nextflow-io / nf-amazon

Amazon Web Services plugin for Nextflow
Apache License 2.0

request: vulnerability fix #1

Open mvforster opened 5 months ago

mvforster commented 5 months ago

Following the inclusion of your plugin within a NextFlow (24.04.2) container that I am building, a scan of the container detected an issue with the following packages:

The associated CVE for io.netty, outlined here, has been reported to be patched in v4.1.100.Final.

And for ion-java the CVE is here; from the report, the current patch may not apply to this vulnerability, but it will be worth keeping an eye on.

The vulnerability was reported by Docker Scout v1.8.0.

Would it be possible to apply the relevant patch for this vulnerability in nf-amazon?

Many thanks for your assistance with this.

pditommaso commented 5 months ago

It should be possible to avoid it by bumping the version in the config:

plugins {
  id 'nf-amazon@2.6.0'
}

mvforster commented 5 months ago

Dear Paolo,

Many thanks for your suggestion and rapid response.

I have been able to rebuild the container with the version that you indicated and can confirm that the specific CVEs above have been cleared by this. However, the report indicates that the org.json/json 20230227 package is vulnerable as per https://github.com/advisories/GHSA-4jq9-2xhw-jpx7, which has been fixed in https://github.com/stleary/JSON-java/pull/759

This is the same vulnerability that I have reported in nf-schema here

I believe that the same fix will apply to these and other NextFlow plugins that use the org.json/json 20230227 package.

I hope this information proves useful.

pditommaso commented 5 months ago

Tagging @arnaualcazar for visibility

mvforster commented 5 months ago

I am happy to share my dockerfile and/or scan report outputs if this will help

pditommaso commented 5 months ago

Sure, that's welcome

mvforster commented 5 months ago

No problem, here is the Dockerfile:

FROM ubuntu:24.04

# Plugin versions are pinned here so the image can be rebuilt reproducibly
# (the "@" prefix is part of the "name@version" spec that nextflow expects).
ARG NFSCHEMA_VERSION="@2.0.0"
ARG NFAMAZON_VERSION="@2.6.0"
ARG NFCODECOMMIT_VERSION="@0.1.5-patch1"
ARG NFTOWER_VERSION="@1.6.3-patch1"
ARG NFCONSOLE_VERSION="@1.1.3"
ARG CO2FOOTPRINT_VERSION="@1.0.0-beta"
# ARG NFCORE_VERSION="@2.14.1"
ARG JAVA_VERSION="21"

# Base tooling plus the JDK, then the Nextflow launcher itself.
RUN apt update \
    && apt upgrade -y \
    && apt install -y --no-install-recommends \
        curl \
        tar \
        gzip \
        "openjdk-${JAVA_VERSION}-jdk" \
        procps \
    && rm -rf /var/cache/apt/archives /var/lib/apt/lists/* \
    && curl -s https://get.nextflow.io | bash \
    && chmod +x nextflow \
    && mv nextflow /usr/local/bin

# Pre-install the pinned plugins so the image works without network access.
RUN nextflow plugin install "nf-schema${NFSCHEMA_VERSION}"
RUN nextflow plugin install "nf-amazon${NFAMAZON_VERSION}"
RUN nextflow plugin install "nf-codecommit${NFCODECOMMIT_VERSION}"
RUN nextflow plugin install "nf-tower${NFTOWER_VERSION}"
RUN nextflow plugin install "nf-console${NFCONSOLE_VERSION}"
RUN nextflow plugin install "nf-co2footprint${CO2FOOTPRINT_VERSION}"

# Stop Nextflow from trying to fetch plugins or updates at run time.
ENV NXF_OFFLINE='true'

and here are the docker scout reports:

docker scout cves local://nextflow:update
    i New version 1.9.3 available (installed version is 1.8.0) at https://github.com/docker/scout-cli
    ✓ SBOM of image already cached, 501 packages indexed
    ✗ Detected 17 vulnerable packages with a total of 23 vulnerabilities

## Overview

                    │       Analyzed Image         
────────────────────┼──────────────────────────────
  Target            │  local://nextflow:update     
    digest          │  f31a0bff97a4                
    platform        │ linux/amd64                  
    vulnerabilities │    0C     2H     5M    16L   
    size            │ 394 MB                       
    packages        │ 501                          

## Packages and Vulnerabilities

   0C     1H     0M     0L  software.amazon.ion/ion-java 1.0.2
pkg:maven/software.amazon.ion/ion-java@1.0.2

    ✗ HIGH CVE-2024-21634 [Allocation of Resources Without Limits or Throttling]
      https://scout.docker.com/v/CVE-2024-21634
      Affected range : <1.10.5                                       
      Fixed version  : not fixed                                     
      CVSS Score     : 7.5                                           
      CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H  

   0C     1H     0M     0L  org.json/json 20230227
pkg:maven/org.json/json@20230227

    ✗ HIGH CVE-2023-5072 [Improperly Implemented Security Check for Standard]
      https://scout.docker.com/v/CVE-2023-5072
      Affected range : <=20230618  
      Fixed version  : 20231013    

   0C     0H     1M     2L  krb5 1.20.1-6ubuntu2
pkg:deb/ubuntu/krb5@1.20.1-6ubuntu2?os_distro=noble&os_name=ubuntu&os_version=24.04

    ✗ MEDIUM CVE-2024-26462
      https://scout.docker.com/v/CVE-2024-26462
      Affected range : >=0        
      Fixed version  : not fixed  

    ✗ LOW CVE-2024-26461
      https://scout.docker.com/v/CVE-2024-26461
      Affected range : >=0        
      Fixed version  : not fixed  

    ✗ LOW CVE-2024-26458
      https://scout.docker.com/v/CVE-2024-26458
      Affected range : >=0        
      Fixed version  : not fixed  

   0C     0H     1M     0L  xz-utils 5.6.1+really5.4.5-1
pkg:deb/ubuntu/xz-utils@5.6.1%2Breally5.4.5-1?os_distro=noble&os_name=ubuntu&os_version=24.04

    ✗ MEDIUM CVE-2020-22916
      https://scout.docker.com/v/CVE-2020-22916
      Affected range : >=0                                           
      Fixed version  : not fixed                                     
      CVSS Score     : 5.5                                           
      CVSS Vector    : CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H  

   0C     0H     1M     0L  jline/jline 2.9
pkg:maven/jline/jline@2.9

    ✗ MEDIUM CVE-2013-2035 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities]
      https://scout.docker.com/v/CVE-2013-2035
      Affected range : <=2.10                      
      Fixed version  : 2.11                        
      CVSS Score     : 4.4                         
      CVSS Vector    : AV:L/AC:M/Au:N/C:P/I:P/A:P  

   0C     0H     1M     0L  libgcrypt20 1.10.3-2build1
pkg:deb/ubuntu/libgcrypt20@1.10.3-2build1?os_distro=noble&os_name=ubuntu&os_version=24.04

    ✗ MEDIUM CVE-2024-2236
      https://scout.docker.com/v/CVE-2024-2236
      Affected range : >=0        
      Fixed version  : not fixed  

   0C     0H     1M     0L  pixman 0.42.2-1build1
pkg:deb/ubuntu/pixman@0.42.2-1build1?os_distro=noble&os_name=ubuntu&os_version=24.04

    ✗ MEDIUM CVE-2023-37769
      https://scout.docker.com/v/CVE-2023-37769
      Affected range : >=0                                           
      Fixed version  : not fixed                                     
      CVSS Score     : 6.5                                           
      CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H  

   0C     0H     0M     3L  cairo 1.18.0-3build1
pkg:deb/ubuntu/cairo@1.18.0-3build1?os_distro=noble&os_name=ubuntu&os_version=24.04

    ✗ LOW CVE-2019-6461
      https://scout.docker.com/v/CVE-2019-6461
      Affected range : >=0                                           
      Fixed version  : not fixed                                     
      CVSS Score     : 6.5                                           
      CVSS Vector    : CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H  

    ✗ LOW CVE-2018-18064
      https://scout.docker.com/v/CVE-2018-18064
      Affected range : >=0                                           
      Fixed version  : not fixed                                     
      CVSS Score     : 6.5                                           
      CVSS Vector    : CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H  

    ✗ LOW CVE-2017-7475
      https://scout.docker.com/v/CVE-2017-7475
      Affected range : >=0                                           
      Fixed version  : not fixed                                     
      CVSS Score     : 5.5                                           
      CVSS Vector    : CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H  

   0C     0H     0M     3L  openssl 3.0.13-0ubuntu3.1
pkg:deb/ubuntu/openssl@3.0.13-0ubuntu3.1?os_distro=noble&os_name=ubuntu&os_version=24.04

    ✗ LOW CVE-2024-4741
      https://scout.docker.com/v/CVE-2024-4741
      Affected range : >=0        
      Fixed version  : not fixed  

    ✗ LOW CVE-2024-4603
      https://scout.docker.com/v/CVE-2024-4603
      Affected range : >=0        
      Fixed version  : not fixed  

    ✗ LOW CVE-2024-2511
      https://scout.docker.com/v/CVE-2024-2511
      Affected range : >=0        
      Fixed version  : not fixed  

   0C     0H     0M     1L  coreutils 9.4-3ubuntu6
pkg:deb/ubuntu/coreutils@9.4-3ubuntu6?os_distro=noble&os_name=ubuntu&os_version=24.04

    ✗ LOW CVE-2016-2781
      https://scout.docker.com/v/CVE-2016-2781
      Affected range : >=0                                           
      Fixed version  : not fixed                                     
      CVSS Score     : 6.5                                           
      CVSS Vector    : CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N  

   0C     0H     0M     1L  gnupg2 2.4.4-2ubuntu17
pkg:deb/ubuntu/gnupg2@2.4.4-2ubuntu17?os_distro=noble&os_name=ubuntu&os_version=24.04

    ✗ LOW CVE-2022-3219
      https://scout.docker.com/v/CVE-2022-3219
      Affected range : >=0                                           
      Fixed version  : not fixed                                     
      CVSS Score     : 3.3                                           
      CVSS Vector    : CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L  

   0C     0H     0M     1L  dbus 1.14.10-4ubuntu4
pkg:deb/ubuntu/dbus@1.14.10-4ubuntu4?os_distro=noble&os_name=ubuntu&os_version=24.04

    ✗ LOW CVE-2023-34969
      https://scout.docker.com/v/CVE-2023-34969
      Affected range : >=0                                           
      Fixed version  : not fixed                                     
      CVSS Score     : 6.5                                           
      CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H  

   0C     0H     0M     1L  harfbuzz 8.3.0-2build2
pkg:deb/ubuntu/harfbuzz@8.3.0-2build2?os_distro=noble&os_name=ubuntu&os_version=24.04

    ✗ LOW CVE-2023-25193
      https://scout.docker.com/v/CVE-2023-25193
      Affected range : >=0                                           
      Fixed version  : not fixed                                     
      CVSS Score     : 7.5                                           
      CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H  

   0C     0H     0M     1L  libpng1.6 1.6.43-5build1
pkg:deb/ubuntu/libpng1.6@1.6.43-5build1?os_distro=noble&os_name=ubuntu&os_version=24.04

    ✗ LOW CVE-2022-3857
      https://scout.docker.com/v/CVE-2022-3857
      Affected range : >=0                                           
      Fixed version  : not fixed                                     
      CVSS Score     : 5.5                                           
      CVSS Vector    : CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H  

   0C     0H     0M     1L  giflib 5.2.2-1ubuntu1
pkg:deb/ubuntu/giflib@5.2.2-1ubuntu1?os_distro=noble&os_name=ubuntu&os_version=24.04

    ✗ LOW CVE-2023-48161
      https://scout.docker.com/v/CVE-2023-48161
      Affected range : >=0                                           
      Fixed version  : not fixed                                     
      CVSS Score     : 7.1                                           
      CVSS Vector    : CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H  

   0C     0H     0M     1L  glibc 2.39-0ubuntu8.2
pkg:deb/ubuntu/glibc@2.39-0ubuntu8.2?os_distro=noble&os_name=ubuntu&os_version=24.04

    ✗ LOW CVE-2016-20013
      https://scout.docker.com/v/CVE-2016-20013
      Affected range : >=0                                           
      Fixed version  : not fixed                                     
      CVSS Score     : 7.5                                           
      CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H  

   0C     0H     0M     1L  tiff 4.5.1+git230720-4ubuntu2.1
pkg:deb/ubuntu/tiff@4.5.1%2Bgit230720-4ubuntu2.1?os_distro=noble&os_name=ubuntu&os_version=24.04

    ✗ LOW CVE-2018-10126
      https://scout.docker.com/v/CVE-2018-10126
      Affected range : >=0                                           
      Fixed version  : not fixed                                     
      CVSS Score     : 6.5                                           
      CVSS Vector    : CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H  

23 vulnerabilities found in 17 packages
  LOW       16  
  MEDIUM    5   
  HIGH      2   
  CRITICAL  0

I hope this information proves helpful.
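Most of the 23 findings in the report above have "Fixed version : not fixed", so a practitioner wants to know which ones are actually actionable and where the fix has to come from: Maven artifacts (org.json, jline, ion-java) are bundled in the Nextflow launcher or its plugin jars and cannot be patched with apt, while the deb findings belong to the ubuntu:24.04 base image. The script below is an added example, not part of the thread or of nf-amazon; it parses the Docker Scout text layout exactly as printed above (the pkg: purl line, the "✗ SEVERITY CVE-..." line, and the "Affected range"/"Fixed version" fields) and triages the results. The embedded sample is an excerpt of the report in the thread, trimmed to four packages; the mapping "maven means fix in the plugin, deb means fix in the base image" is an assumption that holds for this Dockerfile, not a general rule.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Excerpt of the docker scout output posted above (four packages, verbatim layout).
SAMPLE_REPORT = """\
   0C     1H     0M     0L  software.amazon.ion/ion-java 1.0.2
pkg:maven/software.amazon.ion/ion-java@1.0.2

    ✗ HIGH CVE-2024-21634 [Allocation of Resources Without Limits or Throttling]
      https://scout.docker.com/v/CVE-2024-21634
      Affected range : <1.10.5
      Fixed version  : not fixed

   0C     1H     0M     0L  org.json/json 20230227
pkg:maven/org.json/json@20230227

    ✗ HIGH CVE-2023-5072 [Improperly Implemented Security Check for Standard]
      https://scout.docker.com/v/CVE-2023-5072
      Affected range : <=20230618
      Fixed version  : 20231013

   0C     0H     1M     2L  krb5 1.20.1-6ubuntu2
pkg:deb/ubuntu/krb5@1.20.1-6ubuntu2?os_distro=noble&os_name=ubuntu&os_version=24.04

    ✗ MEDIUM CVE-2024-26462
      https://scout.docker.com/v/CVE-2024-26462
      Affected range : >=0
      Fixed version  : not fixed

    ✗ LOW CVE-2024-26461
      https://scout.docker.com/v/CVE-2024-26461
      Affected range : >=0
      Fixed version  : not fixed

   0C     0H     1M     0L  jline/jline 2.9
pkg:maven/jline/jline@2.9

    ✗ MEDIUM CVE-2013-2035 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities]
      https://scout.docker.com/v/CVE-2013-2035
      Affected range : <=2.10
      Fixed version  : 2.11
"""

SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}

PURL_RE = re.compile(r"^pkg:(?P<type>[a-z]+)/\S+$")
FINDING_RE = re.compile(r"^\s*✗\s+(?P<sev>CRITICAL|HIGH|MEDIUM|LOW)\s+(?P<id>\S+)")
FIELD_RE = re.compile(r"^\s*(?P<key>Affected range|Fixed version)\s*:\s*(?P<val>.*?)\s*$")


@dataclass
class Finding:
    purl: str
    ecosystem: str            # "maven", "deb", ... taken from the purl type
    severity: str
    vuln_id: str
    affected: str = ""
    fixed: Optional[str] = None   # None when scout prints "not fixed"


def parse_scout_report(text: str) -> list[Finding]:
    """Walk the report line by line; a purl line opens a package, a ✗ line opens a finding."""
    findings: list[Finding] = []
    purl = ecosystem = ""
    current: Optional[Finding] = None
    for line in text.splitlines():
        m = PURL_RE.match(line.strip())
        if m:
            purl, ecosystem = line.strip(), m.group("type")
            continue
        m = FINDING_RE.match(line)
        if m and purl:
            current = Finding(purl, ecosystem, m.group("sev"), m.group("id"))
            findings.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            if m.group("key") == "Affected range":
                current.affected = m.group("val")
            else:
                current.fixed = None if m.group("val") == "not fixed" else m.group("val")
    return findings


def triage(findings: list[Finding]) -> tuple[list[Finding], list[Finding]]:
    """Split into actionable findings (a fixed version exists) and ones that can only be tracked."""
    key = lambda f: (SEVERITY_RANK[f.severity], f.vuln_id)
    fixable = sorted((f for f in findings if f.fixed), key=key)
    unfixed = sorted((f for f in findings if not f.fixed), key=key)
    return fixable, unfixed


def where_to_fix(f: Finding) -> str:
    # Assumption for this image: Maven jars come from Nextflow/plugins, deb packages from the base image.
    return "plugin" if f.ecosystem == "maven" else "base-image"


def severity_counts(findings: list[Finding]) -> dict[str, int]:
    counts = {s: 0 for s in SEVERITY_RANK}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    fixable, unfixed = triage(parse_scout_report(SAMPLE_REPORT))
    for f in fixable:
        print(f"ACTION  {f.severity:<8} {f.vuln_id:<16} {f.purl} -> {f.fixed} ({where_to_fix(f)})")
    for f in unfixed:
        print(f"TRACK   {f.severity:<8} {f.vuln_id:<16} {f.purl} (no fix yet)")
```

Run it against a saved `docker scout cves` report instead of the embedded excerpt and the ACTION lines are the ones worth raising with a plugin maintainer; the TRACK lines need a rescan after the upstream fix lands, not a Dockerfile change.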