Open rawrmonster17 opened 2 months ago
@rawrmonster17 thanks for raising this. Would it be possible for you to push a public image to a container registry that demonstrates this issue? I'm happy to look into it.
This is not only for docker-scout. I believe it's because you create the virtual environment by using

```
python -m venv venv
```

This should have pip inside this venv folder.
Is there a public image somewhere that would let me reproduce this?
Here is my setup.

`base.Dockerfile`:

```dockerfile
# Source: https://raw.githubusercontent.com/docker-library/python/9ff8b15bc523ab47020d9fb4a2449d5a82ff9750/3.9/bullseye/slim/Dockerfile
#
# NOTE: THIS DOCKERFILE IS GENERATED VIA "update.sh"
#
# PLEASE DO NOT EDIT IT DIRECTLY.
#
FROM python:3.9.18-slim-bookworm as base

# ensure local python is preferred over distribution python
ENV PATH /usr/local/bin:$PATH

# runtime dependencies
RUN set -eux; \
    apt-get update; \
    apt-get upgrade -y; \
    apt-get install -y --no-install-recommends \
        ca-certificates \
        netbase \
        tzdata \
    ; \
    rm -rf /var/lib/apt/lists/*

RUN pip uninstall pip -y # we don't need pip, we use poetry

CMD ["python3"]
```
`server.Dockerfile`:

```dockerfile
FROM local/python:3.9.18-bookworm AS base

FROM base AS compile-image

## virtualenv
ENV VIRTUAL_ENV=/opt/venv
RUN python3 -m venv $VIRTUAL_ENV && . $VIRTUAL_ENV/bin/activate && pip uninstall pip -y && deactivate
ENV PATH="$VIRTUAL_ENV/bin:$PATH"

# Install psycopg2 build dependencies & wget+unzip for Oracle InstantClient & all DBs pip dependencies
RUN apt-get update && \
    apt-get install -y gcc libpq-dev python3-dev build-essential libssl-dev libffi-dev libcurl4-openssl-dev wget unzip curl && \
    curl -sSL https://install.python-poetry.org | python3 -

# specify path to poetry binary
ENV PATH="/root/.local/bin:$PATH"
ENV POETRY_NO_INTERACTION=1 \
    POETRY_VIRTUALENVS_CREATE=false

# Ideally, we should declare PIP_REQUIREMENTS at the first line (as we use it in both build and runtime stages).
# However, RUN commands run when an arg is changed, even if they don't use it: https://stackoverflow.com/a/57017745/13340988
# There is no problem if we re-declare an arg, so we declare it as late as we can.
ARG PIP_REQUIREMENTS=common,task_initiator
COPY poetry.lock pyproject.toml ./
RUN poetry install --with $PIP_REQUIREMENTS

FROM base AS runtime-image
ARG PIP_REQUIREMENTS=common,task_initiator

RUN useradd --create-home example
USER example
COPY --from=compile-image --chown=example /opt/venv /opt/venv
ENV PATH=/opt/venv/bin:$PATH \
    PYTHONDONTWRITEBYTECODE=1 \
    PYTHONUNBUFFERED=1 \
    DJANGO_ENV=production \
    DOCKER=1

# Copy source code
WORKDIR /home/example/
COPY . .

CMD ["gunicorn", "-b", "0.0.0.0:8000", "--worker-tmp-dir", "/dev/shm", "-c", "./gunicorn.conf.py", "-w", "4", "--timeout", "90", "server.wsgi"]
ENTRYPOINT ["/home/example/entrypoint.sh"]
```
`build.sh` (the script uses `[[ ]]`, so it needs bash):

```bash
#!/usr/bin/env bash
set -e

image_tag_prefix=$1
dockerfiles_location=$(dirname "$0")

BASE_IMAGE_NAME='local/python:3.9.18-bookworm'

# build the base image only once; reuse it if it is already present locally
if [[ "$(docker images -q $BASE_IMAGE_NAME 2> /dev/null)" == "" ]]; then
    echo "✨ Building base image $BASE_IMAGE_NAME:"
    DOCKER_SCAN_SUGGEST=false docker build \
        -t $BASE_IMAGE_NAME \
        -f "$dockerfiles_location/base.Dockerfile" \
        $dockerfiles_location
else
    echo "✨ Skip building base image $BASE_IMAGE_NAME"
fi

echo ""

server_image_tag="${image_tag_prefix}server"
echo "✨ Building server image (tag: $server_image_tag):"
# any extra arguments (e.g. --build-arg ...) are passed through to docker build
DOCKER_SCAN_SUGGEST=false docker build \
    -t $server_image_tag \
    -f "$dockerfiles_location/server.Dockerfile" \
    "${@:2}" \
    $dockerfiles_location
```
`poetry.zip`: also attaching the poetry dependency files, as they are needed to install the Python deps into the Docker image.

Put everything in a single directory and run `build.sh` like the following:

```
./build.sh tt --build-arg PIP_REQUIREMENTS=common,task_initiator
```
What I managed to understand is that

```
COPY . .
```

is the root cause. You can remove it from the Docker image and just copy a single file or folder, and the issue is gone.
Is there a public image somewhere that would let me reproduce this?
I'm also facing the same issue. You can find my image here: https://hub.docker.com/layers/vijayjangir/pre-commit/latest-java21/images/sha256-7ebea1ede28c3b67ab7c99e2b7b30666563243830fe40c7a5bb5e38e95603320?context=repo&tab=vulnerabilities

It looks like I have the same issue. Attached is a screenshot from Docker Desktop.
To dig into where this package, and thus the CVE, is being detected from, it is usually easiest to use the `--locations` flag with the `docker scout cves` command. See the following example:

```
❯ docker scout cves vijayjangir/pre-commit:latest-java21 --locations --only-cve-id CVE-2018-20225
    ✓ SBOM of image already cached, 106 packages indexed
    ✗ Detected 1 vulnerable package with 1 vulnerability

## Overview

                    │       Analyzed Image
────────────────────┼────────────────────────────────────────────────────
  Target            │  vijayjangir/pre-commit:latest-java21
    digest          │  67ff15b5e7d8
    platform        │  linux/amd64
    provenance      │  https://github.com/vijay-jangir/pre-commit-docker
                    │  1b23f4824f341aa6a94faf135baa9b4ee7d3ed61
    vulnerabilities │    0C     1H     0M     0L
    size            │  107 MB
    packages        │  106

## Packages and Vulnerabilities

   0C     1H     0M     0L  pip 24.0
pkg:pypi/pip@24.0

  13: sha256:205151bc9d4c648bc742ff1abf3fefac6a10e27841540dab246d32c9874ff552
      /usr/local/lib/python3.11/site-packages/pip-24.0.dist-info/METADATA (evident by)
      /usr/local/lib/python3.11/site-packages/pip-24.0.dist-info/RECORD (evident by)
      /usr/local/lib/python3.11/site-packages/pip-24.0.dist-info/top_level.txt (evident by)

    ✗ HIGH CVE-2018-20225 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities]
      https://scout.docker.com/v/CVE-2018-20225
      Affected range  : >=0
      Fixed version   : not fixed
      CVSS Score      : 7.8
      CVSS Vector     : CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
      EPSS Score      : 0.11%
      EPSS Percentile : 45th percentile

1 vulnerability found in 1 package
  LOW       0
  MEDIUM    0
  HIGH      1
  CRITICAL  0
```

So, even though there is no Debian or similar pip package installed in this image, there are still traces of the installation on the filesystem of the container that trigger this CVE. In this example it is at the path `/usr/local/lib/python3.11/site-packages/pip-24.0.dist-info`.
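The point above is that an SBOM-based scanner decides "pip is installed" from the `pip-<version>.dist-info` metadata directory (`METADATA`, `RECORD`, `top_level.txt`), not from a distro package, so a stray copy of that directory anywhere under a `site-packages` path (for example a local virtualenv pulled in by `COPY . .`) is enough to keep the finding alive after `pip uninstall`. The following script is an added example and not part of this issue or of docker scout: it locates such traces in an exported image filesystem so a build pipeline can gate on them. The directory layout it builds under `make_sample_tree` is constructed for the demonstration; the `find_pip_traces`, `count_pip_traces` and `make_sample_tree` function names are mine.

```shell
#!/usr/bin/env sh
# Added example (not from the issue thread or docker scout): find the on-disk
# pip metadata that makes an SBOM scanner report pkg:pypi/pip even after
# "pip uninstall pip". Only *.dist-info directories below a site-packages
# path are considered, because those are the files scout listed as evidence.

# Print every pip dist-info directory found under ROOT, one per line.
find_pip_traces() {
    root="$1"
    find "$root" -type d -name 'pip-*.dist-info' -path '*site-packages*' 2>/dev/null | sort
}

# Number of traces found under ROOT; a CI gate would require this to be 0.
# grep -c prints 0 and exits non-zero on no match, hence the "|| true".
count_pip_traces() {
    find_pip_traces "$1" | grep -c . || true
}

# Constructed sample tree: pip was removed from the interpreter's own
# site-packages, but a project directory copied with "COPY . ." still
# carries a local venv with pip 24.0 metadata left inside it.
make_sample_tree() {
    root="$1"
    mkdir -p "$root/usr/local/lib/python3.11/site-packages/certifi-2024.2.2.dist-info"
    venv_sp="$root/home/example/venv/lib/python3.11/site-packages"
    mkdir -p "$venv_sp/pip" "$venv_sp/pip-24.0.dist-info"
    for f in METADATA RECORD top_level.txt; do
        : > "$venv_sp/pip-24.0.dist-info/$f"
    done
}

# Stand-alone demo on the constructed tree.
demo_root=$(mktemp -d)
make_sample_tree "$demo_root"
echo "pip traces under $demo_root:"
find_pip_traces "$demo_root"
echo "count: $(count_pip_traces "$demo_root")"
rm -rf "$demo_root"
```

To run it against a real image rather than the constructed tree, export the container filesystem first (`docker create` followed by `docker export ... | tar -x -C <dir>`) and pass that directory as `ROOT`. When the hits sit inside a copied project directory, the fix is in the build context (excluding the local virtualenv from what `COPY . .` sends) rather than another `pip uninstall` in the Dockerfile.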
I fully understand that pip has a weird vulnerability, CVE-2018-20225, but even if you uninstall pip and pip3, docker scout is still showing this vulnerability. My question is: does any package installed by pip still cause this CVE? I thought it was only the pip package itself, due to the way it could install packages incorrectly using the `--extra-index-url` flag.