de40ad0
 Security Options:
  seccomp
   Profile: default
 Kernel Version: 5.10.60.1-microsoft-standard-WSL2
 Operating System: Docker Desktop
 OSType: linux
 Architecture: x86_64
 CPUs: 8
 Total Memory: 12.31GiB
 Name: docker-desktop
 ID: PVZM:2BMX:Z6RR:YO4R:USQ5:D6VO:62JZ:2O6C:IOT6:54LG:WPBV:DCMW
 Docker Root Dir: /var/lib/docker
 Debug Mode: true
  File Descriptors: 154
  Goroutines: 133
  System Time: 2021-12-16T19:01:53.0912448Z
  EventsListeners: 3
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: No blkio throttle.read_bps_device support
WARNING: No blkio throttle.write_bps_device support
WARNING: No blkio throttle.read_iops_device support
WARNING: No blkio throttle.write_iops_device support
jajansen commented 2 years ago

Same problem. Also behind ZScaler that replaces the root-cert with a custom company cert

cawoodm commented 2 years ago

It seems docker scan does not respect the system CA Certificates.

curl https://docs.docker.com/ -I
# No Problem

docker scan myimage
# Boom!
unable to verify the first certificate
turbolocust commented 2 years ago

Same problem. Also behind ZScaler that replaces the root-cert with a custom company cert

I can confirm this. The necessary custom certificates are imported. Other applications do not have this issue.

jeeftor commented 2 years ago

I have the exact same issues with zscalar

koenderoo commented 2 years ago

Any workaround available yet?

machetto commented 2 years ago

Same problem. Our images have our corporate CA Root certs inserted to their CA Trust Stores (for RHEL it is copy the certs to /etc/pki/ca-trust/source/anchors/ and run update-ca-trust). Not sure why the error says the certs are self-signed. Is there a workaround or a fix for it?

samratbasrajci commented 2 years ago

I have same issue.. after Disabling all the vpn, works for me.

josh-keller commented 2 years ago

I have the same issue. Disabling VPN does not help because traffic still goes through corporate proxy.

jeeftor commented 1 year ago

This is a pretty basic thing... how come its not fixed?

RayceRossum commented 1 year ago

Still facing this issue with zscaler