Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Multible Findings with Trivy Scanner #925

Closed
ksvenee opened this issue Jun 27, 2024 · 15 comments
Closed

Multible Findings with Trivy Scanner #925

ksvenee opened this issue Jun 27, 2024 · 15 comments

Comments

@ksvenee
Copy link

ksvenee commented Jun 27, 2024

Summary

Details

  1. sudo docker pull aquasec/trivy
  2. sudo docker pull ltbproject/self-service-password
  3. sudo docker run --rm --user root --network host -v /tmp/:/.cache -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy image ltbproject/self-service-password

Full Report

2024-06-27_2303result.json

@coudot coudot added this to the Backlog milestone Jun 28, 2024
@coudot
Copy link
Member

coudot commented Jun 28, 2024

Throwing a scanner report is not really helpful.

If you find a security issue that is exploitable for Self Service Password, please send a mail to [email protected]

@Skaronator
Copy link

While I agree that automated security scanning has limited utility and enforcing a zero CVE policy is, in my opinion, misguided, the sheer number of CVEs found in the container image is absurdly high. The breakdown shows 6 Critical, 178 High, 1124 Medium, 634 Low, and 32 Unknown vulnerabilities.

Furthermore, the container image seems quite bloated, measuring 380.53 MB for a PHP application. Switching to Alpine Linux would almost certainly eliminate 95% of the identified CVEs and reduce the container image size by at least 50%.

@coudot
Copy link
Member

coudot commented Jul 3, 2024

I agree, contribution is welcome!

@Skaronator
Copy link

We're looking internally if we can do a contribution :)

@coudot
Copy link
Member

coudot commented Jul 3, 2024

As @davidcoutadeur noticed, maybe using more recent dependencies in the docker would improve a lot the security. See #935

@coudot
Copy link
Member

coudot commented Jul 3, 2024

You can review and contribute to #932

@LaurinStreng
Copy link

@coudot i have changed it locally (from main) to alpine don't have the rights to change the files in #932
Could you change the permission, so I can edit it? I also need to adapt my changes to the code in #932, but it should be done tomorrow if I have permission to change it :)

@findlayfeng
Copy link
Contributor

我可以提供 以alpine 为基础的镜像,但是我认为因该保留旧的镜像,因为不同的操作系统对一些细节的处理并不一致,直接切换可能会导致一些环境的注入内容失效,比如注入的自签名证书的ca

I can provide an image based on alpine, but I think the old image should be kept because different operating systems handle some details differently. Direct switching may cause the injected content of some environments to fail, such as the ca of the injected self-signed certificate.

@coudot
Copy link
Member

coudot commented Jul 4, 2024

Could you change the permission, so I can edit it?

I can't do that. You can propose another PR.

We currently use as base image php:8.2-apache which seem a good choice for a PHP application. I agree to increase the PHP version of course. I don't think this base image contain vulnerabilities but if so, they should be reported to the maintainers of this image.

@Skaronator
Copy link

@coudot We've submitted a draft pull request (#937) that switches the base container image from Debian to Alpine. This change addresses the majority, if not all, of the identified security concerns by trivy.

Our team will conduct additional internal testing to ensure full functionality before finalizing the pull request.

@findlayfeng
Copy link
Contributor

You can review and contribute to #932

我提供了 以Alpine为基础的 镜像,
因为 php 没有提供 alpine 下的 apache 镜像,这边使用了 httpd(apache) 的 alpine 镜像为基础,编译了php(脚本参考了https://github.com/docker-library/php/blob/52062af5056d0cd91fa5ded64fad8f9c82847b49/8.3/alpine3.20/cli/Dockerfile )

I provided an image based on Alpine.
Since php does not provide an apache image under alpine, I used the alpine image of httpd (apache) as the basis and compiled php (the script refers to https://github.com/docker-library/php/blob/52062af5056d0cd91fa5ded64fad8f9c82847b49/8.3/alpine3.20/cli/Dockerfile )

@LaurinStreng
Copy link

@coudot We have finalized our PR and Tested it (#937)

@coudot coudot modified the milestones: Backlog, 1.7.0 Jul 9, 2024
@coudot
Copy link
Member

coudot commented Jul 9, 2024

Thanks we'll have a look for next major version

@davidcoutadeur
Copy link

Hello, we are now providing a Dockerfile for Alpine image.

We have also improved the existing Docker image based on debian.

See here for more info: #947

Both images should reduce drastically the vulnerability detection, so stay tuned for 1.7.0 release.

I close the issue, but if you detect any other vulnerability, please inform us.

@Skaronator
Copy link

Awesome! Thank you and everyone who helped to make this possible.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging a pull request may close this issue.

6 participants