project-copacetic / copacetic

🧵 CLI tool for directly patching container images!
https://project-copacetic.github.io/copacetic/
Apache License 2.0

[BUG] Downloads not the latest version or fixedVersion of the packages #192

Open clma91 opened 1 year ago

clma91 commented 1 year ago

Version of copa

v0.2.0

Expected Behavior

I expected that the patch applies the latest, or at least the highest fixedVersion number, of a package in case there are a few of the same libraries listed in the patch.json.

Which would update in my case for example:

Actual Behavior

Instead copa seems to update the package to the next version in row.

Error: 5 errors occurred:
        ...
        * downloaded package libwebp version 1.2.3-r1 lower than required 1.3.0-r3 for update
        * downloaded package tiff version 4.4.0-r3 lower than required 4.5.0-r0 for update

Steps To Reproduce

  1. Run trivy
    root@6f623b4cd7d7:/azp# trivy image --exit-code 0 --format json --output ./patch.json --scanners vuln --vuln-type os --ignore-unfixed --severity "HIGH" some-registry.org/repo/corp-aspnetcore:6.0-alpine
    2023-06-21T10:20:54.536Z        INFO    Vulnerability scanning is enabled
    2023-06-21T10:20:54.545Z        INFO    Detected OS: alpine
    2023-06-21T10:20:54.545Z        INFO    Detecting Alpine vulnerabilities...
  2. Display trivy output
    root@6f623b4cd7d7:/azp# cat patch.json | jq '.Results[0].Vulnerabilities[] | "\(.PkgID) \(.Severity) \(.CweIDs) \(.Title) \(.InstalledVersion) \(.FixedVersion)"' | sort | uniq
    "krb5-libs@1.19.4-r0 HIGH [\"CWE-190\"] integer overflow vulnerabilities in PAC parsing 1.19.4-r0 1.20.1-r0"
    "libcrypto1.1@1.1.1t-r0 HIGH [\"CWE-120\"] X.509 Email Address Buffer Overflow 1.1.1t-r0 3.0.7-r0"
    "libcrypto1.1@1.1.1t-r0 HIGH [\"CWE-120\"] X.509 Email Address Variable Length Buffer Overflow 1.1.1t-r0 3.0.7-r0"
    "libcrypto1.1@1.1.1t-r0 HIGH [\"CWE-295\"] Denial of service by excessive resource usage in verifying X509 policy constraints 1.1.1t-r0 3.1.0-r1"
    "libcrypto1.1@1.1.1t-r0 HIGH [\"CWE-404\"] OPENSSL_LH_flush() breaks reuse of memory 1.1.1t-r0 3.0.3-r0"
    "libcrypto1.1@1.1.1t-r0 HIGH [\"CWE-415\"] double free after calling PEM_read_bio_ex 1.1.1t-r0 3.0.8-r0"
    "libcrypto1.1@1.1.1t-r0 HIGH [\"CWE-416\"] use-after-free following BIO_new_NDEF 1.1.1t-r0 3.0.8-r0"
    "libcrypto1.1@1.1.1t-r0 HIGH [\"CWE-476\"] invalid pointer dereference in d2i_PKCS7 functions 1.1.1t-r0 3.0.8-r0"
    "libcrypto1.1@1.1.1t-r0 HIGH [\"CWE-476\"] NULL dereference during PKCS7 data verification 1.1.1t-r0 3.0.8-r0"
    "libcrypto1.1@1.1.1t-r0 HIGH [\"CWE-476\"] NULL dereference validating DSA public key 1.1.1t-r0 3.0.8-r0"
    "libcrypto1.1@1.1.1t-r0 HIGH [\"CWE-476\"] Using a Custom Cipher with NID_undef may lead to NULL encryption 1.1.1t-r0 3.0.6-r0"
    "libcrypto1.1@1.1.1t-r0 HIGH [\"CWE-667\"] openssl: double locking leads to denial of service 1.1.1t-r0 3.0.7-r2"
    "libcrypto1.1@1.1.1t-r0 HIGH [\"CWE-770\"] Possible DoS translating ASN.1 object identifiers 1.1.1t-r0 3.1.1-r0"
    "libcrypto1.1@1.1.1t-r0 HIGH [\"CWE-835\"] openssl: Infinite loop in BN_mod_sqrt() reachable when parsing certificates 1.1.1t-r0 3.0.2-r0"
    "libcrypto1.1@1.1.1t-r0 HIGH [\"CWE-835\"] openssl: invalid handling of X509_verify_cert() internal errors in libssl 1.1.1t-r0 3.0.1-r0"
    "libcrypto1.1@1.1.1t-r0 HIGH [\"CWE-843\"] X.400 address type confusion in X.509 GeneralName 1.1.1t-r0 3.0.8-r0"
    "libssl1.1@1.1.1t-r0 HIGH [\"CWE-120\"] X.509 Email Address Buffer Overflow 1.1.1t-r0 3.0.7-r0"
    "libssl1.1@1.1.1t-r0 HIGH [\"CWE-120\"] X.509 Email Address Variable Length Buffer Overflow 1.1.1t-r0 3.0.7-r0"
    "libssl1.1@1.1.1t-r0 HIGH [\"CWE-295\"] Denial of service by excessive resource usage in verifying X509 policy constraints 1.1.1t-r0 3.1.0-r1"
    "libssl1.1@1.1.1t-r0 HIGH [\"CWE-404\"] OPENSSL_LH_flush() breaks reuse of memory 1.1.1t-r0 3.0.3-r0"
    "libssl1.1@1.1.1t-r0 HIGH [\"CWE-415\"] double free after calling PEM_read_bio_ex 1.1.1t-r0 3.0.8-r0"
    "libssl1.1@1.1.1t-r0 HIGH [\"CWE-416\"] use-after-free following BIO_new_NDEF 1.1.1t-r0 3.0.8-r0"
    "libssl1.1@1.1.1t-r0 HIGH [\"CWE-476\"] invalid pointer dereference in d2i_PKCS7 functions 1.1.1t-r0 3.0.8-r0"
    "libssl1.1@1.1.1t-r0 HIGH [\"CWE-476\"] NULL dereference during PKCS7 data verification 1.1.1t-r0 3.0.8-r0"
    "libssl1.1@1.1.1t-r0 HIGH [\"CWE-476\"] NULL dereference validating DSA public key 1.1.1t-r0 3.0.8-r0"
    "libssl1.1@1.1.1t-r0 HIGH [\"CWE-476\"] Using a Custom Cipher with NID_undef may lead to NULL encryption 1.1.1t-r0 3.0.6-r0"
    "libssl1.1@1.1.1t-r0 HIGH [\"CWE-667\"] openssl: double locking leads to denial of service 1.1.1t-r0 3.0.7-r2"
    "libssl1.1@1.1.1t-r0 HIGH [\"CWE-770\"] Possible DoS translating ASN.1 object identifiers 1.1.1t-r0 3.1.1-r0"
    "libssl1.1@1.1.1t-r0 HIGH [\"CWE-835\"] openssl: Infinite loop in BN_mod_sqrt() reachable when parsing certificates 1.1.1t-r0 3.0.2-r0"
    "libssl1.1@1.1.1t-r0 HIGH [\"CWE-835\"] openssl: invalid handling of X509_verify_cert() internal errors in libssl 1.1.1t-r0 3.0.1-r0"
    "libssl1.1@1.1.1t-r0 HIGH [\"CWE-843\"] X.400 address type confusion in X.509 GeneralName 1.1.1t-r0 3.0.8-r0"
    "libwebp@1.2.3-r0 HIGH null Double-free in libwebp 1.2.3-r0 1.3.0-r3"
    "tiff@4.4.0-r0 HIGH [\"CWE-189\",\"CWE-190\"] integer overflow in function TIFFReadRGBATileExt of the file 4.4.0-r0 4.5.0-r0"
  3. Apply patch with copa
    root@6f623b4cd7d7:/azp# copa patch -i some-registry.org/repo/corp-aspnetcore:6.0-alpine -r ./patch.json -t 6.0-alpine-patched
    [+] Building 0.1s (8/8) FINISHED
    => docker-image://some-registry.org/repo/corp-aspnetcore:6.0-alpine 0.0s
    => => resolve some-registry.org/repo/corp-aspnetcore:6.0-alpine 0.0s
    => CACHED apk update 0.0s
    => CACHED apk add --no-cache krb5-libs libcrypto1.1 libssl1.1 libwebp tiff 0.0s
    => CACHED apk upgrade --no-cache krb5-libs libcrypto1.1 libssl1.1 libwebp tiff 0.0s
    => CACHED mkdir /copa-out 0.0s
    => CACHED sh -c apk info --installed -v krb5-libs libcrypto1.1 libssl1.1 libwebp tiff > results.manifest; if [[ $? -ne 0 ]]; then echo "WARN: apk info --installed returned $?"; fi 0.0s
    => CACHED diff (apk upgrade --no-cache krb5-libs libcrypto1.1 libssl1.1 libwebp tiff) -> (sh -c apk info --installed -v krb5-libs libcrypto1.1 libssl1.1 libwebp tiff > results.manifest; if [[ $? -ne 0 ]]; then echo "WARN: apk info --installed returned $?"; fi) 0.0s
    => exporting to client directory 0.0s
    => => copying files 172B 0.0s
    ERRO[0000] downloaded package krb5-libs version 1.19.4-r0 lower than required 1.20.1-r0 for update
    ERRO[0000] downloaded package libcrypto1.1 version 1.1.1u-r1 lower than required 3.1.1-r0 for update
    ERRO[0000] downloaded package libssl1.1 version 1.1.1u-r1 lower than required 3.1.1-r0 for update
    ERRO[0000] downloaded package libwebp version 1.2.3-r1 lower than required 1.3.0-r3 for update
    ERRO[0000] downloaded package tiff version 4.4.0-r3 lower than required 4.5.0-r0 for update
    Error: 5 errors occurred:
        * downloaded package krb5-libs version 1.19.4-r0 lower than required 1.20.1-r0 for update
        * downloaded package libcrypto1.1 version 1.1.1u-r1 lower than required 3.1.1-r0 for update
        * downloaded package libssl1.1 version 1.1.1u-r1 lower than required 3.1.1-r0 for update
        * downloaded package libwebp version 1.2.3-r1 lower than required 1.3.0-r3 for update
        * downloaded package tiff version 4.4.0-r3 lower than required 4.5.0-r0 for update

This does not happen with all our images. Is there anything I'm missing?

Thanks for taking the time to take care of this.
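The report above hinges on two steps that are easy to check offline: collapsing several Trivy findings for one package into a single "required" fixedVersion (the highest one), and comparing that against the version `apk info --installed -v` actually wrote to `results.manifest`. The script below is an added illustration, not copa's or Trivy's own code. It assumes Trivy's JSON carries `PkgName`, `InstalledVersion` and `FixedVersion` per finding (the fields the `jq` filter above also reads), that the manifest is one `name-version` line per package, and it uses a deliberately simplified approximation of apk's version ordering (digits and letter suffixes, then the `-rN` release) rather than apk's real comparator. The sample JSON and manifest are constructed from the values quoted in the report. The `major_mismatch` flag is a heuristic added here: when the installed version and the required fixedVersion disagree in their first numeric component (1.1.1u vs 3.1.1 for libcrypto1.1), an `apk upgrade` of the same package name is unlikely to ever reach the required version, which is worth surfacing separately from a plain "lower than required".

```python
import json
import re

# Constructed sample in Trivy's JSON layout, condensed from the findings
# quoted in the report (only the fields this script reads are included).
SAMPLE_TRIVY_JSON = json.dumps({
    "Results": [{
        "Vulnerabilities": [
            {"PkgName": "libcrypto1.1", "InstalledVersion": "1.1.1t-r0", "FixedVersion": "3.0.8-r0"},
            {"PkgName": "libcrypto1.1", "InstalledVersion": "1.1.1t-r0", "FixedVersion": "3.1.1-r0"},
            {"PkgName": "libcrypto1.1", "InstalledVersion": "1.1.1t-r0", "FixedVersion": "3.0.2-r0"},
            {"PkgName": "libwebp",      "InstalledVersion": "1.2.3-r0",  "FixedVersion": "1.3.0-r3"},
            {"PkgName": "tiff",         "InstalledVersion": "4.4.0-r0",  "FixedVersion": "4.5.0-r0"},
            {"PkgName": "krb5-libs",    "InstalledVersion": "1.19.4-r0", "FixedVersion": "1.20.1-r0"},
        ]
    }]
})

# Constructed stand-in for results.manifest (apk info --installed -v output):
# the versions copa reported as "downloaded" in the error lines above.
SAMPLE_MANIFEST = """\
krb5-libs-1.19.4-r0
libcrypto1.1-1.1.1u-r1
libwebp-1.2.3-r1
tiff-4.4.0-r3
"""


def apk_version_key(version):
    """Simplified ordering key for apk-style versions such as '1.1.1t-r0'.

    Assumption: this approximates apk's comparator well enough for the
    versions in this report; it is not apk's real algorithm.
    Numeric parts sort numerically, letter suffixes alphabetically, and a
    version missing a suffix sorts before the same version with one.
    """
    base, _, rel = version.partition("-r")
    tokens = tuple((1, int(t)) if t.isdigit() else (0, t)
                   for t in re.findall(r"\d+|[A-Za-z]+", base))
    return (tokens, int(rel) if rel.isdigit() else 0)


def required_versions(trivy_json):
    """Map package name -> highest FixedVersion among all of its findings."""
    required = {}
    for result in json.loads(trivy_json).get("Results", []):
        for finding in result.get("Vulnerabilities", []):
            fixed = finding.get("FixedVersion")
            if not fixed:
                continue  # --ignore-unfixed should drop these, but be safe
            name = finding["PkgName"]
            if name not in required or apk_version_key(fixed) > apk_version_key(required[name]):
                required[name] = fixed
    return required


def parse_manifest(text):
    """Parse 'name-version' lines; the version starts at the last '-' followed by a digit."""
    installed = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        match = re.match(r"^(.*)-(\d.*)$", line)  # greedy name, so 'krb5-libs' survives
        if match:
            installed[match.group(1)] = match.group(2)
    return installed


def check_patch(trivy_json, manifest_text):
    """Replicate the post-upgrade check: {pkg: (installed, required, ok, major_mismatch)}.

    ok            -> installed version satisfies the highest fixedVersion
    major_mismatch -> heuristic: first numeric component differs, so the fix
                      most likely lives in a different package, not a newer
                      build of this one
    """
    required = required_versions(trivy_json)
    installed = parse_manifest(manifest_text)
    report = {}
    for name, need in required.items():
        got = installed.get(name)
        ok = got is not None and apk_version_key(got) >= apk_version_key(need)
        mismatch = (got is not None
                    and apk_version_key(got)[0][:1] != apk_version_key(need)[0][:1])
        report[name] = (got, need, ok, mismatch)
    return report


if __name__ == "__main__":
    for name, (got, need, ok, mismatch) in sorted(check_patch(SAMPLE_TRIVY_JSON, SAMPLE_MANIFEST).items()):
        status = "ok" if ok else ("unreachable by upgrade?" if mismatch else "lower than required")
        print(f"{name:14} installed={got:12} required={need:12} {status}")
```

Run against the constructed sample it reproduces the five-package failure from the report, and additionally separates libcrypto1.1 (whose required 3.x version is in a different major than the installed 1.1.1u) from krb5-libs, libwebp and tiff, which are merely behind. That distinction is the first thing to look at when a patch run fails this way.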

sozercan commented 1 year ago

@clma91 can you post your Dockerfile? do you have edge enabled in alpine?

clma91 commented 1 year ago

@sozercan here is the Dockerfile and yes edge is enabled:

# escape=`

ARG BASE_IMAGE_REGISTRY=some-registry.org
FROM $BASE_IMAGE_REGISTRY/repo/aspnetcore:6.0-alpine

# install certificates
COPY /Docker/Certificates/*.crt /usr/local/share/ca-certificates/
RUN update-ca-certificates

# add apk repos
RUN echo "http://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories && apk update

# install gdi
RUN apk add --no-cache libgdiplus

# set timezone
RUN apk add --no-cache tzdata
ENV TZ "Europe/Zurich"
RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone

# configure cultures
RUN apk add --no-cache icu-libs icu-data-full
ENV DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=false