Closed dR3b closed 2 years ago
no it's not dead. Though, I haven't made any changes in a while ... PRs are most welcome :)
Cool!
But the Docker image is 9 months old and contains many open CVEs:
~ » trivy -q image --severity CRITICAL,HIGH mkaczanowski/pastebin | grep -E "CVE"
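To turn a scan like the one above into a pass/fail gate, here is an added Python example (not part of the thread or of the pastebin project) that reads `trivy image -f json` output and separates HIGH/CRITICAL findings that already have a fixed version (a rebuild on a current base picks those up) from findings with no fix in the distro release. The embedded report is constructed from a few rows of the table; the `gate_passes` policy is an assumption, not a Trivy feature.

```python
"""Gate a Trivy JSON report on fixable vs. unfixed HIGH/CRITICAL findings."""
import json
import sys

# Constructed sample in the shape of `trivy image -f json` output (schema v2).
# Package names and CVE ids mirror rows of the scan above; "FixedVersion" is
# empty or absent when the distro release has no fix, exactly as Trivy emits it.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "Results": [{
        "Target": "mkaczanowski/pastebin (debian 10)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2022-1271", "PkgName": "gzip",
             "InstalledVersion": "1.9-3", "FixedVersion": "1.9-3+deb10u1",
             "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-2021-33574", "PkgName": "libc6",
             "InstalledVersion": "2.28-10", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-2021-3520", "PkgName": "liblz4-1",
             "InstalledVersion": "1.8.3-1", "FixedVersion": "1.8.3-1+deb10u1",
             "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-2019-12290", "PkgName": "libidn2-0",
             "InstalledVersion": "2.0.5-1+deb10u1", "Severity": "MEDIUM"},
        ],
    }],
})

GATE = {"CRITICAL", "HIGH"}


def triage(report_json, severities=GATE):
    """Return (fixable, unfixed) lists of (pkg, cve, fixed_version) tuples."""
    fixable, unfixed = [], []
    for result in json.loads(report_json).get("Results", []):
        # Trivy omits or nulls "Vulnerabilities" for a clean target.
        for v in result.get("Vulnerabilities") or []:
            if v.get("Severity") not in severities:
                continue
            entry = (v["PkgName"], v["VulnerabilityID"], v.get("FixedVersion", ""))
            (fixable if entry[2] else unfixed).append(entry)
    return fixable, unfixed


def gate_passes(report_json, allow_unfixed=True):
    """Assumed policy: fail on anything fixable; unfixed only if not allowed."""
    fixable, unfixed = triage(report_json)
    return not fixable and (allow_unfixed or not unfixed)


if __name__ == "__main__":  # usage: trivy -q image -f json IMAGE | python3 gate.py
    fixable, unfixed = triage(sys.stdin.read())
    for pkg, cve, fixed in fixable:
        print(f"FIXABLE {pkg} {cve} -> upgrade to {fixed}")
    for pkg, cve, _ in unfixed:
        print(f"UNFIXED {pkg} {cve} (no fix in this distro release)")
    sys.exit(0 if gate_passes(sys.stdin.read() or "{}") and not fixable else 1)
```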
Even though the base image was updated 3 days ago, it is still full of issues. I did check, and we can move from debian:buster-slim to ubuntu:22.04; it works perfectly, but the image is a bit bigger, and as a pro there are 0 Critical and High issues:
Why not use Alpine?
I tried it with alpine 3.15, but somehow was not able to run the binary file from it and did not troubleshoot this issue afterwards.
FROM rustlang/rust:nightly as builder
RUN apt-get update && apt-get install -y apt-utils software-properties-common lsb-release
RUN bash -c "$(wget -O - https://apt.llvm.org/llvm.sh)"
WORKDIR /usr/src/pastebin
COPY . .
RUN cargo install --path .
FROM alpine:3.15
COPY --from=builder /usr/local/cargo/bin/pastebin /usr/local/bin/pastebin
ENTRYPOINT ["pastebin"]
CMD ["--help"]
I think it's because Alpine Linux uses "musl" instead of glibc.
I would recommend using "gcr.io/distroless" images:
FROM rustlang/rust:nightly as builder
RUN apt-get update && apt-get install -y apt-utils software-properties-common lsb-release
RUN bash -c "$(wget -O - https://apt.llvm.org/llvm.sh)"
WORKDIR /app
COPY . /app
RUN cargo build --release
FROM gcr.io/distroless/cc-debian11
COPY --from=builder /app/target/release/pastebin /
ENTRYPOINT ["./pastebin"]
CMD ["--help"]
This image contains a minimal Linux, glibc runtime for "mostly-statically compiled" languages like Rust.
Is this project dead?