wmo-im / wis2box

WIS2 in a box is a reference implementation of a WMO WIS2 Node
https://docs.wis2box.wis.wmo.int
Apache License 2.0

add security scanners for containers #652

Open tomkralidis opened 7 months ago

tomkralidis commented 7 months ago

Add trivy via GitHub Actions in order to scan containers for vulnerabilities.

maaikelimper commented 5 months ago

I ran trivy on the wis2box-api, it found one issue with severity=HIGH https://github.com/wmo-im/wis2box-api/actions/runs/9615735356/job/26523621849

maaikelimper commented 5 months ago

question: should the GHA only fail on severity=CRITICAL ?

tomkralidis commented 5 months ago

1. can we update wmo-im/dim_eccodes_baseimage to 22.04 ?
2. we should be checking for severity: CRITICAL,HIGH

maaikelimper commented 5 months ago

Add trivy.yml to PR: https://github.com/wmo-im/wis2box/pull/699

wis2box-management passes

wis2box-api, wis2box-ui and wis2box-webapp fail

maaikelimper commented 5 months ago

@tomkralidis how to proceed ?

tomkralidis commented 5 months ago
maaikelimper commented 5 months ago

after updating dim_eccodes_baseimage to use Ubuntu 22.04, wis2box-api now passes the vulnerability scan.

tomkralidis commented 4 months ago

2024-07-24:

tomkralidis commented 3 months ago

2024-08-14:

maaikelimper commented 1 month ago

This task is quite difficult due to the many images and upstream dependencies.

Certain packages have no active developers like wis2box-ui, for which the node-version in the base-image needs to be updated, which I'm hesitant to do as there is a high risk of additional work required when doing so due to downstream dependencies.

New vulnerabilities can be discovered over time, so we would require continuous updates to make this security scanner pass.

Each vulnerability found needs to be carefully studied as many do not appear to be relevant as actual security concerns as they depend on specific features that we may not use.

https://avd.aquasec.com/nvd/2024/cve-2024-24790/

The scan itself regularly fails with the error:

INFO    Downloading DB...   repository="ghcr.io/aquasecurity/trivy-db:2"
FATAL   Fatal error init error: DB error: failed to download vulnerability DB: database download error: oci download error: failed to fetch the layer: GET https://ghcr.io/v2/aquasecurity/trivy-db/blobs/sha256:87e047864d32eef3ebb29deeaf1ed1167cfa4a1c6f0eeda8feb904ef5e1a66c7: TOOMANYREQUESTS: retry-after: 262.796µs, allowed: 44000/minute

A manual re-run often works around this, but it has to be noted that adding this GitHub-action will introduce significant additional work for developers for each new PR to pass this test.

maaikelimper commented 4 weeks ago

In order to make this task more manageable I will add the trivy scans (and resolve vulnerabilities) to images built outside of this repo, namely: wis2box-api, wis2box-ui, wis2box-webapp

Then I can reduce the number of trivy scans required to be added in this repo

maaikelimper commented 3 weeks ago

FYI, I found a workaround for the TOOMANYREQUESTS issue by setting a different TRIVY_DB_REPOSITORY in the env
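For readers following this thread, here is an added example GitHub Actions workflow that puts the pieces discussed above together: a Trivy image scan that fails the job on severity CRITICAL,HIGH (as requested earlier in the thread), with TRIVY_DB_REPOSITORY set in the job environment as the workaround for the TOOMANYREQUESTS error when downloading the vulnerability DB from ghcr.io. This is illustrative code and is not the project's trivy.yml from the linked PR or code posted by either participant. The image references, the trivy-action version pin, the DB mirror value and the .trivyignore path are assumptions for illustration; adapt them to the images actually built by the repository.

```yaml
# Example workflow (assumed file name .github/workflows/trivy.yml), not the project's own.
name: trivy

on:
  pull_request:
  push:
    branches: [main]

jobs:
  scan:
    runs-on: ubuntu-latest
    strategy:
      # keep scanning the remaining images even if one fails
      fail-fast: false
      matrix:
        image:
          # assumed image references; replace with the images this repo builds
          - ghcr.io/wmo-im/wis2box-management:latest
          - ghcr.io/wmo-im/wis2box-api:latest
          - ghcr.io/wmo-im/wis2box-ui:latest
          - ghcr.io/wmo-im/wis2box-webapp:latest
    env:
      # Workaround for "TOOMANYREQUESTS" from ghcr.io: Trivy reads TRIVY_DB_REPOSITORY
      # and fetches the vulnerability DB from this registry instead.
      # The mirror value is an assumption; use whichever mirror your runners can reach.
      TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
    steps:
      - uses: actions/checkout@v4

      - name: Scan container image
        # version pin is an assumption; pin to a release your team has reviewed
        uses: aquasecurity/trivy-action@0.24.0
        with:
          image-ref: ${{ matrix.image }}
          format: table
          # non-zero exit code makes the job fail when findings match the filters below
          exit-code: '1'
          # skip findings with no fixed version upstream; they cannot be resolved by a rebuild
          ignore-unfixed: true
          vuln-type: os,library
          severity: CRITICAL,HIGH
          # assumed path: one CVE id per line, each with a comment recording why it is accepted
          trivyignores: .trivyignore
```

The `ignore-unfixed` filter and the `.trivyignore` file are the two knobs for the "not relevant in our usage" cases raised above; a suppressed CVE should always carry a written justification next to its entry so it can be revisited when the image is rebuilt.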

tomkralidis commented 3 weeks ago

FYI we will need a trivy GHA setup for https://github.com/wmo-im/wis2box-auth as well.