zowe / api-layer

The API Mediation Layer provides a single point of access for mainframe service REST APIs.
Eclipse Public License 2.0

Limit the ability of the integration testing containers to craft raw network packets #3229

Open balhar-jakub opened 9 months ago

balhar-jakub commented 9 months ago

Analysis

The containers actually created and used are used only for potential development. As such the risk is very limited.

Description

The Docker container requests the NET_RAW capability, either explicitly or by default, granting access to the host's network interfaces.

Related To: CWE-269, Broken Access Control, Insecure Design, 2020 CWE On the Cusp, 2021 OWASP Top 10, 2017 OWASP Top 10, PCI DSS 2018, 2019 CWE Top 25, 2020 CWE Top 25, 3 Technical Risk Indicators

Domain SAST

Tool Coverity 2022.6.0

Run Coverity Sep 13, 2022, 10:29 AM

Severity H High

Affected: api-layer/docker/*/docker-compose.yml (all yml docker files)

Recommended fix:

docker-compose.yml

1. The Docker container requests the `NET_RAW` capability, either explicitly or by default, granting access to the host's network interfaces.
2. Explicitly remove the `NET_RAW` capability by adding either `NET_RAW` or `ALL` to the `cap_drop` list and avoiding the `NET_RAW` capability in the `cap_add` list.

```yaml
    api-catalog-services-2:
        image: ghcr.io/zowe/api-catalog-services:latest
        cap_drop:
            - NET_RAW   # drops the default NET_RAW capability as recommended above
        volumes:
            - ../../config/docker/api-defs-shared:/api-defs
```

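The recommended fix has to be applied to every service in every `docker/*/docker-compose.yml`, and it is easy to miss one. The script below is an added example (not part of this issue or of the api-layer project) that audits compose files for services that would still run with `NET_RAW`: it flags a service when `NET_RAW` is added via `cap_add`, or when neither `NET_RAW` nor `ALL` appears in `cap_drop` (Docker grants `NET_RAW` by default). The sample compose text is constructed for the example, modelled on the snippet above; the `debug-helper` service and the `-1` suffix are illustrative, not names from the repository. To avoid a PyYAML dependency it uses a small hand-written parser for the subset of YAML these compose files use (indented mappings and lists of scalars); that parser is an assumption of the example and is not a general YAML parser.

```python
"""Audit docker-compose services for the NET_RAW capability (added example)."""
import sys
from typing import Any

# Constructed sample, modelled on the api-layer compose layout quoted in the issue.
# Service 1 relies on the default capability set, service 2 applies the recommended
# fix, and the (illustrative) debug-helper drops ALL but adds NET_RAW back.
SAMPLE_COMPOSE = """\
services:
    api-catalog-services-1:
        image: ghcr.io/zowe/api-catalog-services:latest
        volumes:
            - ../../config/docker/api-defs-shared:/api-defs
    api-catalog-services-2:
        image: ghcr.io/zowe/api-catalog-services:latest
        cap_drop:
            - NET_RAW
        volumes:
            - ../../config/docker/api-defs-shared:/api-defs
    debug-helper:
        image: example/debug:latest
        cap_drop:
            - ALL
        cap_add:
            - NET_RAW
"""


def parse_yaml_subset(text: str) -> dict:
    """Parse the YAML subset compose files use here: nested 'key: value' mappings
    and lists of scalar '- item' lines, indented with spaces.
    Assumption: list items are indented deeper than their key (as in the issue).
    This is deliberately minimal and is not a general YAML parser."""
    items = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue  # skip blank lines and full-line comments
        items.append((len(raw) - len(raw.lstrip(" ")), stripped))

    def parse_at(i: int, indent: int):
        if items[i][1].startswith("- "):           # list of scalars
            out: Any = []
            while i < len(items) and items[i][0] == indent and items[i][1].startswith("- "):
                out.append(items[i][1][2:].strip())
                i += 1
            return out, i
        out = {}                                   # mapping
        while i < len(items) and items[i][0] == indent:
            key, _, value = items[i][1].partition(":")   # first ':' only, so
            i += 1                                        # image tags survive
            if value.strip():
                out[key.strip()] = value.strip()
            elif i < len(items) and items[i][0] > indent:
                out[key.strip()], i = parse_at(i, items[i][0])
            else:
                out[key.strip()] = None
        return out, i

    return parse_at(0, items[0][0])[0] if items else {}


def _norm(cap: str) -> str:
    """Normalise capability spelling: Docker accepts both NET_RAW and CAP_NET_RAW."""
    cap = cap.strip().upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def audit_compose(text: str) -> list:
    """Return (service, reason) for every service that would run with NET_RAW.
    A service is clean only if cap_drop contains NET_RAW or ALL and cap_add does
    not add NET_RAW back (cap_add is applied after cap_drop)."""
    findings = []
    services = parse_yaml_subset(text).get("services") or {}
    for name, spec in services.items():
        spec = spec if isinstance(spec, dict) else {}
        cap_add = {_norm(c) for c in (spec.get("cap_add") or [])}
        cap_drop = {_norm(c) for c in (spec.get("cap_drop") or [])}
        if "NET_RAW" in cap_add:
            findings.append((name, "NET_RAW is explicitly added in cap_add"))
        elif not cap_drop & {"NET_RAW", "ALL"}:
            findings.append((name, "NET_RAW kept by default; add NET_RAW or ALL to cap_drop"))
    return findings


def audit_paths(paths: list) -> dict:
    """Audit compose files on disk, e.g. glob('docker/*/docker-compose.yml')."""
    results = {}
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            results[path] = audit_compose(fh.read())
    return results


if __name__ == "__main__":
    # With file arguments audit those files; otherwise run on the constructed sample.
    report = audit_paths(sys.argv[1:]) if len(sys.argv) > 1 else {"<sample>": audit_compose(SAMPLE_COMPOSE)}
    for path, findings in report.items():
        for service, reason in findings:
            print(f"{path}: {service}: {reason}")
```

Run with no arguments it reports `api-catalog-services-1` (default capability set) and `debug-helper` (explicit `cap_add`), and stays silent for `api-catalog-services-2`; pass the repository's compose files as arguments to check them in CI.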
github-actions[bot] commented 6 months ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

github-actions[bot] commented 5 months ago

This issue has been automatically closed due to lack of activity. If you disagree, please comment on the reason why and reopen the issue.