Open mvforster opened 5 months ago
It should be possible to avoid it by bumping it in the config:

```groovy
plugins {
    id 'nf-amazon@2.6.0'
}
```
Dear Paolo,
Many thanks for your suggestion and rapid response.
I have been able to rebuild the container with the version that you indicated and can confirm that the specific CVEs above have been cleared by this. However, the report indicates that the org.json/json 20230227 package is vulnerable as per: https://github.com/advisories/GHSA-4jq9-2xhw-jpx7 which has been fixed in https://github.com/stleary/JSON-java/pull/759
This is the same vulnerability that I have reported in nf-schema here
I believe that the same fix will apply to these and other NextFlow plugins that use the org.json/json 20230227 package.
I hope this information proves useful.
Tagging @arnaualcazar for visibility
I am happy to share my dockerfile and/or scan report outputs if this will help
Sure, that's welcome
No problem, here is the Dockerfile:

```dockerfile
FROM ubuntu:24.04
ARG NFSCHEMA_VERSION="@2.0.0"
ARG NFAMAZON_VERSION="@2.6.0"
ARG NFCODECOMMIT_VERSION="@0.1.5-patch1"
ARG NFTOWER_VERSION="@1.6.3-patch1"
ARG NFCONSOLE_VERSION="@1.1.3"
ARG CO2FOOTPRINT_VERSION="@1.0.0-beta"
# ARG NFCORE_VERSION="@2.14.1"
ARG JAVA_VERSION="21"
RUN apt update \
    && apt upgrade -y \
    && apt install -y --no-install-recommends \
        curl \
        tar \
        gzip \
        "openjdk-${JAVA_VERSION}-jdk" \
        procps \
    && rm -rf /var/cache/apt/archives /var/lib/apt/lists/* \
    && curl -s https://get.nextflow.io | bash \
    && chmod +x nextflow \
    && mv nextflow /usr/local/bin
RUN nextflow plugin install "nf-schema${NFSCHEMA_VERSION}"
RUN nextflow plugin install "nf-amazon${NFAMAZON_VERSION}"
RUN nextflow plugin install "nf-codecommit${NFCODECOMMIT_VERSION}"
RUN nextflow plugin install "nf-tower${NFTOWER_VERSION}"
RUN nextflow plugin install "nf-console${NFCONSOLE_VERSION}"
RUN nextflow plugin install "nf-co2footprint${CO2FOOTPRINT_VERSION}"
ENV NXF_OFFLINE='true'
```
And here are the docker scout reports:

```text
docker scout cves local://nextflow:update
    i New version 1.9.3 available (installed version is 1.8.0) at https://github.com/docker/scout-cli
    ✓ SBOM of image already cached, 501 packages indexed
    ✗ Detected 17 vulnerable packages with a total of 23 vulnerabilities

## Overview

                    │ Analyzed Image
────────────────────┼──────────────────────────────
  Target            │ local://nextflow:update
    digest          │ f31a0bff97a4
    platform        │ linux/amd64
    vulnerabilities │ 0C 2H 5M 16L
    size            │ 394 MB
    packages        │ 501

## Packages and Vulnerabilities

   0C     1H     0M     0L  software.amazon.ion/ion-java 1.0.2
pkg:maven/software.amazon.ion/ion-java@1.0.2

    ✗ HIGH CVE-2024-21634 [Allocation of Resources Without Limits or Throttling]
      https://scout.docker.com/v/CVE-2024-21634
      Affected range : <1.10.5
      Fixed version  : not fixed
      CVSS Score     : 7.5
      CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

   0C     1H     0M     0L  org.json/json 20230227
pkg:maven/org.json/json@20230227

    ✗ HIGH CVE-2023-5072 [Improperly Implemented Security Check for Standard]
      https://scout.docker.com/v/CVE-2023-5072
      Affected range : <=20230618
      Fixed version  : 20231013

   0C     0H     1M     2L  krb5 1.20.1-6ubuntu2
pkg:deb/ubuntu/krb5@1.20.1-6ubuntu2?os_distro=noble&os_name=ubuntu&os_version=24.04

    ✗ MEDIUM CVE-2024-26462
      https://scout.docker.com/v/CVE-2024-26462
      Affected range : >=0
      Fixed version  : not fixed

    ✗ LOW CVE-2024-26461
      https://scout.docker.com/v/CVE-2024-26461
      Affected range : >=0
      Fixed version  : not fixed

    ✗ LOW CVE-2024-26458
      https://scout.docker.com/v/CVE-2024-26458
      Affected range : >=0
      Fixed version  : not fixed

   0C     0H     1M     0L  xz-utils 5.6.1+really5.4.5-1
pkg:deb/ubuntu/xz-utils@5.6.1%2Breally5.4.5-1?os_distro=noble&os_name=ubuntu&os_version=24.04

    ✗ MEDIUM CVE-2020-22916
      https://scout.docker.com/v/CVE-2020-22916
      Affected range : >=0
      Fixed version  : not fixed
      CVSS Score     : 5.5
      CVSS Vector    : CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

   0C     0H     1M     0L  jline/jline 2.9
pkg:maven/jline/jline@2.9

    ✗ MEDIUM CVE-2013-2035 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities]
      https://scout.docker.com/v/CVE-2013-2035
      Affected range : <=2.10
      Fixed version  : 2.11
      CVSS Score     : 4.4
      CVSS Vector    : AV:L/AC:M/Au:N/C:P/I:P/A:P

   0C     0H     1M     0L  libgcrypt20 1.10.3-2build1
pkg:deb/ubuntu/libgcrypt20@1.10.3-2build1?os_distro=noble&os_name=ubuntu&os_version=24.04

    ✗ MEDIUM CVE-2024-2236
      https://scout.docker.com/v/CVE-2024-2236
      Affected range : >=0
      Fixed version  : not fixed

   0C     0H     1M     0L  pixman 0.42.2-1build1
pkg:deb/ubuntu/pixman@0.42.2-1build1?os_distro=noble&os_name=ubuntu&os_version=24.04

    ✗ MEDIUM CVE-2023-37769
      https://scout.docker.com/v/CVE-2023-37769
      Affected range : >=0
      Fixed version  : not fixed
      CVSS Score     : 6.5
      CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

   0C     0H     0M     3L  cairo 1.18.0-3build1
pkg:deb/ubuntu/cairo@1.18.0-3build1?os_distro=noble&os_name=ubuntu&os_version=24.04

    ✗ LOW CVE-2019-6461
      https://scout.docker.com/v/CVE-2019-6461
      Affected range : >=0
      Fixed version  : not fixed
      CVSS Score     : 6.5
      CVSS Vector    : CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

    ✗ LOW CVE-2018-18064
      https://scout.docker.com/v/CVE-2018-18064
      Affected range : >=0
      Fixed version  : not fixed
      CVSS Score     : 6.5
      CVSS Vector    : CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

    ✗ LOW CVE-2017-7475
      https://scout.docker.com/v/CVE-2017-7475
      Affected range : >=0
      Fixed version  : not fixed
      CVSS Score     : 5.5
      CVSS Vector    : CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

   0C     0H     0M     3L  openssl 3.0.13-0ubuntu3.1
pkg:deb/ubuntu/openssl@3.0.13-0ubuntu3.1?os_distro=noble&os_name=ubuntu&os_version=24.04

    ✗ LOW CVE-2024-4741
      https://scout.docker.com/v/CVE-2024-4741
      Affected range : >=0
      Fixed version  : not fixed

    ✗ LOW CVE-2024-4603
      https://scout.docker.com/v/CVE-2024-4603
      Affected range : >=0
      Fixed version  : not fixed

    ✗ LOW CVE-2024-2511
      https://scout.docker.com/v/CVE-2024-2511
      Affected range : >=0
      Fixed version  : not fixed

   0C     0H     0M     1L  coreutils 9.4-3ubuntu6
pkg:deb/ubuntu/coreutils@9.4-3ubuntu6?os_distro=noble&os_name=ubuntu&os_version=24.04

    ✗ LOW CVE-2016-2781
      https://scout.docker.com/v/CVE-2016-2781
      Affected range : >=0
      Fixed version  : not fixed
      CVSS Score     : 6.5
      CVSS Vector    : CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N

   0C     0H     0M     1L  gnupg2 2.4.4-2ubuntu17
pkg:deb/ubuntu/gnupg2@2.4.4-2ubuntu17?os_distro=noble&os_name=ubuntu&os_version=24.04

    ✗ LOW CVE-2022-3219
      https://scout.docker.com/v/CVE-2022-3219
      Affected range : >=0
      Fixed version  : not fixed
      CVSS Score     : 3.3
      CVSS Vector    : CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

   0C     0H     0M     1L  dbus 1.14.10-4ubuntu4
pkg:deb/ubuntu/dbus@1.14.10-4ubuntu4?os_distro=noble&os_name=ubuntu&os_version=24.04

    ✗ LOW CVE-2023-34969
      https://scout.docker.com/v/CVE-2023-34969
      Affected range : >=0
      Fixed version  : not fixed
      CVSS Score     : 6.5
      CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

   0C     0H     0M     1L  harfbuzz 8.3.0-2build2
pkg:deb/ubuntu/harfbuzz@8.3.0-2build2?os_distro=noble&os_name=ubuntu&os_version=24.04

    ✗ LOW CVE-2023-25193
      https://scout.docker.com/v/CVE-2023-25193
      Affected range : >=0
      Fixed version  : not fixed
      CVSS Score     : 7.5
      CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

   0C     0H     0M     1L  libpng1.6 1.6.43-5build1
pkg:deb/ubuntu/libpng1.6@1.6.43-5build1?os_distro=noble&os_name=ubuntu&os_version=24.04

    ✗ LOW CVE-2022-3857
      https://scout.docker.com/v/CVE-2022-3857
      Affected range : >=0
      Fixed version  : not fixed
      CVSS Score     : 5.5
      CVSS Vector    : CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

   0C     0H     0M     1L  giflib 5.2.2-1ubuntu1
pkg:deb/ubuntu/giflib@5.2.2-1ubuntu1?os_distro=noble&os_name=ubuntu&os_version=24.04

    ✗ LOW CVE-2023-48161
      https://scout.docker.com/v/CVE-2023-48161
      Affected range : >=0
      Fixed version  : not fixed
      CVSS Score     : 7.1
      CVSS Vector    : CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

   0C     0H     0M     1L  glibc 2.39-0ubuntu8.2
pkg:deb/ubuntu/glibc@2.39-0ubuntu8.2?os_distro=noble&os_name=ubuntu&os_version=24.04

    ✗ LOW CVE-2016-20013
      https://scout.docker.com/v/CVE-2016-20013
      Affected range : >=0
      Fixed version  : not fixed
      CVSS Score     : 7.5
      CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

   0C     0H     0M     1L  tiff 4.5.1+git230720-4ubuntu2.1
pkg:deb/ubuntu/tiff@4.5.1%2Bgit230720-4ubuntu2.1?os_distro=noble&os_name=ubuntu&os_version=24.04

    ✗ LOW CVE-2018-10126
      https://scout.docker.com/v/CVE-2018-10126
      Affected range : >=0
      Fixed version  : not fixed
      CVSS Score     : 6.5
      CVSS Vector    : CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

23 vulnerabilities found in 17 packages
  LOW       16
  MEDIUM    5
  HIGH      2
  CRITICAL  0
```
I hope this information proves helpful
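A small parser for the text report above, added here as an example and not code from the thread, from Nextflow or from Docker Scout. It keeps only the findings that already have an upstream fixed version, which is the subset a container maintainer can act on by bumping a dependency, and separates them from the entries scout lists as "not fixed". The sample input is constructed from a few entries of the report.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape of the `docker scout cves` text report quoted
# above: a package header line, its purl, then one block per CVE.
SAMPLE_REPORT = """\
   0C     1H     0M     0L  org.json/json 20230227
pkg:maven/org.json/json@20230227
    ✗ HIGH CVE-2023-5072 [Improperly Implemented Security Check for Standard]
      Affected range : <=20230618
      Fixed version  : 20231013
   0C     1H     0M     0L  software.amazon.ion/ion-java 1.0.2
pkg:maven/software.amazon.ion/ion-java@1.0.2
    ✗ HIGH CVE-2024-21634 [Allocation of Resources Without Limits or Throttling]
      Affected range : <1.10.5
      Fixed version  : not fixed
   0C     0H     1M     0L  jline/jline 2.9
pkg:maven/jline/jline@2.9
    ✗ MEDIUM CVE-2013-2035
      Fixed version  : 2.11
"""
PKG_RE = re.compile(r"^\s*\d+C\s+\d+H\s+\d+M\s+\d+L\s+(\S+)\s+(\S+)\s*$")
CVE_RE = re.compile(r"^\s*✗\s+(CRITICAL|HIGH|MEDIUM|LOW)\s+(CVE-\d{4}-\d+)")
FIX_RE = re.compile(r"^\s*Fixed version\s*:\s*(.+?)\s*$")
SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}

@dataclass
class Finding:
    package: str
    installed: str
    cve: str
    severity: str
    fixed_version: Optional[str]  # None when scout reports "not fixed"

def parse_scout_report(text: str) -> List[Finding]:
    # Walk the report line by line; a CVE belongs to the last package header seen.
    findings: List[Finding] = []
    package = installed = ""
    current: Optional[Finding] = None
    for line in text.splitlines():
        if m := PKG_RE.match(line):
            package, installed = m.group(1), m.group(2)
        elif (m := CVE_RE.match(line)) and package:
            current = Finding(package, installed, m.group(2), m.group(1), None)
            findings.append(current)
        elif (m := FIX_RE.match(line)) and current:
            current.fixed_version = None if m.group(1) == "not fixed" else m.group(1)
    return findings

def actionable(findings: List[Finding], min_severity: str = "MEDIUM") -> List[Finding]:
    # Findings at or above min_severity for which an upstream fix already exists.
    return [f for f in findings
            if f.fixed_version and SEVERITY_RANK[f.severity] >= SEVERITY_RANK[min_severity]]
```

Running it over a full report gives the "bump this dependency" list separately from the findings that can only be tracked until upstream ships a fix, which is the distinction the thread draws between org.json/json and ion-java.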
Following the inclusion of your plugin within a NextFlow (24.04.2) container that I am building, a scan of the container detected an issue with the following packages:
The associated CVE for io.netty, outlined here, has been reported to be patched in v4.1.100.Final.
And for ion-java the CVE is here; from the report, the current patch may not apply to this vulnerability, but it will be worth keeping an eye on.
The vulnerability was reported by Docker Scout v1.8.0.
Would it be possible to apply the relevant patch for this vulnerability in nf-amazon?
Many thanks for your assistance with this.