jfrog / jfrog-cli

JFrog CLI is a client that provides a simple interface that automates access to the JFrog products.
https://www.jfrog.com/confluence/display/CLI/JFrog+CLI
Apache License 2.0

Xray blocking release jfrog client #589

Closed gfvirga closed 4 years ago

gfvirga commented 4 years ago

Hello,

I have built an internal jfrog CLI image running on RHEL 7, and Xray is blocking jfrog CLI because it was built with an old version of Go.

Dockerfile used

FROM bar.jfrog.company.com/ubi7:89a082b4
ENV VERSION=1.33.2
USER root
RUN curl -o /usr/local/bin/jfrog "https://bar.jfrog.company.com/artifactory/generic-jfrogbintraycomjfrogcligo-remote/${VERSION}/jfrog-cli-linux-amd64/jfrog"
RUN chmod +x /usr/local/bin/jfrog
USER 1001

Xray errors

Finding 1
  Summary: net/url in Go before 1.11.13 and 1.12.x before 1.12.8 mishandles malformed hosts in URLs, leading to an authorization bypass in some applications. This is related to a Host field with a suffix appearing in neither Hostname() nor Port(), and is related to a non-numeric port number. For example, an attacker can compose a crafted javascript:// URL that results in a hostname of google.com.
  Severity: High
  Type: security
  Watch Name: HIGH-WATCH-LOCAL
  Violated Resources: repository:company-docker-temp:company-PCL-ARTIFACTORY
  Component: github.com/golang/go
  Created: 2020-01-30T10:38:38-05:00
  Policy: 1 | HIGH-SECURITY-POLICY

Finding 2
  Summary: Go through 1.12.5 on Windows mishandles process creation with a nil environment in conjunction with a non-nil token, which allows attackers to obtain sensitive information or gain privileges.
  Severity: High
  Type: security
  Watch Name: HIGH-WATCH-LOCAL
  Violated Resources: repository:company-docker-temp:company-PCL-ARTIFACTORY
  Component: github.com/golang/go
  Created: 2020-01-30T10:38:38-05:00
  Policy: 1 | HIGH-SECURITY-POLICY
gfvirga commented 4 years ago

The official release Docker image, which uses Alpine, is built with the latest version of Go.

Xray doesn't find any problems:

FROM docker.bintray.io/jfrog/jfrog-cli-go:latest AS build
WORKDIR /usr/local/bin/

FROM bar.prod.company.com/company-docker-temp/ubi7
LABEL maintainer="UBI commitee" \
      name="ubi7-jfrogcli" \
      url="https://gitlab.company.com/machine-shop/catalog/"
ENV VERSION=1.33.2

USER root
COPY --from=build /usr/local/bin/jfrog /usr/local/bin/jfrog
RUN chmod +x /usr/local/bin/jfrog
USER 1001
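The two Dockerfiles in this thread differ only in which Go toolchain built the copied jfrog binary, which is what Xray keys the github.com/golang/go findings on. As an added example (not code from the jfrog-cli project or from anyone in this thread), the following script checks that directly at build time: it reads the toolchain version embedded in a Go binary with `go version <binary>` and compares it against a minimum. It assumes a Go toolchain is on PATH in the build stage and that `sort -V` (GNU coreutils or busybox) is available; the minimum version 1.12.8 used in the usage comment is taken from the first finding above.

```shell
#!/bin/sh
# Added example: verify the Go toolchain a vendored Go binary was built with,
# so an old stdlib does not reach the registry in the first place.
# Assumes: `go` on PATH (Go 1.13+ supports `go version <binary>`) and `sort -V`.

# go_version_at_least VERSION MINIMUM
# Returns 0 when VERSION (e.g. "1.14") is >= MINIMUM (e.g. "1.12.8").
# sort -V orders "1.12.8" before "1.14", and "1.14" before "1.14.1".
go_version_at_least() {
    ver=$1
    min=$2
    lowest=$(printf '%s\n%s\n' "$min" "$ver" | sort -V | head -n 1)
    [ "$lowest" = "$min" ]
}

# parse_go_version LINE
# Extracts "1.12.5" from a `go version` line such as
# "/usr/local/bin/jfrog: go1.12.5" or "go version go1.14 linux/amd64".
# Prints nothing for development toolchains ("devel ...") it cannot parse.
parse_go_version() {
    printf '%s\n' "$1" | sed -n 's/.*go\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# binary_go_version BINARY
# Prints the Go version recorded in the binary's build info (needs `go`).
binary_go_version() {
    parse_go_version "$(go version "$1" 2>/dev/null)"
}

# check_binary BINARY MINIMUM
# Exit 0 if BINARY was built with Go >= MINIMUM, 1 if older, 2 if unknown.
check_binary() {
    ver=$(binary_go_version "$1")
    if [ -z "$ver" ]; then
        echo "$1: could not determine Go version" >&2
        return 2
    fi
    if go_version_at_least "$ver" "$2"; then
        echo "$1: built with go$ver (>= $2) OK"
    else
        echo "$1: built with go$ver (< $2) FAIL" >&2
        return 1
    fi
}

# Usage in the build stage, right after the binary is copied in, e.g.:
#   check_binary /usr/local/bin/jfrog 1.12.8 || exit 1
```

Running the check in the `build` stage (where the Go toolchain exists) rather than in the final UBI image keeps the runtime image free of the toolchain; a non-zero exit fails the `docker build`, so a binary compiled with a toolchain older than the minimum never becomes an image for Xray to reject later.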

eyalbe4 commented 4 years ago

@gfvirga, does this issue need to be closed? If not, please share with us the issue you see. Thanks.

gfvirga commented 4 years ago

@eyalbe4, no, the future releases need to be compiled with a non-vulnerable version of Go...

eyalbe4 commented 4 years ago

@gfvirga, the Dockerfile has been updated to use Go 1.14. The latest release of the Docker image used this Dockerfile. Please let us know if the issue is resolved for you.

gfvirga commented 4 years ago

This is great. I am able to pull it from JFrog Artifactory, scanned by Xray.