search

hawkeyesec / scanner-cli

A project security/vulnerability/risk scanning tool
Other
358 stars 89 forks source link

out of date python-safety package causes error in scanner-cli docker image #163

Closed derwent-m closed 3 years ago

derwent-m commented 4 years ago

Issue Template

Description

The :latest hawkeyesec/scanner-cli Docker image, is using an outdated version of the safety pypi package. The version specified in Dockerfile is 1.8.4, however version 1.9.0 contains a bug fix for this error.

Steps to Reproduce

git clone git@github.com:derwent-m/sample-flask-app.git
cd sample-flask-app
docker run --rm -v "$PWD/web:/target" hawkeyesec/scanner-cli:latest

Expected behavior: [What you expect to happen]

When I use my own patched docker image with the latest python-safety, python-safety runs successfully and contributes outputs in the summary table

docker run --rm -v "$PWD/web:/target" derwentx/scanner-cli:latest
python-safety  critical  flask 0.12                flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3.  Versions <0.12.3 are vulnerable. Update to a non vulnerable version.      
python-safety  critical  flask 0.12                The Pallets Project Flask before 1.0 is affected by: unexpected memory usage. The impact is: denial of service. The attack vector is: crafted encoded JSON data. The fixed version is: 1. See: CVE-2019-1010083. (NOTE: this may overlap CVE-2018-1000656.)                                                                                  Versions <1.0 are vulnerable. Update to a non vulnerable version.         
python-safety  critical  sqlalchemy 1.1.4          SQLAlchemy through 1.2.17 and 1.3.x through 1.3.0b2 allows SQL Injection via the order_by parameter. See: CVE-2019-7164.                                                                                                                                                                                                                     Versions <=1.2.17 are vulnerable. Update to a non vulnerable version.     
python-safety  critical  werkzeug 0.11.15          The defaults of ``generate_password_hash`` in werkzeug 0.12 have been changed to more secure ones, see pull request ``#753``.                                                                                                                                                                                                                Versions <0.12 are vulnerable. Update to a non vulnerable version.        
python-safety  critical  werkzeug 0.11.15          Werkzeug 0.15.0 refactors class:`~middleware.proxy_fix.ProxyFix` to support more headers, multiple values, and a more secure configuration.                                                                                                                                                                                                  Versions <0.15.0 are vulnerable. Update to a non vulnerable version.

Actual behavior: [What actually happens]

The python-safety module returns the following error:

docker run --rm -v "$PWD/web:/target" hawkeyesec/scanner-cli:latest
[error] python-safety returned an error! Unexpected end of JSON input

Version

The latest version of the docker container, hawkeyesec/scanner-cli@sha256:e43564c74a8d4caf3e8c780cf96206966e0b603d19ef64ef31f14e6b5fbdbf98 according to docker inspect --format='{{index .RepoDigests 0}}'

Feature Template

As a Python DevOps person I want to be notified of any python-safety issues in my pipeline So that I can triage those issues accordingly.

Acceptance Criteria

ricohomewood commented 3 years ago

@haohaolee is it possible to complete this PR Fix as we are also having this problem

haohaolee commented 3 years ago

@ricohomewood I am looking into this right now~

haohaolee commented 3 years ago

@ricohomewood Please take a look at the latest image in docker hub to see if it works for you now

ricohomewood commented 3 years ago

Thanks @haohaolee but the latest build is still showing pyton-safey as 1.8.4

image

derwent-m commented 3 years ago

Steps attempted to reproduce:

git clone https://github.com/ThoughtWorksInc/AS101-4-workshop.git
cd AS101-4-workshop
docker run --rm -v "$PWD/web:/target" hawkeyesec/scanner-cli:latest

Image downloaded:

Digest: sha256:6b3cfc584f1e34d065817ea2f8c5bf92b7247ce4e9d52912e60e41311d0b0ec9
Status: Downloaded newer image for hawkeyesec/scanner-cli:latest

Error still shows:

[error] python-safety returned an error! Unexpected end of JSON input

Try my fix! https://github.com/hawkeyesec/scanner-cli/pull/164

haohaolee commented 3 years ago

Hi @derwent-m @ricohomewood Please try again. I am not familiar with the image deployment process, just updated the version tag.

ricohomewood commented 3 years ago

Hi @haohaolee. Yep the lasted Docker image has the update version now and is working.

Digest: sha256:1d66a2e6952394b5b246106df006403fc41a39e5d90223c5bb9da07c465a8b17
Status: Downloaded newer image for hawkeyesec/scanner-cli:latest

And

[info] Running module python-safety

Thanks