Fix/SK-1318 | Fixed critical security vulnerability #847 (zlib) (#787)

* Install zlib version 1.3.1 * Run trivy scan when pushing to this branch (for testing) * Upload trivy scan results when pushing to this branch * Check zlib version * Clear trivy cache * Fix clear cache command * Run Trivy scan on image built from this branch * Remove code to clear cache * Added CVE-2023-45853 to trivyignore * Run trivy scan on master * Upgrade packages in runtime stage * Remove warning about case mismatch * Final check zlib version on GitHub * Remove print of zlib version * Restore settings for when Trivy scan is run * Added link to PR
scaleoutsystems · Jan 22, 2025 · 68d946c · 68d946c
1 parent 449e6a3
commit 68d946c
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 3 deletions.
diff --git a/.github/workflows/build-containers.yaml b/.github/workflows/build-containers.yaml
@@ -53,7 +53,7 @@ jobs:
           tags: ${{ steps.meta1.outputs.tags }}
           labels: ${{ steps.meta1.outputs.labels }}
           file: Dockerfile
-      
+
       # if push to master of release, run trivy scan on the image
       - name: Trivy scan
         if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }}

diff --git a/.trivyignore b/.trivyignore
@@ -0,0 +1,9 @@
+# zlib version 1:1.3.dfsg+really1.3.1-1+b1 is installed from Debian Testing (Trixie) repository,
+# but Trivy assumes an older version of zlib because base image uses Debian Bookworm and
+# therefore raises the vulnerability alert CVE-2023-45853.
+# 
+# See this discussion about a similar issue: https://github.com/aquasecurity/trivy/discussions/6059
+# 
+# Ignoring this vulnerability since it is fixed in this PR: https://github.com/scaleoutsystems/fedn/pull/787
+# 
+CVE-2023-45853
diff --git a/Dockerfile b/Dockerfile
@@ -1,12 +1,21 @@
 # Stage 1: Builder
 ARG BASE_IMG=python:3.12-slim
-FROM $BASE_IMG as builder
+FROM $BASE_IMG AS builder
 
 ARG GRPC_HEALTH_PROBE_VERSION=""
 ARG REQUIREMENTS=""
 
 WORKDIR /build
 
+# Temporarily add the Debian Testing repository to install zlib1g 1:1.3.dfsg+really1.3.1-1+b1 (fixed CVE-2023-45853)
+# Both zlib1g and zlib1g-dev are installed in the builder stage.
+RUN echo "deb http://deb.debian.org/debian testing main" > /etc/apt/sources.list.d/testing.list \
+  && apt-get update \
+  && apt-get install -y --no-install-recommends -t testing zlib1g=1:1.3.dfsg+really1.3.1-1+b1 zlib1g-dev=1:1.3.dfsg+really1.3.1-1+b1 \
+  && rm -rf /etc/apt/sources.list.d/testing.list \
+  && apt-get clean \
+  && rm -rf /var/lib/apt/lists/*
+
 # Install build dependencies
 RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends python3-dev gcc wget \
   && rm -rf /var/lib/apt/lists/*
@@ -49,12 +58,19 @@ RUN set -ex \
   # Creare application specific tmp directory, set ENV TMPDIR to /app/tmp
   && mkdir -p /app/tmp \
   && chown -R appuser:appgroup /venv /app \
-  # Upgrade the package index and install security upgrades
+  # Temporarily add the Debian Testing repository to install zlib1g 1:1.3.dfsg+really1.3.1-1+b1 (fixed CVE-2023-45853)
+  && echo "deb http://deb.debian.org/debian testing main" > /etc/apt/sources.list.d/testing.list \
+  && apt-get update \
+  && apt-get install -y --no-install-recommends -t testing zlib1g=1:1.3.dfsg+really1.3.1-1+b1 \
+  && rm -rf /etc/apt/sources.list.d/testing.list \
+  # Update package index and upgrade all installed packages
   && apt-get update \
   && apt-get upgrade -y \
+  # Clean up
   && apt-get autoremove -y \
   && apt-get clean -y \
   && rm -rf /var/lib/apt/lists/*
+
 USER appuser
 
 ENTRYPOINT [ "/venv/bin/fedn" ]