pact-foundation / pact-ruby-cli

Amalgamated Pact Ruby CLI
https://pact.io
MIT License

Container image pactfoundation/pact-cli:0.15.0.0 has critical vulnerabilities #17

Closed JorritSalverda closed 4 years ago

JorritSalverda commented 4 years ago

When running a security scan with the https://github.com/aquasecurity/trivy tool with the following command:

$ trivy image --severity CRITICAL pactfoundation/pact-cli:0.15.0.0

It returns the following CRITICAL vulnerabilities:

2020-09-14T13:29:18.376+0200    INFO    Detecting Alpine vulnerabilities...
2020-09-14T13:29:18.379+0200    INFO    Detecting ruby vulnerabilities...
2020-09-14T13:29:18.380+0200    INFO    Detecting ruby vulnerabilities...
2020-09-14T13:29:18.380+0200    INFO    Detecting ruby vulnerabilities...
2020-09-14T13:29:18.381+0200    INFO    Detecting ruby vulnerabilities...
2020-09-14T13:29:18.381+0200    INFO    Detecting ruby vulnerabilities...

pactfoundation/pact-cli:0.15.0.0 (alpine 3.9.6)
===============================================
Total: 0 (CRITICAL: 0)

pact/Gemfile.lock
=================
Total: 0 (CRITICAL: 0)

usr/lib/ruby/gems/2.5.0/gems/awesome_print-1.8.0/Gemfile.lock
=============================================================
Total: 1 (CRITICAL: 1)

+---------+------------------+----------+-------------------+---------------+--------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |             TITLE              |
+---------+------------------+----------+-------------------+---------------+--------------------------------+
| rake    | CVE-2020-8130    | CRITICAL | 12.0.0            | 12.3.3        | rake: OS Command Injection via |
|         |                  |          |                   |               | egrep in Rake::FileList        |
+---------+------------------+----------+-------------------+---------------+--------------------------------+

usr/lib/ruby/gems/2.5.0/gems/find_a_port-1.0.1/Gemfile.lock
===========================================================
Total: 2 (CRITICAL: 2)

+---------+------------------+----------+-------------------+---------------------+--------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION |    FIXED VERSION    |             TITLE              |
+---------+------------------+----------+-------------------+---------------------+--------------------------------+
| json    | CVE-2013-0269    | CRITICAL | 1.7.3             | 1.7.7, 1.6.8, 1.5.5 | rubygem-json: Denial of        |
|         |                  |          |                   |                     | Service and SQL Injection      |
+---------+------------------+          +-------------------+---------------------+--------------------------------+
| rake    | CVE-2020-8130    |          | 0.9.2-2           | 12.3.3              | rake: OS Command Injection via |
|         |                  |          |                   |                     | egrep in Rake::FileList        |
+---------+------------------+----------+-------------------+---------------------+--------------------------------+

usr/lib/ruby/gems/2.5.0/gems/rack-proxy-0.6.5/Gemfile.lock
==========================================================
Total: 1 (CRITICAL: 1)

+---------+------------------+----------+-------------------+---------------+--------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |             TITLE              |
+---------+------------------+----------+-------------------+---------------+--------------------------------+
| rake    | CVE-2020-8130    | CRITICAL | 0.9.2-2           | 12.3.3        | rake: OS Command Injection via |
|         |                  |          |                   |               | egrep in Rake::FileList        |
+---------+------------------+----------+-------------------+---------------+--------------------------------+

usr/lib/ruby/gems/2.5.0/gems/rubygems-update-3.1.4/Gemfile.lock
===============================================================
Total: 0 (CRITICAL: 0)

These are pretty hard to fix in any inheriting image. Could you address these in the cli image?

bethesque commented 4 years ago

Some of them are actually quite hard to fix because they come in the underlying Alpine Ruby image. I had to do a similar fix on the Pact Broker image recently though, so I should be able to get it done.

bethesque commented 4 years ago

Ok, I had a look at this. This is one of the images we're putting ruby on to ourselves (not alpine ruby, as I thought it was), so I thought that would make things easier. But as you can see, the rake version required is rake (13.0.1), and json is 2.3.1.

https://github.com/pact-foundation/pact-ruby-cli/blob/master/Gemfile.lock#L88

The scanning tool is picking up false positives.

bethesque commented 4 years ago

I had a thought - I've just deleted the Gemfile.lock files from the gem directories, and pushed an experimental image. See what your tool thinks of pactfoundation/pact-cli:edge

JorritSalverda commented 4 years ago

Running

$ trivy --severity CRITICAL pactfoundation/pact-cli:edge

Unfortunately still returns

2020-09-15T10:29:07.660+0200    INFO    Need to update DB
2020-09-15T10:29:07.672+0200    INFO    Downloading DB...
18.51 MiB / 18.51 MiB [---------------------------------------------------------------------------------------------] 100.00% 5.52 MiB p/s 4s
2020-09-15T10:29:21.020+0200    INFO    Detecting Alpine vulnerabilities...
2020-09-15T10:29:21.022+0200    INFO    Detecting ruby vulnerabilities...
2020-09-15T10:29:21.035+0200    INFO    Detecting ruby vulnerabilities...
2020-09-15T10:29:21.046+0200    INFO    Detecting ruby vulnerabilities...
2020-09-15T10:29:21.046+0200    INFO    Detecting ruby vulnerabilities...

pactfoundation/pact-cli:edge (alpine 3.9.3)
===========================================
Total: 0 (CRITICAL: 0)

pact/Gemfile.lock
=================
Total: 0 (CRITICAL: 0)

usr/lib/ruby/gems/2.5.0/gems/awesome_print-1.8.0/Gemfile.lock
=============================================================
Total: 1 (CRITICAL: 1)

+---------+------------------+----------+-------------------+---------------+--------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |             TITLE              |
+---------+------------------+----------+-------------------+---------------+--------------------------------+
| rake    | CVE-2020-8130    | CRITICAL | 12.0.0            | 12.3.3        | rake: OS Command Injection via |
|         |                  |          |                   |               | egrep in Rake::FileList        |
+---------+------------------+----------+-------------------+---------------+--------------------------------+

usr/lib/ruby/gems/2.5.0/gems/find_a_port-1.0.1/Gemfile.lock
===========================================================
Total: 2 (CRITICAL: 2)

+---------+------------------+----------+-------------------+---------------------+--------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION |    FIXED VERSION    |             TITLE              |
+---------+------------------+----------+-------------------+---------------------+--------------------------------+
| json    | CVE-2013-0269    | CRITICAL | 1.7.3             | 1.7.7, 1.6.8, 1.5.5 | rubygem-json: Denial of        |
|         |                  |          |                   |                     | Service and SQL Injection      |
+---------+------------------+          +-------------------+---------------------+--------------------------------+
| rake    | CVE-2020-8130    |          | 0.9.2-2           | 12.3.3              | rake: OS Command Injection via |
|         |                  |          |                   |                     | egrep in Rake::FileList        |
+---------+------------------+----------+-------------------+---------------------+--------------------------------+

usr/lib/ruby/gems/2.5.0/gems/rack-proxy-0.6.5/Gemfile.lock
==========================================================
Total: 1 (CRITICAL: 1)

+---------+------------------+----------+-------------------+---------------+--------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |             TITLE              |
+---------+------------------+----------+-------------------+---------------+--------------------------------+
| rake    | CVE-2020-8130    | CRITICAL | 0.9.2-2           | 12.3.3        | rake: OS Command Injection via |
|         |                  |          |                   |               | egrep in Rake::FileList        |
+---------+------------------+----------+-------------------+---------------+--------------------------------+

It doesn't really help that packages like find_a_port haven't had any updates since 2012, so they're unlikely to roll out a fix for this. I don't know Ruby well enough to figure out if you can bump a dependency of a package to a higher version easily (if it's at least drop in compatible).

bethesque commented 4 years ago

Ok, I'm an idiot. I put the Gemfile.lock clearing on the wrong line. I've pushed a new version to pactfoundation/pact-cli:edge. Can you run the scan on it again please?

$ docker run --rm -it --entrypoint sh pactfoundation/pact-cli:edge
/pact # cd ..
/ # find . -name Gemfile.lock
./pact/Gemfile.lock
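
The lockfile cleanup from the comment above, as an added shell example (not the pact-ruby-cli project's own Dockerfile code): it builds a throwaway tree with the app lockfile plus the lockfiles shipped inside the `awesome_print` and `find_a_port` gems, deletes only the gem ones, and checks the count the way `find . -name Gemfile.lock` did above. Paths and lockfile contents are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the pact-ruby-cli project: reproduces the
# fix discussed in this thread on a constructed directory tree.
# Gems installed under the Ruby gem dir ship their own Gemfile.lock; a
# scanner such as trivy treats each one as an application lockfile and
# reports that gem's pinned development dependencies (old rake, json) as
# image vulnerabilities, although only the app lockfile (pact/Gemfile.lock)
# decides what the image actually runs. Deleting the stray lockfiles
# removes the false positives without changing any installed gem.
set -eu

# Delete every Gemfile.lock below $1 except the application lockfile $2.
prune_gem_lockfiles() {
  root="$1"; keep="$2"
  find "$root" -type f -name Gemfile.lock ! -path "$keep" -exec rm -f {} +
}

# Number of Gemfile.lock files below $1 (the `find . -name Gemfile.lock`
# check from the thread, as a value a script can assert on).
count_lockfiles() {
  find "$1" -type f -name Gemfile.lock | wc -l | tr -d ' '
}

# Constructed fixture mimicking the image layout in the trivy report:
# the real app lockfile plus lockfiles inside two installed gems.
make_fixture() {
  root="$1"
  gems="$root/usr/lib/ruby/gems/2.5.0/gems"
  mkdir -p "$root/pact" "$gems/awesome_print-1.8.0" "$gems/find_a_port-1.0.1"
  printf 'GEM\n  specs:\n    rake (13.0.1)\n    json (2.3.1)\n' \
    > "$root/pact/Gemfile.lock"
  printf 'GEM\n  specs:\n    rake (12.0.0)\n' \
    > "$gems/awesome_print-1.8.0/Gemfile.lock"
  printf 'GEM\n  specs:\n    json (1.7.3)\n    rake (0.9.2)\n' \
    > "$gems/find_a_port-1.0.1/Gemfile.lock"
}

# Demo run in a scratch directory: 3 lockfiles before, 1 after.
demo() {
  tmp="$(mktemp -d)"
  make_fixture "$tmp"
  echo "before: $(count_lockfiles "$tmp") lockfile(s)"
  prune_gem_lockfiles "$tmp" "$tmp/pact/Gemfile.lock"
  echo "after:  $(count_lockfiles "$tmp") lockfile(s)"
  find "$tmp" -name Gemfile.lock
  rm -rf "$tmp"
}
demo
```

In an image build this is one RUN step after the gems are installed, run from `/` with `/pact/Gemfile.lock` as the path to keep (an assumption about placement, not the project's Dockerfile).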

JorritSalverda commented 4 years ago

Woop woop, it fixes the CRITICAL vulnerabilities!

$ trivy --severity CRITICAL pactfoundation/pact-cli:edge
2020-09-16T10:42:22.221+0200    INFO    Need to update DB
2020-09-16T10:42:22.257+0200    INFO    Downloading DB...
18.51 MiB / 18.51 MiB [---------------------------------------------------------------------------------------------] 100.00% 5.10 MiB p/s 4s
2020-09-16T10:42:31.788+0200    INFO    Detecting Alpine vulnerabilities...
2020-09-16T10:42:31.805+0200    INFO    Detecting ruby vulnerabilities...

pactfoundation/pact-cli:edge (alpine 3.9.3)
===========================================
Total: 0 (CRITICAL: 0)

pact/Gemfile.lock
=================
Total: 0 (CRITICAL: 0)

There's still some medium ones - seen if you run without the --severity flag - which can probably be fixed by using latest alpine, but perhaps that's something to tackle separately from this issue?

Thanks for looking into this. In which version do you expect this to be released?

bethesque commented 4 years ago

I've upgraded alpine, and that pulls in ruby 2.7 and bundler 2.1.4. It's out with tag 0.15.0.1. What does the scanner say?

JorritSalverda commented 4 years ago

Hi Beth, it's now free of any level of vulnerability!

By the way, getting Trivy on your own machine is as simple as running brew install aquasecurity/trivy/trivy if you happen to be on a Mac and use Homebrew.

Thanks for addressing this issue.

bethesque commented 4 years ago

Would you be interested in adding trivy to the Github Actions build so we can keep it vulnerability free? Looks like they've done all the hard work here already: https://github.com/aquasecurity/trivy#github-actions