Open romankurnovskii opened 3 years ago
@romankurnovskii thank you for the issue, can you help us make sense of what was reported (it's unclear at the moment)?
The vulnerabilities you mentioned are vscode plugins which do not actually have the following dependencies:
pug
ruby
perl
handlebars
They are only JSON and TypeScript files which define grammars (syntax highlighting) for the languages.
Trying to investigate: I am trying to implement Theia in my environment, and I have to check for the vulnerabilities in this report, according to Snyk.
I agree with @vince-fugnitto - it seems that the detection of vulnerability is a bit over-zealous, e.g. apparently assuming that because there's a folder with "perl" in the name, a vulnerable version of Perl is installed.
I think none of the reported vulnerabilities actually has the corresponding tools installed in the theia-ide/theia image. But I think we do bundle some of the tools in other images (e.g. I think we have Ruby in the full image). It remains to be seen if what we bundle is a vulnerable version.
TL;DR I think these are false-positives
For example, the Perl item:
Impacted Image File(s): /home/theia/plugins/vscode-builtin-perl/extension
That built-in Perl extension contains almost nothing, and certainly not Perl itself. It's built from these sources:
https://github.com/microsoft/vscode/tree/main/extensions/perl
Guys, please give advice about these too (same image):
✗ High severity vulnerability found in openssl/libcrypto1.1
Description: Integer Overflow or Wraparound
Info: https://snyk.io/vuln/SNYK-ALPINE311-OPENSSL-1075738
Introduced through: openssl/libcrypto1.1@1.1.1g-r0, openssl/libssl1.1@1.1.1g-r0, apk-tools/apk-tools@2.10.5-r0, libtls-standalone/libtls-standalone@2.9.1-r0, ca-certificates/ca-certificates@20191127-r2, curl/libcurl@7.67.0-r3, openssh/openssh-client@8.1_p1-r0, openssh/openssh-server@8.1_p1-r0, openssh/openssh-sftp-server@8.1_p1-r0, openssh/openssh@8.1_p1-r0, openssh/openssh-keygen@8.1_p1-r0
From: openssl/libcrypto1.1@1.1.1g-r0
From: openssl/libssl1.1@1.1.1g-r0 > openssl/libcrypto1.1@1.1.1g-r0
From: apk-tools/apk-tools@2.10.5-r0 > openssl/libcrypto1.1@1.1.1g-r0
and 12 more...
Image layer: '/bin/sh -c apk add --no-cache git openssh bash'
Fixed in: 1.1.1j-r0
✗ High severity vulnerability found in openssl/libcrypto1.1
Description: Improper Certificate Validation
Info: https://snyk.io/vuln/SNYK-ALPINE311-OPENSSL-1089242
Introduced through: openssl/libcrypto1.1@1.1.1g-r0, openssl/libssl1.1@1.1.1g-r0, apk-tools/apk-tools@2.10.5-r0, libtls-standalone/libtls-standalone@2.9.1-r0, ca-certificates/ca-certificates@20191127-r2, curl/libcurl@7.67.0-r3, openssh/openssh-client@8.1_p1-r0, openssh/openssh-server@8.1_p1-r0, openssh/openssh-sftp-server@8.1_p1-r0, openssh/openssh@8.1_p1-r0, openssh/openssh-keygen@8.1_p1-r0
From: openssl/libcrypto1.1@1.1.1g-r0
From: openssl/libssl1.1@1.1.1g-r0 > openssl/libcrypto1.1@1.1.1g-r0
From: apk-tools/apk-tools@2.10.5-r0 > openssl/libcrypto1.1@1.1.1g-r0
and 12 more...
Image layer: '/bin/sh -c apk add --no-cache git openssh bash'
Fixed in: 1.1.1k-r0
✗ High severity vulnerability found in gcc/libstdc++
Description: Insufficient Entropy
Info: https://snyk.io/vuln/SNYK-ALPINE311-GCC-598616
Introduced through: gcc/libstdc++@9.2.0-r4, gcc/libgcc@9.2.0-r4
From: gcc/libstdc++@9.2.0-r4
From: gcc/libgcc@9.2.0-r4 > gcc/libstdc++@9.2.0-r4
From: gcc/libgcc@9.2.0-r4
Fixed in: 9.3.0-r0
✗ High severity vulnerability found in busybox/busybox
Description: Improper Handling of Exceptional Conditions
Info: https://snyk.io/vuln/SNYK-ALPINE311-BUSYBOX-1090152
Introduced through: busybox/busybox@1.31.1-r9, alpine-baselayout/alpine-baselayout@3.2.0-r3, bash/bash@5.0.11-r1, ca-certificates/ca-certificates@20191127-r2, busybox/ssl_client@1.31.1-r9
From: busybox/busybox@1.31.1-r9
From: alpine-baselayout/alpine-baselayout@3.2.0-r3 > busybox/busybox@1.31.1-r9
From: bash/bash@5.0.11-r1 > busybox/busybox@1.31.1-r9
and 2 more...
Image layer: '/bin/sh -c apk add --no-cache git openssh bash'
Fixed in: 1.31.1-r10
I think these are all related to alpine packaged software, installed directly or indirectly in the theia-docker Dockerfile. The node version we target determines the version of the alpine-based node image we start FROM. That's the only "control" we have to play with. The software installed from alpine packages, using apk, gives no control over the version that will be installed. E.g.:
RUN apk add --no-cache git openssh bash
So I think the only thing we could try is to step up the node version to a later 12.x, that we can hope will come with an apk software repository that has updated software, patched for the above vulnerabilities. Failing that, we can hope this will be fixed when we eventually switch to node 14.x - but that needs to wait until Eclipse Theia does.
PRs welcome.
There is an alternative: we have example images in this repo that do not consume the node docker image, which is the ultimate source of the vulnerable alpine packaged software. I believe that ubuntu repositories actively patch vulnerable software, so that when we rebuild an image, we would get up-to-date, secure software. At least momentarily.
For example, this image could be used as inspiration, instead: https://github.com/theia-ide/theia-apps/blob/master/theia-cpp-docker/Dockerfile
BTW, these images we have in this repo are only maintained as examples, probably not suited for production use.
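The thread's two practical questions are "which image layer pulled in the flagged packages?" and "after rebuilding on a newer node/alpine base, are the installed versions at or above the scanner's 'Fixed in' versions?". The script below is an added triage example, not part of the theia-apps repo or of Snyk's tooling: it parses the Snyk text report quoted above (a constructed sample that reuses three of the findings), groups packages by the introducing layer, derives the highest required version per package, and compares that against a constructed `apk info -v`-style listing from a rebuilt image. The Alpine version ordering it implements is a simplification (dotted numbers, optional letter, optional `_pN`-style suffix, `-rN` release), which is an assumption sufficient for the versions in this report but not a full reimplementation of apk's rules.

```python
"""Triage helper for Snyk container-scan text output (added example, not the
theia-apps project's own code).  Groups findings by the image layer that
introduced them and checks installed Alpine package versions against the
scanner's "Fixed in" version, so a rebuilt image can be verified before the
scan is re-run."""
import re
from collections import defaultdict

# Constructed sample: three findings copied from the report in this thread.
SNYK_OUTPUT = """\
✗ High severity vulnerability found in openssl/libcrypto1.1
  Description: Integer Overflow or Wraparound
  Info: https://snyk.io/vuln/SNYK-ALPINE311-OPENSSL-1075738
  Introduced through: openssl/libcrypto1.1@1.1.1g-r0, openssl/libssl1.1@1.1.1g-r0
  From: openssl/libcrypto1.1@1.1.1g-r0
  Image layer: '/bin/sh -c apk add --no-cache git openssh bash'
  Fixed in: 1.1.1j-r0

✗ High severity vulnerability found in openssl/libcrypto1.1
  Description: Improper Certificate Validation
  Info: https://snyk.io/vuln/SNYK-ALPINE311-OPENSSL-1089242
  Introduced through: openssl/libcrypto1.1@1.1.1g-r0
  From: openssl/libcrypto1.1@1.1.1g-r0
  Image layer: '/bin/sh -c apk add --no-cache git openssh bash'
  Fixed in: 1.1.1k-r0

✗ High severity vulnerability found in busybox/busybox
  Description: Improper Handling of Exceptional Conditions
  Info: https://snyk.io/vuln/SNYK-ALPINE311-BUSYBOX-1090152
  Introduced through: busybox/busybox@1.31.1-r9
  From: busybox/busybox@1.31.1-r9
  Image layer: '/bin/sh -c apk add --no-cache git openssh bash'
  Fixed in: 1.31.1-r10
"""

HEADER = re.compile(r"^✗ (\w+) severity vulnerability found in (\S+)$")
FIELD = re.compile(r"^\s*([A-Za-z ]+): (.*)$")


def parse_findings(text):
    """Split the text report into one dict per '✗ ... found in' block."""
    findings, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"severity": m.group(1), "package": m.group(2)}
            findings.append(current)
            continue
        m = FIELD.match(line)
        if m and current is not None:
            current[m.group(1).strip().lower()] = m.group(2).strip()
    return findings


def parse_apk_version(v):
    """Simplified Alpine version key (assumption: enough for these reports).
    Handles '1.1.1g-r0', '1.31.1-r10' and '8.1_p1-r0'; pre-release suffixes
    such as _rc are NOT ordered the way apk orders them."""
    m = re.match(r"^(\d+(?:\.\d+)*)([a-z])?(?:_([a-z]+)(\d*))?(?:-r(\d+))?$", v)
    if not m:
        raise ValueError(f"unrecognised apk version: {v}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    letter = m.group(2) or ""
    suffix = (m.group(3) or "", int(m.group(4) or 0))
    release = int(m.group(5) or 0)
    return (nums, letter, suffix, release)


def is_patched(installed, fixed):
    """True when the installed version is at or above the 'Fixed in' version."""
    return parse_apk_version(installed) >= parse_apk_version(fixed)


def required_versions(findings):
    """Per package, the highest 'Fixed in' version across all its findings."""
    req = {}
    for f in findings:
        pkg, fixed = f["package"], f.get("fixed in")
        if fixed and (pkg not in req or not is_patched(req[pkg], fixed)):
            req[pkg] = fixed
    return req


def findings_by_layer(findings):
    """Map each Dockerfile layer (as reported) to the packages it introduced."""
    by_layer = defaultdict(set)
    for f in findings:
        by_layer[f.get("image layer", "<unknown>")].add(f["package"])
    return {layer: sorted(pkgs) for layer, pkgs in by_layer.items()}


def verify_installed(installed, req):
    """installed: {'libcrypto1.1': '1.1.1k-r0', ...} as listed by `apk info -v`
    in the rebuilt image (constructed here).  Returns packages still below the
    required version, as {snyk_name: (installed_or_None, fixed_in)}."""
    still_vulnerable = {}
    for pkg, fixed in req.items():
        name = pkg.split("/")[-1]  # Snyk names packages as origin/package
        have = installed.get(name)
        if have is None or not is_patched(have, fixed):
            still_vulnerable[pkg] = (have, fixed)
    return still_vulnerable


if __name__ == "__main__":
    findings = parse_findings(SNYK_OUTPUT)
    for layer, pkgs in findings_by_layer(findings).items():
        print(f"layer {layer}: {', '.join(pkgs)}")
    req = required_versions(findings)
    # Constructed listing from a hypothetical rebuilt image.
    rebuilt = {"libcrypto1.1": "1.1.1k-r0", "busybox": "1.31.1-r9"}
    print("still vulnerable:", verify_installed(rebuilt, req))
```

In practice the `installed` dictionary comes from running `apk info -v` inside the rebuilt image and splitting each `name-version` line, and the report text comes from `snyk container test` run with plain text output. The script only tells you whether the repo that the new base image points at actually carried the patched versions, which is exactly the uncertainty raised above about bumping the node version.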