pact-foundation / pact-ruby-cli

Amalgamated Pact Ruby CLI
https://pact.io
MIT License

Docker image pactfoundation/pact-cli:0.51.0.0 has high and critical vulnerabilities #91

Closed j3rrywan9 closed 1 year ago

j3rrywan9 commented 1 year ago

When running a security scan with the https://github.com/aquasecurity/trivy tool with the following command:

trivy image --severity HIGH,CRITICAL pactfoundation/pact-cli:0.51.0.0

It returns the following HIGH and CRITICAL vulnerabilities:

2023-02-27T08:11:34.097-0800    INFO    Need to update DB
2023-02-27T08:11:34.098-0800    INFO    DB Repository: ghcr.io/aquasecurity/trivy-db
2023-02-27T08:11:34.098-0800    INFO    Downloading DB...
35.79 MiB / 35.79 MiB [---------------------------------------------------------------------------------------------------------------------------------] 100.00% 14.70 MiB p/s 2.6s
2023-02-27T08:11:38.615-0800    INFO    Vulnerability scanning is enabled
2023-02-27T08:11:38.616-0800    INFO    Secret scanning is enabled
2023-02-27T08:11:38.616-0800    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-02-27T08:11:38.616-0800    INFO    Please see also https://aquasecurity.github.io/trivy/v0.37/docs/secret/scanning/#recommendation for faster secret detection
2023-02-27T08:11:38.657-0800    INFO    Detected OS: alpine
2023-02-27T08:11:38.657-0800    INFO    Detecting Alpine vulnerabilities...
2023-02-27T08:11:38.662-0800    INFO    Number of language-specific files: 3
2023-02-27T08:11:38.662-0800    INFO    Detecting cargo vulnerabilities...
2023-02-27T08:11:38.663-0800    INFO    Detecting gemspec vulnerabilities...

pactfoundation/pact-cli:0.51.0.0 (alpine 3.15.6)

Total: 17 (HIGH: 13, CRITICAL: 4)

┌──────────────┬────────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│   Library    │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                           Title                            │
├──────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ expat        │ CVE-2022-43680 │ HIGH     │ 2.4.9-r0          │ 2.5.0-r0      │ expat: use-after free caused by overeager destruction of a │
│              │                │          │                   │               │ shared DTD in...                                           │
│              │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-43680                 │
├──────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ git          │ CVE-2022-23521 │ CRITICAL │ 2.34.4-r0         │ 2.34.6-r0     │ Git is distributed revision control system. gitattributes  │
│              │                │          │                   │               │ are a mechan ...                                           │
│              │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-23521                 │
│              ├────────────────┤          │                   │               ├────────────────────────────────────────────────────────────┤
│              │ CVE-2022-41903 │          │                   │               │ Git is distributed revision control system. `git log` can  │
│              │                │          │                   │               │ display comm ......                                        │
│              │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-41903                 │
│              ├────────────────┼──────────┤                   ├───────────────┼────────────────────────────────────────────────────────────┤
│              │ CVE-2022-39260 │ HIGH     │                   │ 2.34.5-r0     │ git: git shell function that splits command arguments can  │
│              │                │          │                   │               │ lead to arbitrary...                                       │
│              │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-39260                 │
│              ├────────────────┤          │                   ├───────────────┼────────────────────────────────────────────────────────────┤
│              │ CVE-2023-23946 │          │                   │ 2.34.7-r0     │ Git, a revision control system, is vulnerable to path      │
│              │                │          │                   │               │ traversal prior ...                                        │
│              │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-23946                 │
├──────────────┼────────────────┤          ├───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ libcrypto1.1 │ CVE-2022-4450  │          │ 1.1.1q-r0         │ 1.1.1t-r0     │ The function PEM_read_bio_ex() reads a PEM file from a BIO │
│              │                │          │                   │               │ and parses...                                              │
│              │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-4450                  │
│              ├────────────────┤          │                   │               ├────────────────────────────────────────────────────────────┤
│              │ CVE-2023-0215  │          │                   │               │ The public API function BIO_new_NDEF is a helper function  │
│              │                │          │                   │               │ used for str...                                            │
│              │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-0215                  │
│              ├────────────────┤          │                   │               ├────────────────────────────────────────────────────────────┤
│              │ CVE-2023-0286  │          │                   │               │ There is a type confusion vulnerability relating to X.400  │
│              │                │          │                   │               │ address proc ......                                        │
│              │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-0286                  │
├──────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ libcurl      │ CVE-2022-32221 │ CRITICAL │ 7.80.0-r3         │ 7.80.0-r4     │ curl: POST following PUT confusion                         │
│              │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-32221                 │
│              ├────────────────┤          │                   │               ├────────────────────────────────────────────────────────────┤
│              │ CVE-2022-42915 │          │                   │               │ curl: HTTP proxy double-free                               │
│              │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-42915                 │
│              ├────────────────┼──────────┤                   │               ├────────────────────────────────────────────────────────────┤
│              │ CVE-2022-42916 │ HIGH     │                   │               │ curl: HSTS bypass via IDN                                  │
│              │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-42916                 │
│              ├────────────────┤          │                   ├───────────────┼────────────────────────────────────────────────────────────┤
│              │ CVE-2022-43551 │          │                   │ 7.80.0-r5     │ curl: HSTS bypass via IDN                                  │
│              │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-43551                 │
├──────────────┼────────────────┤          ├───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ libssl1.1    │ CVE-2022-4450  │          │ 1.1.1q-r0         │ 1.1.1t-r0     │ The function PEM_read_bio_ex() reads a PEM file from a BIO │
│              │                │          │                   │               │ and parses...                                              │
│              │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-4450                  │
│              ├────────────────┤          │                   │               ├────────────────────────────────────────────────────────────┤
│              │ CVE-2023-0215  │          │                   │               │ The public API function BIO_new_NDEF is a helper function  │
│              │                │          │                   │               │ used for str...                                            │
│              │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-0215                  │
│              ├────────────────┤          │                   │               ├────────────────────────────────────────────────────────────┤
│              │ CVE-2023-0286  │          │                   │               │ There is a type confusion vulnerability relating to X.400  │
│              │                │          │                   │               │ address proc ......                                        │
│              │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-0286                  │
├──────────────┼────────────────┤          ├───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ ruby         │ CVE-2021-33621 │          │ 3.0.4-r0          │ 3.0.5-r0      │ ruby/cgi-gem: HTTP response splitting in CGI               │
│              │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2021-33621                 │
├──────────────┤                │          │                   │               │                                                            │
│ ruby-libs    │                │          │                   │               │                                                            │
│              │                │          │                   │               │                                                            │
└──────────────┴────────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘
2023-02-27T08:11:38.677-0800    INFO    Table result includes only package filenames. Use '--format json' option to get the full path to the package file.

Ruby (gemspec)

Total: 3 (HIGH: 3, CRITICAL: 0)

┌───────────────────────────┬────────────────┬──────────┬───────────────────┬──────────────────────────────────────────────────────────┬────────────────────────────────────────────────────────────┐
│          Library          │ Vulnerability  │ Severity │ Installed Version │                      Fixed Version                       │                           Title                            │
├───────────────────────────┼────────────────┼──────────┼───────────────────┼──────────────────────────────────────────────────────────┼────────────────────────────────────────────────────────────┤
│ rack (rack-2.2.4.gemspec) │ CVE-2022-44570 │ HIGH     │ 2.2.4             │ ~> 2.0.9, >= 2.0.9.2, ~> 2.1.4, >= 2.1.4.2, ~> 2.2.6, >= │ A denial of service vulnerability in the Range header      │
│                           │                │          │                   │ 2.2.6.2, >= 3.0.4.1                                      │ parsing componen ......                                    │
│                           │                │          │                   │                                                          │ https://avd.aquasec.com/nvd/cve-2022-44570                 │
│                           ├────────────────┤          │                   ├──────────────────────────────────────────────────────────┼────────────────────────────────────────────────────────────┤
│                           │ CVE-2022-44571 │          │                   │ ~> 2.0.9, >= 2.0.9.2, ~> 2.1.4, >= 2.1.4.2, ~> 2.2.6, >= │ There is a denial of service vulnerability in the          │
│                           │                │          │                   │ 2.2.6.1, >= 3.0.4.1                                      │ Content-Disposition ......                                 │
│                           │                │          │                   │                                                          │ https://avd.aquasec.com/nvd/cve-2022-44571                 │
│                           ├────────────────┤          │                   │                                                          ├────────────────────────────────────────────────────────────┤
│                           │ CVE-2022-44572 │          │                   │                                                          │ A denial of service vulnerability in the multipart parsing │
│                           │                │          │                   │                                                          │ component o ......                                         │
│                           │                │          │                   │                                                          │ https://avd.aquasec.com/nvd/cve-2022-44572                 │
└───────────────────────────┴────────────────┴──────────┴───────────────────┴──────────────────────────────────────────────────────────┴────────────────────────────────────────────────────────────┘

Could you address these in the pact-cli image?
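The table above is trivy's human-readable view; in a pipeline the JSON view (`--format json`, which the log line after the table also points at) is what you gate on. The following is an added example, not code from the pact-ruby-cli project or from anyone in this thread. It assumes the layout trivy emits with `--format json`: a top-level `Results` list whose entries carry `Target`, `Type` and a `Vulnerabilities` list of objects with `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion` and `Severity` (`Vulnerabilities` is omitted for a clean target and `FixedVersion` is omitted when no fixed package exists). The embedded sample report is constructed from a subset of the findings listed above plus one placeholder entry with an invented ID to exercise the "no fix available" path; the `ignore_unfixed` option mirrors trivy's own `--ignore-unfixed` flag.

```python
"""Summarise a trivy JSON report and apply a severity gate (added example)."""
import json
import sys
from collections import Counter

SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample: a subset of the issue's findings, plus a placeholder
# finding (invented ID, not a real CVE) that has no FixedVersion yet.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "pactfoundation/pact-cli:0.51.0.0",
    "Results": [
        {"Target": "pactfoundation/pact-cli:0.51.0.0 (alpine 3.15.6)", "Type": "alpine",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2022-23521", "PkgName": "git",
              "InstalledVersion": "2.34.4-r0", "FixedVersion": "2.34.6-r0", "Severity": "CRITICAL"},
             {"VulnerabilityID": "CVE-2022-43680", "PkgName": "expat",
              "InstalledVersion": "2.4.9-r0", "FixedVersion": "2.5.0-r0", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-2022-4450", "PkgName": "libcrypto1.1",
              "InstalledVersion": "1.1.1q-r0", "FixedVersion": "1.1.1t-r0", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-2022-4450", "PkgName": "libssl1.1",
              "InstalledVersion": "1.1.1q-r0", "FixedVersion": "1.1.1t-r0", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-PLACEHOLDER-0000", "PkgName": "example-pkg",
              "InstalledVersion": "1.0-r0", "Severity": "MEDIUM"},  # no FixedVersion key
         ]},
        {"Target": "Ruby", "Type": "gemspec",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2022-44570", "PkgName": "rack", "InstalledVersion": "2.2.4",
              "FixedVersion": "~> 2.0.9, >= 2.0.9.2, ~> 2.1.4, >= 2.1.4.2, ~> 2.2.6, >= 2.2.6.2, >= 3.0.4.1",
              "Severity": "HIGH"},
         ]},
        {"Target": "Cargo", "Type": "cargo"},  # clean target: no Vulnerabilities key
    ],
})


def load_sample():
    """Parse the constructed sample report."""
    return json.loads(SAMPLE_REPORT)


def _rank(severity):
    """Numeric rank for a severity string; anything unexpected ranks as UNKNOWN."""
    return SEVERITY_ORDER.index(severity) if severity in SEVERITY_ORDER else 0


def iter_findings(report):
    """Flatten Results[].Vulnerabilities[] into plain dicts, tolerating missing keys."""
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            yield {
                "target": result.get("Target", ""),
                "id": vuln["VulnerabilityID"],
                "pkg": vuln["PkgName"],
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion", ""),
                "severity": vuln.get("Severity", "UNKNOWN").upper(),
            }


def summarize(report):
    """Counts per severity; 'total' counts each (package, CVE) row as trivy's table does,
    so one CVE hitting libcrypto1.1 and libssl1.1 counts twice there but once in unique_cves."""
    findings = list(iter_findings(report))
    return {
        "total": len(findings),
        "by_severity": dict(Counter(f["severity"] for f in findings)),
        "unique_cves": len({f["id"] for f in findings}),
        "unfixed": sum(1 for f in findings if not f["fixed"]),
    }


def gate(report, threshold="HIGH", ignore_unfixed=False):
    """Return (passed, blocking): blocking lists findings at or above the threshold.
    With ignore_unfixed=True, findings that no rebuild can resolve are reported but not counted."""
    min_rank = _rank(threshold.upper())
    blocking = [f for f in iter_findings(report)
                if _rank(f["severity"]) >= min_rank and not (ignore_unfixed and not f["fixed"])]
    return (not blocking, blocking)


def format_blocking(blocking):
    """One line per blocking finding, most severe first, showing the upgrade target."""
    ordered = sorted(blocking, key=lambda f: (-_rank(f["severity"]), f["pkg"], f["id"]))
    return [f'{f["severity"]:<8} {f["pkg"]:<14} {f["id"]:<20} {f["installed"]} -> '
            f'{f["fixed"] or "no fix available"}' for f in ordered]


def main(argv):
    # Usage: python gate.py report.json   (report from: trivy image --format json -o report.json IMAGE)
    if len(argv) > 1:
        with open(argv[1]) as fh:
            report = json.load(fh)
    else:
        report = load_sample()
    summary = summarize(report)
    print(f'Total: {summary["total"]} rows, {summary["unique_cves"]} unique CVEs, '
          f'{summary["unfixed"]} without a fix; by severity: {summary["by_severity"]}')
    passed, blocking = gate(report, threshold="HIGH")
    print("\n".join(format_blocking(blocking)) or "no HIGH/CRITICAL findings")
    return 0 if passed else 1  # non-zero exit fails the pipeline step


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no argument to see the gate applied to the constructed sample, or pass the path of a real `trivy image --format json -o report.json IMAGE` output. The exit code is what a CI step should key on; the per-row output lists the installed and fixed versions so the rebuild can target the right base-image or gem upgrade.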

github-actions[bot] commented 1 year ago

👋 Hi! The 'smartbear-supported' label has just been added to this issue, which will create an internal tracking ticket in PactFlow's Jira (PACT-826). We will use this to prioritise and assign a team member to this task. All activity will be public on this ticket. For now, sit tight and we'll update this ticket once we have more information on the next steps.

See our documentation for more information.

bethesque commented 1 year ago

Please re-scan and let us know if there are outstanding issues.

j3rrywan9 commented 1 year ago

@bethesque I can confirm that there are 0 CVEs detected with the latest tag. Thanks for the fix!

bethesque commented 1 year ago

Phew! Great to hear. Thanks @vwong!