shaarli / Shaarli

The personal, minimalist, super-fast, database free, bookmarking service - community repo
https://shaarli.readthedocs.io/

CI: Build/push Docker image (master/latest): failed (medium-level vulnerability in base alpine 3.16 image) #2013

Closed nodiscc closed 1 year ago

nodiscc commented 1 year ago

Ref. https://github.com/shaarli/Shaarli/actions/runs/5727352782/job/15519576105

```
Run make test_trivy_docker TRIVY_TARGET_DOCKER_IMAGE=ghcr.io/***:latest
wget --quiet --continue -O trivy_0.44.0_Linux-64bit.tar.gz https://github.com/aquasecurity/trivy/releases/download/v0.44.0/trivy_0.44.0_Linux-64bit.tar.gz
tar -z -x trivy -f trivy_0.44.0_Linux-64bit.tar.gz
./trivy --exit-code 1 image ghcr.io/***:latest
2023-08-01T13:31:23.532Z    INFO    Need to update DB
2023-08-01T13:31:23.532Z    INFO    DB Repository: ghcr.io/aquasecurity/trivy-db
2023-08-01T13:31:23.532Z    INFO    Downloading DB...
38.58 MiB / 38.58 MiB [-------------------------------------------------] 100.00% 21.10 MiB p/s 2.0s
2023-08-01T13:31:25.954Z    INFO    Vulnerability scanning is enabled
2023-08-01T13:31:25.954Z    INFO    Secret scanning is enabled
2023-08-01T13:31:25.954Z    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-08-01T13:31:25.954Z    INFO    Please see also https://aquasecurity.github.io/trivy/v0.44/docs/scanner/secret/#recommendation for faster secret detection
2023-08-01T13:31:33.652Z    INFO    Detected OS: alpine
2023-08-01T13:31:33.652Z    INFO    Detecting Alpine vulnerabilities...
2023-08-01T13:31:33.660Z    INFO    Number of language-specific files: 1
2023-08-01T13:31:33.660Z    INFO    Detecting composer vulnerabilities...

ghcr.io/***:latest (alpine 3.16.6)
==============================================
Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 0, CRITICAL: 0)

┌──────────────┬───────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────┐
│   Library    │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │                        Title                         │
├──────────────┼───────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────┤
│ libcrypto1.1 │ CVE-2023-3446 │ MEDIUM   │ fixed  │ 1.1.1u-r1         │ 1.1.1u-r2     │ Excessive time spent checking DH keys and parameters │
│              │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-3446            │
├──────────────┤               │          │        │                   │               │                                                      │
│ libssl1.1    │               │          │        │                   │               │                                                      │
│              │               │          │        │                   │               │                                                      │
└──────────────┴───────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────┘
make: *** [Makefile:210: test_trivy_docker] Error 1
Error: Process completed with exit code 2.
```
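The scan above fails the build because `trivy --exit-code 1` treats any finding as blocking. The following is an added example (not Shaarli's Makefile target or trivy's own code) of a small CI gate over trivy's JSON report that blocks only on findings at or above a severity threshold for which the distro already ships a fixed package, which is the case the thread describes: a base-image bump clears it. The report below is constructed from the table in this issue and its field names are assumed to follow trivy's `--format json` layout.

```python
import json

# Constructed sample modelled on the table above. The field names are an
# assumption about trivy's JSON report layout; this is not output captured
# from the Shaarli CI run.
REPORT_ALPINE_3_16_6 = json.dumps({
    "SchemaVersion": 2,
    "Results": [{
        "Target": "ghcr.io/***:latest (alpine 3.16.6)",
        "Type": "alpine",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2023-3446", "PkgName": "libcrypto1.1",
             "InstalledVersion": "1.1.1u-r1", "FixedVersion": "1.1.1u-r2",
             "Severity": "MEDIUM", "Status": "fixed",
             "Title": "Excessive time spent checking DH keys and parameters"},
            {"VulnerabilityID": "CVE-2023-3446", "PkgName": "libssl1.1",
             "InstalledVersion": "1.1.1u-r1", "FixedVersion": "1.1.1u-r2",
             "Severity": "MEDIUM", "Status": "fixed",
             "Title": "Excessive time spent checking DH keys and parameters"},
        ],
    }],
})

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def blocking_findings(report_json, min_severity="MEDIUM", require_fix=True):
    """Findings that should fail the build: severity at or above
    `min_severity` and, when `require_fix` is set, a fixed package version
    already available (Status == "fixed"), so a base-image bump clears it."""
    report = json.loads(report_json)
    threshold = SEVERITY_RANK[min_severity]
    blocking = []
    for result in report.get("Results", []):
        # trivy leaves "Vulnerabilities" out (or null) when a target is clean.
        for vuln in result.get("Vulnerabilities") or []:
            if SEVERITY_RANK.get(vuln.get("Severity", "UNKNOWN"), 0) < threshold:
                continue
            if require_fix and vuln.get("Status") != "fixed":
                continue
            blocking.append((vuln["PkgName"], vuln["VulnerabilityID"],
                             vuln["InstalledVersion"], vuln.get("FixedVersion", "")))
    return blocking


def gate_exit_code(report_json, **policy):
    """Mirror `trivy --exit-code 1`: non-zero while any blocking finding remains."""
    return 1 if blocking_findings(report_json, **policy) else 0
```

On the constructed 3.16.6 report the gate returns exit code 1 with both packages listed; a clean report, as after the alpine 3.16.7 rebuild, yields 0.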
nodiscc commented 1 year ago

The correct solution would be to update the base alpine image to 3.17 or 3.18 (https://hub.docker.com/_/alpine/).

I don't use the docker deployment method, so if someone is willing to rebuild/test an alpine:3.18-based image and send a Pull Request, I would merge it.

nodiscc commented 1 year ago

The alpine:3.16 base image now points to alpine:3.16.7, which no longer has these vulnerabilities: https://github.com/shaarli/Shaarli/actions/runs/5911196280/job/16033493409#step:10:20

We should still consider upgrading the base image to 3.17 or 3.18.

Closing as the initial problem is now resolved.