Closed praveen-em closed 2 years ago
Thanks for raising (and also for your kind donation!).
@bethesque should we back port the scanners we use in Pactflow here also perhaps?
We already do scan with the same tool Pactflow does - trivy
https://github.com/pact-foundation/pact-broker-docker/blob/master/script/release-workflow/run.sh#L16
Looks like most of them can be fixed by upgrading to latest libraries.
There are 12 high vulnerabilities, of which only 3 have a fix version.
I could be wrong, but some of these appear on first glance to be false positives.
Go before 1.15.12 and 1.16.x before 1.16.5 attempts to allocate excessive memory (issue 1 of 2).
encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader (for xml.NewTokenDecoder) returns EOF in the middle of an element. This can occur in the Decode, DecodeElement, or Skip method.
I don't know of any Go installation on the docker image, so these ones are a surprise to me. Maybe it's on the base Alpine image?
URI.js (aka urijs) before 1.19.6 mishandles certain uses of backslash such as http:\/ and interprets the URI as a relative path.
There is no NPM or JS installed on the image.
> We already do scan with the same tool Pactflow does - trivy
> https://github.com/pact-foundation/pact-broker-docker/blob/master/script/release-workflow/run.sh#L16
Ah so it does, sorry Beth, I took a quick look on mobile but obviously missed it.
The other day I enabled Snyk as well, and this is the only vulnerability it has picked up. There's no fix for this one yet, but it seems it's only relevant if there's a content proxy caching things in the middle.
I've updated bundler to 2.2.10 - that should make 2 of the highs go away. I don't think we can do anything about any of the others as there's no fix version available for the alpine ones, and the others seem to be false positives to me (go and npm vulnerabilities).
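The triage above (count the highs, separate the ones with a fix version from the ones without, and work out which artifact a Go or npm finding actually comes from) can be done mechanically from trivy's JSON output rather than by reading a PDF export. The script below is an added example written for this thread, not code from the pact-broker-docker repository or from trivy. The report embedded in it is constructed to mirror the field names trivy emits (`Results[].Target`, `Results[].Type`, `Vulnerabilities[].VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`); the image name, file paths, package names and CVE IDs in it are made up and are not the real findings for the pact-broker image. Because each finding is reported under the OS release or file path it was detected in, grouping by target is the quickest way to check whether a Go or JavaScript finding is attached to a real file in the image or is a scanner false positive.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of `trivy image --format json` output.
# Every target, package, version and CVE ID here is invented for the
# illustration; nothing in it is a real result for pactfoundation/pact-broker.
SAMPLE_REPORT = """
{
  "SchemaVersion": 2,
  "ArtifactName": "example/image:1.0",
  "Results": [
    {
      "Target": "example/image:1.0 (alpine 3.13.5)",
      "Type": "alpine",
      "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libfoo",
         "InstalledVersion": "1.0.0-r0", "FixedVersion": "",
         "Severity": "HIGH", "Title": "constructed: no distro fix yet"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libbar",
         "InstalledVersion": "2.1.0-r0", "FixedVersion": "2.1.1-r0",
         "Severity": "HIGH", "Title": "constructed: fix available"}
      ]
    },
    {
      "Target": "usr/local/bin/some-tool",
      "Type": "gobinary",
      "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "github.com/example/dep",
         "InstalledVersion": "v0.1.0", "FixedVersion": "v0.2.0",
         "Severity": "HIGH", "Title": "constructed: Go module finding"}
      ]
    },
    {
      "Target": "Gemfile.lock",
      "Type": "bundler",
      "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0004", "PkgName": "bundler",
         "InstalledVersion": "2.2.3", "FixedVersion": "2.2.10",
         "Severity": "MEDIUM", "Title": "constructed: gem finding"}
      ]
    }
  ]
}
"""


def load_findings(report_json, severities=("HIGH", "CRITICAL")):
    """Flatten a trivy JSON report into one row per finding at the given severities."""
    report = json.loads(report_json)
    rows = []
    for result in report.get("Results", []):
        # "Vulnerabilities" is absent (or null) for targets with no findings.
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("Severity") not in severities:
                continue
            rows.append({
                "target": result.get("Target"),
                "type": result.get("Type"),
                "id": vuln["VulnerabilityID"],
                "pkg": vuln["PkgName"],
                "installed": vuln.get("InstalledVersion"),
                # trivy leaves FixedVersion empty when no fixed release exists.
                "fixed": vuln.get("FixedVersion") or None,
            })
    return rows


def triage(rows):
    """Split findings into those an upgrade can fix and those with no fix version."""
    fixable = [r for r in rows if r["fixed"]]
    unfixed = [r for r in rows if not r["fixed"]]
    return fixable, unfixed


def by_target(rows):
    """Group CVE IDs by (target, type) so a Go or npm finding can be traced to the file carrying it."""
    groups = defaultdict(list)
    for r in rows:
        groups[(r["target"], r["type"])].append(r["id"])
    return dict(groups)


def summarize(report_json, severities=("HIGH", "CRITICAL")):
    """Return the counts a maintainer needs to decide what is actionable."""
    rows = load_findings(report_json, severities)
    fixable, unfixed = triage(rows)
    return {
        "total": len(rows),
        "fixable": len(fixable),
        "unfixed": len(unfixed),
        "upgrades": sorted((r["pkg"], r["installed"], r["fixed"]) for r in fixable),
        "targets": by_target(rows),
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_REPORT)
    print(f"{summary['total']} HIGH/CRITICAL findings, "
          f"{summary['fixable']} with a fix version, {summary['unfixed']} without")
    for (target, kind), ids in summary["targets"].items():
        print(f"  [{kind}] {target}: {', '.join(ids)}")
    for pkg, installed, fixed in summary["upgrades"]:
        print(f"  upgrade {pkg} {installed} -> {fixed}")
```

To feed it a real report, run `trivy image --severity HIGH,CRITICAL --format json -o report.json <image>` and pass the file contents to `summarize`; adding `--ignore-unfixed` to that command makes trivy itself drop the findings with no fix version, which is the right setting for a release gate when, as here, the remaining highs are base-image packages with no fixed release yet.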
Thanks @bethesque and @mefellows for your super fast responses and the new release with new version of bundler.
You're welcome. I'm going to close this issue as I don't think there is anything we can do about the other vulnerabilities found.
Pre issue-raising checklist
I have already (please mark the applicable with an x):
Software versions
Expected behaviour
No security vulnerabilities in the image.
Actual behaviour
JFrog's XRay scanner blocks the image because of security vulnerabilities (see attached list). Looks like most of them can be fixed by upgrading to latest libraries. I could give it a try if it were Java, but I am not very close to Ruby. So, leaving it to experts in the community to take a look.
Docker_pactfoundation-pact-broker-2.87.0.2_Security_Export.pdf
Steps to reproduce
NA
Relevant log files
NA