lib / pq

Pure Go Postgres driver for database/sql
https://pkg.go.dev/github.com/lib/pq
MIT License

Private keys cause Trivy HIGH vulnerability alerts #1158

Open gmlewis opened 5 months ago

gmlewis commented 5 months ago

When building a Docker image using this package, and then performing a Trivy scan on it, it reports HIGH vulnerability errors due to the private keys in the certs dir that are used for testing purposes on Travis:

/go/pkg/mod/github.com/lib/pq@v1.10.9/certs/postgresql.key (secrets)
====================================================================
Total: 1 (HIGH: 1, CRITICAL: 0)

HIGH: AsymmetricPrivateKey (private-key)
════════════════════════════════════════
Asymmetric Private Key
────────────────────────────────────────
 /go/pkg/mod/github.com/lib/pq@v1.10.9/certs/postgresql.key:1 (added by '[stage-1 3/5] COPY --chown=1001:1001 --f')
────────────────────────────────────────
   1 [ -----BEGIN PRIVATE KEY-----*************************************************************************************************************************************************************************************************************************************************************************************************************************************************************************-----END PRIVATE KEY-----
   2   
────────────────────────────────────────

/go/pkg/mod/github.com/lib/pq@v1.10.9/certs/server.key (secrets)
================================================================
Total: 1 (HIGH: 1, CRITICAL: 0)

HIGH: AsymmetricPrivateKey (private-key)
════════════════════════════════════════
Asymmetric Private Key
────────────────────────────────────────
 /go/pkg/mod/github.com/lib/pq@v1.10.9/certs/server.key:1 (added by '[stage-1 3/5] COPY --chown=1001:1001 --f')
────────────────────────────────────────
   1 [ -----BEGIN PRIVATE KEY-----***********************************************************************************************************************************************************************************************************************************************************************************************************************************-----END PRIVATE KEY-----
   2   
────────────────────────────────────────

One solution could be to delete the certs directory during the Docker image build, but I thought I should report this in case others run into the issue.

zyv4yk commented 5 months ago

+1 we have the same issue

As I see it, these files are needed for testing purposes, so you could provide them in the Travis settings or through repository secrets.

gmlewis commented 5 months ago

@zyv4yk - I was curious how any of this code was getting into our Dockerfile in the first place, and it turns out that one of our developers did this in our Dockerfile:

# Make sure the dependencies persist
COPY --chown=1001:1001 --from=build-stage /go/pkg/mod /go/pkg/mod

Once we removed that, the Trivy vulnerability went away, so I recommend you take a look at how this code is actually getting into your container in the first place.
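An added shell example, not code from lib/pq or from anyone in this thread, that reproduces the finding offline: a constructed stand-in for the Go module cache, the two final-stage layouts discussed above (with and without the `COPY /go/pkg/mod` line), and a grep for the PEM header that Trivy's private-key rule matches on. The key paths under `github.com/lib/pq@v1.10.9/certs` come from the report; the file contents are placeholders.

```sh
#!/bin/sh
# Added example, not code from lib/pq or from anyone in this thread. It
# reproduces the Trivy finding offline: a constructed stand-in for the Go
# module cache, the two final-stage layouts under discussion, and a grep for
# the PEM header that Trivy's private-key secret rule matches on.
set -eu

# List regular files under $1 that contain a PEM private-key header.
# Exits 1 (like grep) when nothing matched; use count_private_keys as a gate.
find_private_keys() {
  grep -rl -- '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# Number of such files under $1; "test $(count_private_keys rootfs) -eq 0" in CI.
count_private_keys() {
  find_private_keys "$1" | wc -l | tr -d ' '
}

# Constructed module cache with the two key paths Trivy reported for lib/pq
# v1.10.9, plus a public cert and a source file that must not trigger the rule.
# Bodies are placeholders, not real key material.
make_module_cache() {
  pq="$1/github.com/lib/pq@v1.10.9"
  mkdir -p "$pq/certs"
  for k in server.key postgresql.key; do
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER-NOT-A-REAL-KEY' \
      '-----END PRIVATE KEY-----' > "$pq/certs/$k"
  done
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' '-----END CERTIFICATE-----' \
    > "$pq/certs/server.crt"
  printf 'package pq\n' > "$pq/conn.go"
}

# Final-stage layouts as plain directories ($1 = module cache, $2 = image root).
# The first mirrors "COPY --from=build-stage /go/pkg/mod /go/pkg/mod", which
# drags every dependency's test fixtures into the image; the second copies
# only the built binary, which is all the runtime stage needs.
final_stage_with_modcache() { mkdir -p "$2/go/pkg"; cp -R "$1" "$2/go/pkg/mod"; }
final_stage_binary_only()   { mkdir -p "$2/app"; printf 'built binary\n' > "$2/app/server"; }

# Stand-alone run: build both layouts from one module cache and compare.
demo() {
  work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
  make_module_cache "$work/mod"
  final_stage_with_modcache "$work/mod" "$work/image-a"
  final_stage_binary_only   "$work/mod" "$work/image-b"
  echo "with module cache: $(count_private_keys "$work/image-a") private key file(s)"  # 2
  echo "binary only:       $(count_private_keys "$work/image-b") private key file(s)"  # 0
}
demo
```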

johto commented 5 months ago

> As I see it, these files are needed for testing purposes, so you could provide them in the Travis settings or through repository secrets.

What about people who clone the repo and want to run the tests?

zyv4yk commented 5 months ago

@gmlewis Thanks, I will analyze my Dockerfile to find out how this is getting into the container.