-
Notifications
You must be signed in to change notification settings - Fork 107
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(ci): add Docker Scout vulnerabilities scanning #8871
Conversation
Need a workaround for: docker/scout-action#16 |
🔍 Vulnerabilities of
|
digest | sha256:d4f9be543302575ccca3903731fb4495eb349d67e2d8b5d228b1a1ad1eaaf4d5 |
vulnerabilities | |
size | 106 MB |
packages | 114 |
📦 Base Image debian:12-slim
also known as |
|
digest | sha256:903d3225acecaa272bbdd7273c6c312c2af8b73644058838d23a8c9e6e5c82cf |
vulnerabilities |
stdlib
|
Affected range | <1.21.11 |
Fixed version | 1.21.11 |
EPSS Score | 0.06% |
EPSS Percentile | 28th percentile |
Description
The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms.
Affected range | <1.19.9 |
Fixed version | 1.19.9 |
EPSS Score | 0.26% |
EPSS Percentile | 66th percentile |
Description
Not all valid JavaScript whitespace characters are considered to be whitespace. Templates containing whitespace characters outside of the character set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain actions may not be properly sanitized during execution.
Affected range | <1.19.10 |
Fixed version | 1.19.10 |
EPSS Score | 0.08% |
EPSS Percentile | 35th percentile |
Description
On Unix platforms, the Go runtime does not behave differently when a binary is run with the setuid/setgid bits. This can be dangerous in certain cases, such as when dumping memory state, or assuming the status of standard i/o file descriptors.
If a setuid/setgid binary is executed with standard I/O file descriptors closed, opening any files can result in unexpected content being read or written with elevated privileges. Similarly, if a setuid/setgid program is terminated, either via panic or signal, it may leak the contents of its registers.
Affected range | <1.22.7 |
Fixed version | 1.22.7 |
EPSS Score | 0.04% |
EPSS Percentile | 16th percentile |
Description
Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.
Affected range | <1.22.7 |
Fixed version | 1.22.7 |
EPSS Score | 0.04% |
EPSS Percentile | 16th percentile |
Description
Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.
Affected range | <1.21.12 |
Fixed version | 1.21.12 |
EPSS Score | 0.04% |
EPSS Percentile | 16th percentile |
Description
The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail.
An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.
Affected range | <1.21.8 |
Fixed version | 1.21.8 |
EPSS Score | 0.04% |
EPSS Percentile | 11th percentile |
Description
The ParseAddressList function incorrectly handles comments (text within parentheses) within display names. Since this is a misalignment with conforming address parsers, it can result in different trust decisions being made by programs using different parsers.
Affected range | <1.21.9 |
Fixed version | 1.21.9 |
EPSS Score | 0.04% |
EPSS Percentile | 14th percentile |
Description
An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames.
Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed.
This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send.
The fix sets a limit on the amount of excess header frames we will process before closing a connection.
Affected range | <1.20.0 |
Fixed version | 1.20.0 |
EPSS Score | 0.07% |
EPSS Percentile | 32nd percentile |
Description
Before Go 1.20, the RSA based TLS key exchanges used the math/big library, which is not constant time. RSA blinding was applied to prevent timing attacks, but analysis shows this may not have been fully effective. In particular it appears as if the removal of PKCS#1 padding may leak timing information, which in turn could be used to recover session key bits.
In Go 1.20, the crypto/tls library switched to a fully constant time RSA implementation, which we do not believe exhibits any timing side channels.
Affected range | <1.20.11 |
Fixed version | 1.20.11 |
EPSS Score | 0.10% |
EPSS Percentile | 42nd percentile |
Description
The filepath package does not recognize paths with a ??\ prefix as special.
On Windows, a path beginning with ??\ is a Root Local Device path equivalent to a path beginning with \?. Paths with a ??\ prefix may be used to access arbitrary locations on the system. For example, the path ??\c:\x is equivalent to the more common path c:\x.
Before fix, Clean could convert a rooted path such as \a..??\b into the root local device path ??\b. Clean will now convert this to .??\b.
Similarly, Join(, ??, b) could convert a seemingly innocent sequence of path elements into the root local device path ??\b. Join will now convert this to .??\b.
In addition, with fix, IsAbs now correctly reports paths beginning with ??\ as absolute, and VolumeName correctly reports the ??\ prefix as a volume name.
UPDATE: Go 1.20.11 and Go 1.21.4 inadvertently changed the definition of the volume name in Windows paths starting with ?, resulting in filepath.Clean(?\c:) returning ?\c: rather than ?\c:\ (among other effects). The previous behavior has been restored.
Affected range | <1.20.10 |
Fixed version | 1.20.10 |
EPSS Score | 81.33% |
EPSS Percentile | 98th percentile |
Description
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing.
With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection.
This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2.
The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.
Affected range | <1.20.10 |
Fixed version | 1.20.10 |
EPSS Score | 0.25% |
EPSS Percentile | 65th percentile |
Description
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing.
With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection.
This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2.
The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function.
Affected range | <1.22.7 |
Fixed version | 1.22.7 |
EPSS Score | 0.19% |
EPSS Percentile | 56th percentile |
Description
Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.
Affected range | <1.19.9 |
Fixed version | 1.19.9 |
EPSS Score | 0.14% |
EPSS Percentile | 50th percentile |
Description
Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}") executed with empty input can result in output with unexpected results when parsed due to HTML normalization rules. This may allow injection of arbitrary attributes into tags.
Affected range | <1.19.9 |
Fixed version | 1.19.9 |
EPSS Score | 0.14% |
EPSS Percentile | 50th percentile |
Description
Angle brackets (<>) are not considered dangerous characters when inserted into CSS contexts. Templates containing multiple actions separated by a '/' character can result in unexpectedly closing the CSS context and allowing for injection of unexpected HTML, if executed with untrusted input.
Overview
Environment Variables (1 changes)
+APP_HOME=/opt/zebrad
FEATURES=default-release-binaries
GID=10001
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
UID=10001
USER=zebra
ZEBRA_CONF_DIR=/etc/zebrad
ZEBRA_CONF_FILE=zebrad.toml Labels (3 changes)
-org.opencontainers.image.created=2024-08-28T12:08:34.422Z
+org.opencontainers.image.created=2024-09-19T11:30:03.656Z
org.opencontainers.image.description=Zcash - Financial Privacy in Rust 🦓
org.opencontainers.image.licenses=Apache-2.0
-org.opencontainers.image.revision=bf4d253897bb3d67cecea6e73562cbe111e2b7f2
+org.opencontainers.image.revision=6dbc86e75e4c2c61cdc96bb9e0e690a5fcfc5243
org.opencontainers.image.source=https://github.com/ZcashFoundation/zebra
org.opencontainers.image.title=zebra
org.opencontainers.image.url=https://github.com/ZcashFoundation/zebra
-org.opencontainers.image.version=1.9.0
+org.opencontainers.image.version=pr-8871 Packages and Vulnerabilities (9 package changes and 0 vulnerability changes)
Changes for packages of type
|
Package | Versionzfnd/zebra:latest |
Versionus-docker.pkg.dev/zfnd-dev-zebra/zebra/zebrad:pr-8871 |
|
---|---|---|---|
♾️ | base-files | 12.4+deb12u6 |
12.4+deb12u7 |
♾️ | curl | 7.88.1-10+deb12u6 |
7.88.1-10+deb12u7 |
♾️ | libc-bin | 2.36-9+deb12u7 |
2.36-9+deb12u8 |
♾️ | libc6 | 2.36-9+deb12u7 |
2.36-9+deb12u8 |
♾️ | libcurl4 | 7.88.1-10+deb12u6 |
7.88.1-10+deb12u7 |
♾️ | libssl3 | 3.0.13-1~deb12u1 |
3.0.14-1~deb12u2 |
♾️ | libsystemd0 | 252.26-1~deb12u2 |
252.30-1~deb12u2 |
♾️ | libudev1 | 252.26-1~deb12u2 |
252.30-1~deb12u2 |
♾️ | openssl | 3.0.13-1~deb12u1 |
3.0.14-1~deb12u2 |
47e1a24
to
8062b04
Compare
25bdd92
to
f6b305f
Compare
Co-authored-by: Marek <[email protected]>
…8871) * feat(ci): add Docker Scout vulnerabilities scanning * fix(scout): add missing `environment` command Co-authored-by: Marek <[email protected]> --------- Co-authored-by: Marek <[email protected]>
Motivation
We must avoid publishing new releases without being fully aware of any new vulnerabilities that might be introduced into the image. This ensures we have visibility and can take the necessary actions, such as updating our READMEs, fixing the vulnerabilities, or implementing any other required measures.
Specifications & References
Solution
Release
PR until we can have a better implementation with Theignore-base
,ignore-unchanged
,only-fixed
,only-severities
parameters should add-up together docker/scout-action#56prod
,stage
anddev
environment for future reference https://docs.docker.com/reference/cli/docker/scout/environment/Tests
Follow-up Work
ignore-base
,ignore-unchanged
,only-fixed
,only-severities
parameters should add-up together docker/scout-action#56PR Author's Checklist
PR Reviewer's Checklist