Multible Findings with Trivy Scanner

[ksvenee]

Summary

• Total: 1300 (UNKNOWN: 9, LOW: 316, MEDIUM: 872, HIGH: 100, CRITICAL: 3)
• e.g. CVE-2023-6879
• e.g. CVE-2023-45853

Details

1. sudo docker pull aquasec/trivy
2. sudo docker pull ltbproject/self-service-password
3. sudo docker run --rm --user root --network host -v /tmp/:/.cache -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy image ltbproject/self-service-password

Full Report

2024-06-27_2303result.json

[coudot]

Throwing a scanner report is not really helpful.

If you find a security issue that is exploitable for Self Service Password, please send a mail to [email protected]

[Skaronator]

While I agree that automated security scanning has limited utility and enforcing a zero CVE policy is, in my opinion, misguided, the sheer number of CVEs found in the container image is absurdly high. The breakdown shows 6 Critical, 178 High, 1124 Medium, 634 Low, and 32 Unknown vulnerabilities.

Furthermore, the container image seems quite bloated, measuring 380.53 MB for a PHP application. Switching to Alpine Linux would almost certainly eliminate 95% of the identified CVEs and reduce the container image size by at least 50%.

[coudot]

I agree, contribution is welcome!

[Skaronator]

We're looking internally if we can do a contribution :)

[coudot]

As @davidcoutadeur noticed, maybe using more recent dependencies in the docker would improve a lot the security. See #935

[coudot]

You can review and contribute to #932

[LaurinStreng]

@coudot i have changed it locally (from main) to alpine don't have the rights to change the files in #932
Could you change the permission, so I can edit it? I also need to adapt my changes to the code in #932, but it should be done tomorrow if I have permission to change it :)

[findlayfeng]

我可以提供 以alpine 为基础的镜像，但是我认为因该保留旧的镜像，因为不同的操作系统对一些细节的处理并不一致，直接切换可能会导致一些环境的注入内容失效，比如注入的自签名证书的ca

I can provide an image based on alpine, but I think the old image should be kept because different operating systems handle some details differently. Direct switching may cause the injected content of some environments to fail, such as the ca of the injected self-signed certificate.

[coudot]

Could you change the permission, so I can edit it?

I can't do that. You can propose another PR.

We currently use as base image php:8.2-apache which seem a good choice for a PHP application. I agree to increase the PHP version of course. I don't think this base image contain vulnerabilities but if so, they should be reported to the maintainers of this image.

[Skaronator]

@coudot We've submitted a draft pull request (#937) that switches the base container image from Debian to Alpine. This change addresses the majority, if not all, of the identified security concerns by trivy.

Our team will conduct additional internal testing to ensure full functionality before finalizing the pull request.

[findlayfeng]

You can review and contribute to #932

我提供了 以Alpine为基础的 镜像，
因为 php 没有提供 alpine 下的 apache 镜像，这边使用了 httpd(apache) 的 alpine 镜像为基础，编译了php(脚本参考了https://github.com/docker-library/php/blob/52062af5056d0cd91fa5ded64fad8f9c82847b49/8.3/alpine3.20/cli/Dockerfile )

I provided an image based on Alpine.
Since php does not provide an apache image under alpine, I used the alpine image of httpd (apache) as the basis and compiled php (the script refers to https://github.com/docker-library/php/blob/52062af5056d0cd91fa5ded64fad8f9c82847b49/8.3/alpine3.20/cli/Dockerfile )

[LaurinStreng]

@coudot We have finalized our PR and Tested it (#937)

[coudot]

Thanks we'll have a look for next major version

[davidcoutadeur]

Hello, we are now providing a Dockerfile for Alpine image.

We have also improved the existing Docker image based on debian.

See here for more info: #947

Both images should reduce drastically the vulnerability detection, so stay tuned for 1.7.0 release.

I close the issue, but if you detect any other vulnerability, please inform us.

[Skaronator]

Awesome! Thank you and everyone who helped to make this possible.