Base image vulnerabilities #513
Comments
Hi @rgidda, thanks for reporting! And one last thing: do you have a recommended base image that you use? It would be great if you want to help us with this and contribute to Open Source 🥇

Hi @obsd, we are using Blackduck Enterprise Edition; it scans all attributes of the image, including base images. Please upgrade your base images to the latest versions and replace/update the packages which got critical vulnerabilities. You can use the below scanning tool locally.

Hi @rgidda, thanks for the details and the link :)

Hi @obsd, I have made an attempt at this. All Debian vulnerabilities are resolved in these changes; however, there seems to be an issue with OPA running. In this commit there are docker compose logs showing this sort of log line running every couple of seconds: `opal_client.engine.runner | INFO | Running policy engine inline: opa run --server --addr=:8181 --authentication=off --authorization=off --log-level=info`. Any advice on how to debug?

Hi @devine12

Hi @devine12, there can be many reasons why OPA restarts in Alpine Linux. We did use Alpine before for OPAL and moved away towards the official Python Docker image due to build-time issues, stability issues and DNS issues. It does look like they finally fixed it in Alpine 3.18; we'll have to check. @obsd, for now I suggest sticking with the least vulnerable official Python base image and patching it accordingly until we can field-test Alpine stability.

Cool @devine12, is it working now with the new image?

Hi @obsd, yes, it is working now. For a local test I made a separate branch (devine12@17e0518) with:

I have raised a PR (https://github.com/permitio/opal/pull/534/files) and reached out in Slack. Any other guidance on how to move forward?

Hi @devine12, thank you very much, your PR is much appreciated!
Hi Team,
Our scanning tools (Blackduck) are reporting base image vulnerabilities for OPAL version 7.2.2 (we found 7 critical and 7 high); these issues are not related to OPAL source code. Please address these issues as soon as possible to make OPAL vulnerability free.

Example:
debian: libzstd1/1.4.8+dfsg-2.1/amd64 - BDSA-2019-5223
Zstandard command-line utility is vulnerable to information disclosure via improper default permissions on output files. Correct file permissions are only set at completion time which could allow a local attacker to read or write to a file during compression or decompression.
Note: The initial fix for this vulnerability was incomplete and a further fix was required. This was disclosed as CVE-2021-24032(BDSA-2021-2294).
| Component | Version | Package (distro: name/version/arch) | Vulnerabilities |
|---|---|---|---|
| Bash | 5.1 | debian: bash/5.1-2+deb11u1/amd64 | 1 |
| Berkeley DB | 5.3.28 | debian: libdb5.3/5.3.28+dfsg1-0.8/amd64 | 19224 |
| GNU C Library | 2.31 | debian: libc6/2.31-1/amd64 | 36102 |
| GNU C Library | 2.31 | debian: libc6/2.31-13+deb11u7/amd64 | 482 |
| GNU C Library | 2.31 | debian: libc-bin/2.31-13+deb11u7/amd64 | 482 |
| GNU tar | 1.34 | debian: tar/1.34+dfsg-1/amd64 | 1 |
| GnuPG | 2.2.27 | debian: gpgv/2.2.27-2+deb11u2/amd64 | 1 1 |
| GnuTLS | 3.7.1 | debian: libgnutls30/3.7.1-5+deb11u3/amd64 | 2 |
| Libtasn1 | 4.16.0 | debian: libtasn1-6/4.16.0-2+deb11u1/amd64 | |
| Linux-Pam | v1.4.0 | debian: libpam-runtime/1.4.0-9+deb11u1/all | 1 |
| Linux-Pam | v1.4.0 | debian: libpam0g/1.4.0-9+deb11u1/amd64 | 1 |
| Linux-Pam | v1.4.0 | debian: libpam-modules-bin/1.4.0-9+deb11u1/amd64 | 1 |
| Linux-Pam | v1.4.0 | debian: libpam-modules/1.4.0-9+deb11u1/amd64 | 1 |
| PCRE | 8.39 | debian: libpcre3/2:8.39-13/amd64 | 121 |
| PCRE2 | 10.36 | debian: libpcre2-8-0/10.36-2+deb11u1/amd64 | 1 |
| Procps | v3.3.17 | opensuse: procps-lang/3.3.17-5.1/noarch | 1 |
| Procps | v3.3.17 | debian: libprocps-dev/2:3.3.17-5/arm64 | 1 |
| Procps | v3.3.17 | opensuse: procps-devel/3.3.17-14.2/i586 | 1 |
| Procps | v3.3.17 | debian: procps/2:3.3.17-5/amd64 | 1 |
| Procps | v3.3.17 | rocky: procps-ng-i18n/3.3.17-5.el9_0/noarch | 1 |
| Procps | v3.3.17 | opensuse: procps/3.3.17-5.2/x86_64 | 1 |
| Shadow Tool Suite | 4.8.1 | debian: passwd/1:4.8.1-1/amd64 | 2 |
| Shadow Tool Suite | 4.8.1 | debian: login/1:4.8.1-1/amd64 | 2 |
| XZ Utils | 5.2.5 | debian: liblzma5/5.2.5-2.1~deb11u1/amd64 | 11 |
| e2fsprogs | 1.46.2 | debian: libcom-err2/1.46.2-2/amd64 | 1 |
| gzip | 1.10 | debian: gzip/1.10-4+deb11u1/amd64 | |
| krb5/krb5 | 1.18.3 | debian: libk5crypto3/1.18.3-6+deb11u4/amd64 | |
| krb5/krb5 | 1.18.3 | debian: libkrb5support0/1.18.3-6+deb11u4/amd64 | |
| krb5/krb5 | 1.18.3 | debian: libkrb5-3/1.18.3-6+deb11u4/amd64 | |
| krb5/krb5 | 1.18.3 | debian: libgssapi-krb5-2/1.18.3-6+deb11u4/amd64 | |
| libgcrypt | 1.8.7 | debian: libgcrypt20/1.8.7-6/amd64 | 1 |
| libtirpc | 1.3.1 | debian: libtirpc3/1.3.1-1+deb11u1/amd64 | |
| libtirpc | 1.3.1 | debian: libtirpc-common/1.3.1-1+deb11u1/all | |
| lz4 | v1.9.3 | debian: liblz4-1/1.9.3-2/amd64 | |
| systemd | 247.3 | debian: libudev1/247.3-7+deb11u4/amd64 | 1 |
| util-linux | 2.36.1 | debian: libblkid1/2.36.1-8+deb11u1/amd64 | 1 |
| util-linux | 2.36.1 | debian: util-linux/2.36.1-8+deb11u1/amd64 | 1 |
| util-linux | 2.36.1 | debian: libmount1/2.36.1-8+deb11u1/amd64 | 1 |
| util-linux | 2.36.1 | debian: mount/2.36.1-8+deb11u1/amd64 | 1 |
| util-linux | 2.36.1 | debian: libuuid1/2.36.1-8+deb11u1/amd64 | 1 |
| util-linux | 2.36.1 | debian: libsmartcols1/2.36.1-8+deb11u1/amd64 | 1 |
| zlib | 1.2.11 | debian: zlib1g/1:1.2.11.dfsg-2+deb11u2/amd64 | 1 |
| zstd | 1.4.8 | debian: libzstd1/1.4.8+dfsg-2.1/amd64 | 2 |