eclipse-che / che

Kubernetes based Cloud Development Environments for Enterprise Teams
http://eclipse.org/che
Eclipse Public License 2.0

CVEs present in Universal Developer Image #22704

Open debkantap opened 7 months ago

debkantap commented 7 months ago

Summary

Can we use Universal Developer Image as the base image for devfile in our custom devfile, as we see lots of vulnerability in the recent images from the quay site: https://quay.io/repository/devfile/universal-developer-image?tab=tags

Relevant information

No response

AObuchow commented 7 months ago

I can't comment on whether the security vulnerabilities currently present in the UDI are acceptable for your use case.

However, I see that at least 5 high severity vulnerabilities are coming from sdkman from the usage of JBang. I already fixed one vulnerability in the past, and the fix to upgrade JBang's dependencies should be simple enough.

There is a high severity vulnerability coming from JGit 5.7.0.202003110725-r though I'm not sure yet if this is coming from JBang or somewhere else.

However, from my understanding, if you are a Red Hat customer you should be using the downstream UDI image (which is free from any security vulnerabilities) instead of the community/upstream universal developer image.

debkantap commented 7 months ago

Thanks for your reply. I did check the Red Hat UDI image; it also has the vulnerabilities.

che-bot commented 1 month ago

Issues go stale after 180 days of inactivity. lifecycle/stale issues rot after an additional 7 days of inactivity and eventually close.

Mark the issue as fresh with /remove-lifecycle stale in a new comment.

If this issue is safe to close now please do so.

Moderators: Add lifecycle/frozen label to avoid stale mode.

AObuchow commented 1 month ago

/remove-lifecycle stale

AObuchow commented 1 month ago

> Thanks for your reply. I did check the Red Hat UDI image; it also has the vulnerabilities.

Sorry for the very slow reply.

There are 0 critical vulnerabilities in the RedHat UDI image, however there are other non-critical vulnerabilities. I believe the current consensus for this image is that the image cannot be shipped with any critical vulnerabilities.

I assume the non-critical vulnerabilities are still blockers for your usage?

AObuchow commented 1 month ago

Copying some information from a downstream UDI issue that was actually detailing a CVE present in the upstream UDI:

The upstream UDI image quay.io/devfile/universal-developer-image:ubi8-latest currently has the critical security vulnerability CVE-2022-42889 (https://nvd.nist.gov/vuln/detail/CVE-2022-42889).

This vulnerability comes from Apache Commons Text, though I am not sure where this library is being used as a dependency yet (maybe something being downloaded by sdkman?). The security scan from quay shows that the issue arises in the following layer:

RUN /bin/sh -c mkdir -p /home/user && chgrp -R 0 /home && chmod -R g=u /etc/passwd /etc/group /home # buildkit
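The scanner quoted above attributes the Commons Text finding to an image layer, which does not say which file actually carries the library. As an added example (not part of this issue thread or of the UDI project's own tooling), the script below walks a directory tree (for instance an unpacked image rootfs), finds Apache Commons Text jars by file name or by the `Implementation-Version` in their manifest, and flags anything older than 1.10.0, the release that fixed CVE-2022-42889. The sample jars it scans are constructed in a temporary directory so it runs offline; `build_sample_tree` and the paths inside it are illustrative assumptions, not real artifacts.

```python
"""Locate Apache Commons Text jars under a directory tree and flag those
older than 1.10.0 (the release that fixed CVE-2022-42889).

Added example: the sample jars are constructed in a temp directory so the
scan can run offline; nothing here is taken from a real image.
"""
import os
import re
import tempfile
import zipfile
from typing import List, Optional, Tuple

# First Commons Text release without CVE-2022-42889.
FIXED_VERSION = (1, 10, 0)

# Matches commons-text-1.9.jar as well as an unversioned commons-text.jar.
NAME_RE = re.compile(r"^commons-text(?:-(\d+(?:\.\d+)*))?\.jar$")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Reduce '1.9', '1.10.0' or '1.10.0-SNAPSHOT' to a zero-padded 3-tuple."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())  # type: ignore[return-value]


def is_vulnerable(version: str) -> bool:
    """True when the version predates the fixed release."""
    return parse_version(version) < FIXED_VERSION


def version_from_manifest(jar_path: str) -> Optional[str]:
    """Read Implementation-Version from META-INF/MANIFEST.MF, if present."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError, OSError):
        return None
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def scan_tree(root: str) -> List[Tuple[str, str, Optional[bool]]]:
    """Return (path, version, vulnerable) for every Commons Text jar found.

    The manifest wins over the file name; a jar with neither yields
    version 'unknown' and vulnerable=None so it is reviewed by hand."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            m = NAME_RE.match(name)
            if not m:
                continue
            path = os.path.join(dirpath, name)
            version = version_from_manifest(path) or m.group(1)
            if version is None:
                findings.append((path, "unknown", None))
            else:
                findings.append((path, version, is_vulnerable(version)))
    return sorted(findings)


def build_sample_tree(root: str) -> None:
    """Create constructed sample jars (hypothetical paths, not real files)."""
    samples = {
        # versioned name, no manifest: falls back to the file name
        "opt/app/lib/commons-text-1.9.jar": None,
        # versioned name plus manifest, already on the fixed release
        "home/user/.sdkman/candidates/x/lib/commons-text-1.10.0.jar": "1.10.0",
        # unversioned name: only the manifest reveals the version
        "usr/share/java/commons-text.jar": "1.8",
    }
    for rel, manifest_version in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as zf:
            if manifest_version is None:
                zf.writestr("placeholder.txt", "no manifest in this sample jar\n")
            else:
                zf.writestr("META-INF/MANIFEST.MF",
                            f"Manifest-Version: 1.0\n"
                            f"Implementation-Version: {manifest_version}\n")


def demo() -> List[Tuple[str, str, Optional[bool]]]:
    """Build the constructed tree, scan it, and return root-relative findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return sorted((os.path.relpath(p, tmp), v, vuln)
                      for p, v, vuln in scan_tree(tmp))


if __name__ == "__main__":
    for path, version, vulnerable in demo():
        status = {True: "VULNERABLE", False: "ok", None: "REVIEW"}[vulnerable]
        print(f"{status:10} {version:8} {path}")
```

Point it at a rootfs exported from the image (for example the output of `podman export`) to see which layer's files actually carry the library; a finding under a user's sdkman or JBang directory rather than a system path supports the "something being downloaded by sdkman" hypothesis above.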

debkantap commented 1 month ago

hey @AObuchow thanks for the reply. Maybe it is because of the chmod for the passwd file.

TR Deb

AObuchow commented 1 month ago

> hey @AObuchow thanks for the reply. Maybe it is because of the chmod for the passwd file.
>
> TR Deb

Yes, this is something we are currently looking into. Thank you for the suggestion & follow-up @debkantap :)