From 68d946cd8ada6cc6a4864f45c36fcd94358f3ce8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Benjamin=20=C3=85strand?= <112588563+benjaminastrand@users.noreply.github.com> Date: Wed, 22 Jan 2025 12:37:35 +0100 Subject: [PATCH] Fix/SK-1318 | Fixed critical security vulnerability #847 (zlib) (#787) * Install zlib version 1.3.1 * Run trivy scan when pushing to this branch (for testing) * Upload trivy scan results when pushing to this branch * Check zlib version * Clear trivy cache * Fix clear cache command * Run Trivy scan on image built from this branch * Remove code to clear cache * Added CVE-2023-45853 to trivyignore * Run trivy scan on master * Upgrade packages in runtime stage * Remove warning about case mismatch * Final check zlib version on GitHub * Remove print of zlib version * Restore settings for when Trivy scan is run * Added link to PR --- .github/workflows/build-containers.yaml | 2 +- .trivyignore | 9 +++++++++ Dockerfile | 20 ++++++++++++++++++-- 3 files changed, 28 insertions(+), 3 deletions(-) create mode 100644 .trivyignore
diff --git a/.github/workflows/build-containers.yaml b/.github/workflows/build-containers.yaml
index 6c33e90c8..9dc27fb65 100644
--- a/.github/workflows/build-containers.yaml
+++ b/.github/workflows/build-containers.yaml
@@ -53,7 +53,7 @@ jobs:
 tags: ${{ steps.meta1.outputs.tags }}
 labels: ${{ steps.meta1.outputs.labels }}
 file: Dockerfile
-
+
 # if push to master of release, run trivy scan on the image
 - name: Trivy scan
 if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }}
diff --git a/.trivyignore b/.trivyignore
new file mode 100644
index 000000000..7b99c9385
--- /dev/null
+++ b/.trivyignore
@@ -0,0 +1,9 @@
+# zlib version 1:1.3.dfsg+really1.3.1-1+b1 is installed from Debian Testing (Trixie) repository,
+# but Trivy assumes an older version of zlib because base image uses Debian Bookworm and
+# therefore raises the vulnerability alert CVE-2023-45853.
+#
+# See this discussion about a similar issue: https://github.com/aquasecurity/trivy/discussions/6059
+#
+# Ignoring this vulnerability since it is fixed in this PR: https://github.com/scaleoutsystems/fedn/pull/787
+#
+CVE-2023-45853
\ No newline at end of file
diff --git a/Dockerfile b/Dockerfile
index 169fc5097..348beb747 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,12 +1,21 @@
 # Stage 1: Builder
 ARG BASE_IMG=python:3.12-slim
-FROM $BASE_IMG as builder
+FROM $BASE_IMG AS builder
 ARG GRPC_HEALTH_PROBE_VERSION=""
 ARG REQUIREMENTS=""
 WORKDIR /build
+# Temporarily add the Debian Testing repository to install zlib1g 1:1.3.dfsg+really1.3.1-1+b1 (fixed CVE-2023-45853)
+# Both zlib1g and zlib1g-dev are installed in the builder stage.
+RUN echo "deb http://deb.debian.org/debian testing main" > /etc/apt/sources.list.d/testing.list \
+ && apt-get update \
+ && apt-get install -y --no-install-recommends -t testing zlib1g=1:1.3.dfsg+really1.3.1-1+b1 zlib1g-dev=1:1.3.dfsg+really1.3.1-1+b1 \
+ && rm -rf /etc/apt/sources.list.d/testing.list \
+ && apt-get clean \
+ && rm -rf /var/lib/apt/lists/*
+
 # Install build dependencies
 RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends python3-dev gcc wget \
 && rm -rf /var/lib/apt/lists/*
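Review bot: The suppression on the last line of the new file is open-ended, and Trivy's ignore file accepts an expiry, so time-boxing it as `CVE-2023-45853 exp:2025-07-22` (a date aligned with the next base-image review) forces the entry to be revisited instead of permanently hiding any future zlib finding under the same ID. The rationale in the header comment also looks slightly off to me: Trivy does not mis-read the installed version, it reports the CVE because Debian's bookworm tracker lists no fixed zlib1g version, and as far as I can tell Debian treats CVE-2023-45853 as not affecting zlib1g at all because the vulnerable contrib/minizip code is not built into that package. That is worth confirming on the Debian security tracker and stating in the comment, since it changes whether pulling a package from the testing suite is needed in the first place.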
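Review bot: The new `apt-get install ... -t testing zlib1g=1:1.3.dfsg+really1.3.1-1+b1 zlib1g-dev=...` line pins an exact version from a rolling suite, so the build is likely to start failing with a "version not found" error as soon as testing's zlib1g moves on, and the `deb http://deb.debian.org/debian testing main` source above it is what makes the layer non-reproducible. Pointing the temporary source at a dated snapshot instead, e.g. `deb [check-valid-until=no] https://snapshot.debian.org/archive/debian/20250122T000000Z/ testing main`, keeps the pinned version resolvable and makes the image reproducible (the timestamp must be one at which that version was actually in testing; I have not verified the date). A comment on the RUN line saying that the pinned version, the snapshot date and the .trivyignore entry must be revisited together when the base image moves past bookworm would help the next maintainer.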
@@ -49,12 +58,19 @@ RUN set -ex \
 # Creare application specific tmp directory, set ENV TMPDIR to /app/tmp
 && mkdir -p /app/tmp \
 && chown -R appuser:appgroup /venv /app \
- # Upgrade the package index and install security upgrades
+ # Temporarily add the Debian Testing repository to install zlib1g 1:1.3.dfsg+really1.3.1-1+b1 (fixed CVE-2023-45853)
+ && echo "deb http://deb.debian.org/debian testing main" > /etc/apt/sources.list.d/testing.list \
+ && apt-get update \
+ && apt-get install -y --no-install-recommends -t testing zlib1g=1:1.3.dfsg+really1.3.1-1+b1 \
+ && rm -rf /etc/apt/sources.list.d/testing.list \
+ # Update package index and upgrade all installed packages
 && apt-get update \
 && apt-get upgrade -y \
+ # Clean up
 && apt-get autoremove -y \
 && apt-get clean -y \
 && rm -rf /var/lib/apt/lists/*
+
 USER appuser
 ENTRYPOINT [ "/venv/bin/fedn" ]
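Review bot: Passing `-t testing` on the added `apt-get install` line makes testing the default release for that whole dependency resolution, so if the pinned zlib1g ever needs a newer dependency (libc6 is the obvious candidate) apt will pull it from testing into the runtime image without any error; the exact version pin only constrains zlib1g itself. Today zlib1g's dependencies are probably already satisfied by bookworm, but nothing in this RUN verifies that, and the comment only says the repository is "temporary". A fail-closed alternative is to pin testing to a negative priority for everything except zlib1g and drop `-t testing`, so a dependency leak aborts the build instead of silently shipping a mixed-suite image; the same applies to the builder stage, which is outside this hunk.

```dockerfile
    # Temporarily add the Debian Testing repository to install zlib1g 1:1.3.dfsg+really1.3.1-1+b1 (fixed CVE-2023-45853)
    && echo "deb http://deb.debian.org/debian testing main" > /etc/apt/sources.list.d/testing.list \
    # Fail closed: nothing but zlib1g may be resolved from testing
    && printf 'Package: *\nPin: release a=testing\nPin-Priority: -1\n\nPackage: zlib1g\nPin: release a=testing\nPin-Priority: 990\n' > /etc/apt/preferences.d/zlib-testing \
    && apt-get update \
    && apt-get install -y --no-install-recommends zlib1g=1:1.3.dfsg+really1.3.1-1+b1 \
    && rm -rf /etc/apt/sources.list.d/testing.list /etc/apt/preferences.d/zlib-testing \
    # … unchanged: apt-get update / upgrade / autoremove / clean …
```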