higlass / higlass-docker

Builds a docker container wrapping higlass-server and higlass-client in nginx
MIT License

Security vulnerabilities with latest (0.9.0) image #178

Closed brianrepko closed 2 years ago

brianrepko commented 2 years ago

My company has a vulnerability (CVE) scanner for docker images. We've run higlass/higlass-docker:latest through a scan on Dec 14, 2021 and it didn't pass. I can probably attach the log here - though the configuration for ultimate pass / fail is ours - it does have the full list of vulnerabilities - or I can email it to one of the project developers.

In general, many of the components have critical or high CVEs assigned to them - or high scores - but can be fixed with updating versions. These include django, Pillow, dask, pandas, and urllib3. Also node.js on ubuntu 18.04 has an issue - and many other components are based on wanting to push up to ubuntu 20.04 (as an LTS release).

I can see various other issues / PRs from dependabot - particularly for Pillow (the worst offender) but these PRs are 3 months old.

The other 2 issues are:

- there is a private key file buried in the tornado package that needs removing (called test.key)
- the container runs as root

Happy to work with the team on this but not sure how to proceed - thoughts?

pkerpedjiev commented 2 years ago

Thanks for pointing this out. How urgent is this for you? I can try to get a few of these merged over the weekend.

For the other 2 issues:

> there is a private key file buried in the tornado package that needs removing (called test.key)

Does this just require a version bump of the tornado package?

> the container runs as root

Could you elaborate on this? Do you mean that the programs inside the container run as root?

brianrepko commented 2 years ago

Hi Peter - I can send you the scan process html output file via email if you want. I'm at brian.repko@novartis.com. I can look into the tornado package - it might be fixed with a version bump but I don't know.

In terms of running as root, I'd have to ask for more details but I believe so. I've only run the scan and not actually run the container so it is difficult for me to tell, but other users mentioned the same thing. For example, nginx might run as root for access to port 80?
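The two non-CVE findings in this thread (a private key file shipped inside a package, and an image whose default user is root) can both be verified offline without the scanner. The script below is an added example, not code from higlass-docker or its maintainers. It assumes the image has already been exported (`docker create` + `docker export` unpacked into a directory) and inspected (`docker inspect <image>` saved as JSON); the sample rootfs it builds and the two inspect documents are constructed fixtures, and the `tornado/test/test.key` path is assumed from the comment above, not taken from the real image. Note that `Config.User` only tells you which user the entrypoint starts as; a service that binds port 80 as root and then drops privileges for its workers (the usual nginx pattern) still shows up as root here, so the fix is to run the whole container as an unprivileged user and either listen on a high port or grant `CAP_NET_BIND_SERVICE`.

```python
"""Offline checks for two container findings: private-key files inside an
exported image filesystem, and an image configured to start as root.

Added example, not the project's own code. Assumed inputs (not produced here):
an unpacked `docker export` tree and the JSON printed by `docker inspect`.
"""
import json
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# PEM headers for the common private-key encodings (PKCS#1, PKCS#8, EC, OpenSSH).
# A public key or certificate header deliberately does not match.
PRIVATE_KEY_RE = re.compile(
    rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"
)
MAX_READ = 4096  # a PEM header sits at the top of the file; no need to read more


def find_private_keys(rootfs: str) -> List[str]:
    """Return rootfs-relative paths of regular files whose head carries a PEM private-key header."""
    hits = []
    for dirpath, _dirs, files in os.walk(rootfs):
        for name in files:
            path = Path(dirpath) / name
            if path.is_symlink():  # symlinks are followed to the real file elsewhere in the walk
                continue
            try:
                with open(path, "rb") as fh:
                    head = fh.read(MAX_READ)
            except OSError:  # unreadable special files in a real rootfs
                continue
            if PRIVATE_KEY_RE.search(head):
                hits.append(str(path.relative_to(rootfs)))
    return sorted(hits)


def runs_as_root(inspect_json: str) -> bool:
    """True if Config.User is unset, 'root' or uid 0 in `docker inspect` output (a one-element list)."""
    data = json.loads(inspect_json)
    if isinstance(data, list):
        data = data[0]
    user = (data.get("Config", {}).get("User") or "").strip()
    if not user:  # no USER directive at all: the daemon starts the entrypoint as uid 0
        return True
    name_or_uid = user.split(":", 1)[0]  # "user:group" or "uid:gid" forms
    return name_or_uid in ("root", "0")


# Constructed `docker inspect` documents (trimmed to the fields used; not real image IDs).
SAMPLE_INSPECT_ROOT = '[{"Id": "sha256:constructed0", "Config": {"User": "", "ExposedPorts": {"80/tcp": {}}}}]'
SAMPLE_INSPECT_NONROOT = '[{"Id": "sha256:constructed1", "Config": {"User": "1000:1000", "ExposedPorts": {"8080/tcp": {}}}}]'


def build_sample_rootfs() -> str:
    """Create a constructed miniature rootfs (placeholder bytes, not real keys) to exercise the scanner."""
    base = tempfile.mkdtemp(prefix="rootfs-")
    files = {
        # assumed location of the tornado test key mentioned in the thread
        "usr/lib/python3.8/site-packages/tornado/test/test.key":
            b"-----BEGIN RSA PRIVATE KEY-----\nQ09OU1RSVUNURUQgUExBQ0VIT0xERVI=\n-----END RSA PRIVATE KEY-----\n",
        "etc/ssl/private/server.pem":
            b"-----BEGIN ENCRYPTED PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END ENCRYPTED PRIVATE KEY-----\n",
        "etc/ssl/certs/ca.crt":
            b"-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n",
        "root/.ssh/id_ed25519.pub": b"ssh-ed25519 AAAA constructed placeholder\n",
        "bin/sh": b"\x7fELF constructed placeholder\n",
    }
    for rel, content in files.items():
        path = Path(base) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)
    return base


def demo() -> Dict[str, object]:
    """Run both checks against the constructed fixtures and return the findings."""
    rootfs = build_sample_rootfs()
    return {
        "keys": find_private_keys(rootfs),
        "root_image_runs_as_root": runs_as_root(SAMPLE_INSPECT_ROOT),
        "nonroot_image_runs_as_root": runs_as_root(SAMPLE_INSPECT_NONROOT),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Against a real image, point `find_private_keys` at the directory you unpacked the `docker export` tarball into and pass the raw `docker inspect` output to `runs_as_root`; the certificate and public key in the fixture are there to show the regex ignores them, since only private material is a leak.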

brianrepko commented 2 years ago

In terms of urgency, our goal is to stand this up by end of January so a secure container by mid-January should work. Otherwise I might have to learn how to develop on this code and try the updates myself.

brianrepko commented 2 years ago

Closing this ticket as the HiGlass team has patched most of the issues and we will create our own docker-compose setup.