pact-foundation / pact-broker-docker

Dockerized Pact Broker
https://pact.io
MIT License

Security vulnerabilities #65

Closed praveen-em closed 2 years ago

praveen-em commented 2 years ago

Pre issue-raising checklist

I have already (please mark the applicable with an x):

Software versions

Expected behaviour

No security vulnerabilities in the image.

Actual behaviour

JFrog's XRay scanner blocks the image because of security vulnerabilities (see attached list). Looks like most of them can be fixed by upgrading to latest libraries. I could give it a try if it was java but I am not very close to Ruby. So, leaving it to experts in the community to take a look.

Docker_pactfoundation-pact-broker-2.87.0.2_Security_Export.pdf

Steps to reproduce

NA

Relevant log files

NA

mefellows commented 2 years ago

Thanks for raising (and also for your kind donation!).

@bethesque should we back port the scanners we use in Pactflow here also perhaps?

bethesque commented 2 years ago

We already do scan with the same tool Pactflow does - trivy

https://github.com/pact-foundation/pact-broker-docker/blob/master/script/release-workflow/run.sh#L16

bethesque commented 2 years ago

Looks like most of them can be fixed by upgrading to latest libraries.

There are 12 high vulnerabilities, of which only 3 have a fix version.

I could be wrong, but some of these appear on first glance to be false positives.

Go before 1.15.12 and 1.16.x before 1.16.5 attempts to allocate excessive memory (issue 1 of 2).

encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader (for xml.NewTokenDecoder) returns EOF in the middle of an element. This can occur in the Decode, DecodeElement, or Skip method.

I don't know of any Go installation on the docker image, so these ones are a surprise to me. Maybe it's on the base Alpine image?

URI.js (aka urijs) before 1.19.6 mishandles certain uses of backslash such as http:\/ and interprets the URI as a relative path.

There is no NPM or JS installed on the image.

mefellows commented 2 years ago

We already do scan with the same tool Pactflow does - trivy

https://github.com/pact-foundation/pact-broker-docker/blob/master/script/release-workflow/run.sh#L16

Ah so it does, sorry Beth I took a quick look on mobile but obviously missed it.

bethesque commented 2 years ago

The other day I enabled Snyk as well, and this is the only vulnerability it has picked up. There's no fix for this one yet, but it seems it's only relevant if there's a content proxy caching things in the middle.

(Screenshot attached: Screen Shot 2021-10-12 at 9 17 24 am)

bethesque commented 2 years ago

I've updated bundler to 2.2.10 - that should make 2 of the highs go away. I don't think we can do anything about any of the others as there's no fix version available for the alpine ones, and the others seem to be false positives to me (go and npm vulnerabilities).
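The triage that bethesque walks through in the two comments above (split the high findings into those with a fix version, those with none, and those attributed to ecosystems such as Go or npm that the image does not ship) can be scripted against the scanner's JSON output. The following is an added example, not code from the pact-broker-docker project or its release workflow. It assumes Trivy's JSON report shape (Results[].Target, .Type, .Vulnerabilities[].VulnerabilityID/PkgName/InstalledVersion/FixedVersion/Severity); the embedded report is constructed, and its vulnerability IDs and most versions are placeholders rather than findings from the attached PDF.

```python
"""Triage a Trivy-style JSON scan report for a container image.

Splits HIGH/CRITICAL findings into three buckets a maintainer handles
differently: a published fix version exists (upgrade), no fix yet (track
upstream), or the finding belongs to a package ecosystem the image is not
expected to contain (verify the scanner's attribution before treating it
as a true positive).
"""
import json

# Ecosystems this image is expected to contain: Alpine OS packages and
# Ruby gems. Anything else (Go binaries, npm packages, ...) needs a check
# that the component is actually present in the image.
EXPECTED_TYPES = {"alpine", "bundler", "gemspec"}
ACTIONABLE_SEVERITIES = {"HIGH", "CRITICAL"}

# Constructed sample shaped like Trivy's JSON output (field names assumed
# from Trivy's schema). Vulnerability IDs are placeholders, and the
# installed versions are made up for the example.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {"Target": "example/image (alpine 3.x)", "Type": "alpine",
         "Vulnerabilities": [
             {"VulnerabilityID": "PLACEHOLDER-OS-1", "PkgName": "libexample",
              "InstalledVersion": "1.0.0-r0", "FixedVersion": "",
              "Severity": "HIGH"},
             {"VulnerabilityID": "PLACEHOLDER-OS-2", "PkgName": "libexample",
              "InstalledVersion": "1.0.0-r0", "FixedVersion": "",
              "Severity": "MEDIUM"},
         ]},
        {"Target": "Gemfile.lock", "Type": "bundler",
         "Vulnerabilities": [
             {"VulnerabilityID": "PLACEHOLDER-GEM-1", "PkgName": "bundler",
              "InstalledVersion": "2.2.9", "FixedVersion": "2.2.10",
              "Severity": "HIGH"},
         ]},
        {"Target": "usr/local/bin/example-tool", "Type": "gobinary",
         "Vulnerabilities": [
             {"VulnerabilityID": "PLACEHOLDER-GO-1", "PkgName": "stdlib",
              "InstalledVersion": "1.16.0", "FixedVersion": "1.16.5",
              "Severity": "HIGH"},
         ]},
        {"Target": "package-lock.json", "Type": "npm",
         "Vulnerabilities": [
             {"VulnerabilityID": "PLACEHOLDER-NPM-1", "PkgName": "urijs",
              "InstalledVersion": "1.19.5", "FixedVersion": "1.19.6",
              "Severity": "HIGH"},
         ]},
    ]
})


def flatten(report_json):
    """Yield one flat record per vulnerability in a Trivy-style report."""
    report = json.loads(report_json)
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            yield {
                "id": vuln["VulnerabilityID"],
                "target": result["Target"],
                "type": result["Type"],
                "pkg": vuln["PkgName"],
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion", ""),
                "severity": vuln.get("Severity", "UNKNOWN"),
            }


def triage(report_json, expected_types=EXPECTED_TYPES):
    """Bucket actionable findings by what the maintainer can do about them."""
    buckets = {"verify_attribution": [], "upgrade": [], "no_fix_yet": []}
    for rec in flatten(report_json):
        if rec["severity"] not in ACTIONABLE_SEVERITIES:
            continue
        if rec["type"] not in expected_types:
            # The scanner attributes this to an ecosystem we don't ship;
            # confirm the component exists in the image before acting on it.
            buckets["verify_attribution"].append(rec)
        elif rec["fixed"]:
            buckets["upgrade"].append(rec)
        else:
            buckets["no_fix_yet"].append(rec)
    return buckets


def summary(buckets):
    """Counts per bucket, suitable for a CI log line or a gate decision."""
    return {name: len(items) for name, items in buckets.items()}


def upgrade_plan(buckets):
    """(package, installed, fixed) tuples for findings that can be fixed now."""
    return sorted((r["pkg"], r["installed"], r["fixed"]) for r in buckets["upgrade"])


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for name, items in result.items():
        print(f"{name}: {len(items)}")
        for r in items:
            print(f"  {r['id']} {r['type']}/{r['pkg']} "
                  f"{r['installed']} -> {r['fixed'] or 'no fix yet'}")
```

Run against a real report produced with Trivy's JSON output format, the "upgrade" bucket is the list to act on in the next release, "no_fix_yet" is what to re-check when the base image is bumped, and "verify_attribution" is where findings like the Go and urijs ones in this thread land for a manual look rather than being dismissed outright.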

praveen-em commented 2 years ago

Thanks @bethesque and @mefellows for your super fast responses and the new release with new version of bundler.

bethesque commented 2 years ago

You're welcome. I'm going to close this issue as I don't think there is anything we can do about the other vulnerabilities found.