sqitchers / docker-sqitch

Docker Image packaging for Sqitch
MIT License

CVE-2023-36328 with `sqitch/sqitch:latest` #66

Closed skuethe closed 6 days ago

skuethe commented 1 week ago

Hey there,

thank you for this image. Currently our trivy scans block sqitch/sqitch:latest because of a fixable critical vulnerability, CVE-2023-36328.

I scanned the upstream image docker.io/library/debian:bookworm-slim, but that goes through. I also tried building the image locally to figure out if the vuln is introduced by some RUN command, but I am having some trouble with the build, since I am using non-root podman instead of docker and those find .. -delete commands are breaking stuff for me.

My guess is that using the up-to-date upstream version just fixes this problem. Could you verify and / or release a new version for this?

$ trivy image --severity CRITICAL --ignore-unfixed docker.io/sqitch/sqitch:latest
2024-07-02T09:46:44.591+0200    INFO    Vulnerability scanning is enabled
2024-07-02T09:46:44.591+0200    INFO    Secret scanning is enabled
2024-07-02T09:46:44.591+0200    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-02T09:46:44.591+0200    INFO    Please see also https://aquasecurity.github.io/trivy/v0.50/docs/scanner/secret/#recommendation for faster secret detection
2024-07-02T09:46:44.654+0200    INFO    Detected OS: debian
2024-07-02T09:46:44.654+0200    INFO    Detecting Debian vulnerabilities...
2024-07-02T09:46:44.682+0200    INFO    Number of language-specific files: 0

docker.io/sqitch/sqitch:latest (debian 12.4)

Total: 1 (CRITICAL: 1)

┌─────────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬─────────────────────────────────────────────────────┐
│   Library   │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                        Title                        │
├─────────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼─────────────────────────────────────────────────────┤
│ libtommath1 │ CVE-2023-36328 │ CRITICAL │ fixed  │ 1.2.0-6           │ 1.2.0-6+deb12u1 │ Integer Overflow vulnerability in mp_grow in libtom │
│             │                │          │        │                   │                 │ libtommath before ...                               │
│             │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2023-36328          │
└─────────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴─────────────────────────────────────────────────────┘
$ trivy image --severity CRITICAL --ignore-unfixed docker.io/library/debian:bookworm-slim
2024-07-02T09:46:58.962+0200    INFO    Vulnerability scanning is enabled
2024-07-02T09:46:58.962+0200    INFO    Secret scanning is enabled
2024-07-02T09:46:58.962+0200    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-02T09:46:58.962+0200    INFO    Please see also https://aquasecurity.github.io/trivy/v0.50/docs/scanner/secret/#recommendation for faster secret detection
2024-07-02T09:47:00.204+0200    INFO    Detected OS: debian
2024-07-02T09:47:00.204+0200    INFO    Detecting Debian vulnerabilities...
2024-07-02T09:47:00.207+0200    INFO    Number of language-specific files: 0

docker.io/library/debian:bookworm-slim (debian 12.6)

Total: 0 (CRITICAL: 0)

Thanks, much appreciated!
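The question raised in the report above (is the CVE inherited from the base image, or does the image's own build add it?) can be answered mechanically from trivy's `--format json` output for the image and for its base. The script below is an added example, not code from the docker-sqitch project or from anyone in this thread. It embeds two constructed JSON documents that mirror the two scan tables above so it runs offline; the field names (`Metadata.OS`, `Results[].Vulnerabilities[].VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`) are my understanding of trivy's schema-v2 JSON and are an assumption, as is the CI policy encoded in `gate()`.

```python
"""Gate an image on fixable CRITICAL OS-package CVEs from trivy JSON output and
tell inherited-from-base findings apart from ones the base does not carry.
Field names follow trivy's schema-v2 JSON as I understand it (assumption)."""
import json
from dataclasses import dataclass

# Constructed sample (not real trivy output): the image from this issue,
# built on debian 12.4, carrying the libtommath1 finding from the table above.
IMAGE_REPORT = json.loads(r"""
{"SchemaVersion": 2, "ArtifactName": "docker.io/sqitch/sqitch:latest",
 "Metadata": {"OS": {"Family": "debian", "Name": "12.4"}},
 "Results": [{"Target": "docker.io/sqitch/sqitch:latest (debian 12.4)",
   "Class": "os-pkgs", "Type": "debian",
   "Vulnerabilities": [{"VulnerabilityID": "CVE-2023-36328",
     "PkgName": "libtommath1", "InstalledVersion": "1.2.0-6",
     "FixedVersion": "1.2.0-6+deb12u1", "Status": "fixed",
     "Severity": "CRITICAL"}]}]}
""")

# Constructed sample for the upstream base image, which scanned clean.
BASE_REPORT = json.loads(r"""
{"SchemaVersion": 2, "ArtifactName": "docker.io/library/debian:bookworm-slim",
 "Metadata": {"OS": {"Family": "debian", "Name": "12.6"}},
 "Results": [{"Target": "docker.io/library/debian:bookworm-slim (debian 12.6)",
   "Class": "os-pkgs", "Type": "debian", "Vulnerabilities": []}]}
""")


@dataclass(frozen=True, order=True)
class Finding:
    cve: str
    pkg: str
    installed: str
    fixed: str


def fixable_findings(report, severities=frozenset({"CRITICAL"})):
    """OS-package findings of the given severities that have a fix available,
    i.e. what `trivy --severity CRITICAL --ignore-unfixed` prints."""
    found = set()
    for result in report.get("Results", []):
        if result.get("Class") != "os-pkgs":
            continue
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("Severity") not in severities:
                continue
            fixed = vuln.get("FixedVersion")
            if not fixed:  # mirrors --ignore-unfixed
                continue
            found.add(Finding(vuln["VulnerabilityID"], vuln["PkgName"],
                              vuln["InstalledVersion"], fixed))
    return found


def os_release(report):
    """(family, version tuple) from trivy's metadata, e.g. ('debian', (12, 4))."""
    os_info = report["Metadata"]["OS"]
    version = tuple(int(part) for part in os_info["Name"].split("."))
    return os_info["Family"], version


def triage(image_report, base_report):
    """Split the image's fixable findings into those the current base also
    carries (downstream cannot fix them) and those it does not. The latter
    come either from a RUN step in the Dockerfile or from building on a base
    snapshot older than the one scanned now; comparing the OS point release
    (12.4 vs 12.6 in this issue) distinguishes the two."""
    image = fixable_findings(image_report)
    base = fixable_findings(base_report)
    img_family, img_ver = os_release(image_report)
    base_family, base_ver = os_release(base_report)
    return {
        "inherited": sorted(image & base),
        "not_in_base": sorted(image - base),
        "stale_base": img_family == base_family and img_ver < base_ver,
    }


def gate(image_report, base_report):
    """CI policy (assumed): exit 0 only when no fixable critical remains."""
    result = triage(image_report, base_report)
    for f in result["inherited"]:
        print(f"{f.cve} in {f.pkg} {f.installed}: also in base, wait for upstream")
    for f in result["not_in_base"]:
        print(f"{f.cve} in {f.pkg} {f.installed} (fixed in {f.fixed}): not in base")
    if result["stale_base"]:
        print("image OS release is older than the current base: pull base and rebuild")
    return 0 if not (result["inherited"] or result["not_in_base"]) else 1


if __name__ == "__main__":
    raise SystemExit(gate(IMAGE_REPORT, BASE_REPORT))
```

On real data, produce the two documents with `trivy image --format json -o image.json <image>` and the same for the base, and load them with `json.load` in place of the embedded samples. The `stale_base` flag is the signal that matters for this issue: a finding absent from the current base plus an older point release says "rebuild on a fresh base" rather than "hunt through the RUN commands".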

theory commented 1 week ago

Just pushed v1.4.1.1; let's see how the build goes.

theory commented 1 week ago

Okay, give v1.4.1.1 a try.

theory commented 1 week ago

Looks a lot better.

skuethe commented 6 days ago
$ trivy image --severity CRITICAL --ignore-unfixed docker.io/sqitch/sqitch:v1.4.1.1
2024-07-03T08:28:17.204+0200    INFO    Vulnerability scanning is enabled
2024-07-03T08:28:17.204+0200    INFO    Secret scanning is enabled
2024-07-03T08:28:17.204+0200    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-03T08:28:17.204+0200    INFO    Please see also https://aquasecurity.github.io/trivy/v0.50/docs/scanner/secret/#recommendation for faster secret detection
2024-07-03T08:28:20.983+0200    INFO    Detected OS: debian
2024-07-03T08:28:20.983+0200    INFO    Detecting Debian vulnerabilities...
2024-07-03T08:28:21.011+0200    INFO    Number of language-specific files: 0

docker.io/sqitch/sqitch:v1.4.1.1 (debian 12.6)

Total: 0 (CRITICAL: 0)

Thank you for the fast fix! 👍🏽