docker image scan reports issues #823

Open
githubcdr opened this issue Jun 28, 2022 · 6 comments
Labels
bug Something isn't working

Comments

@githubcdr

The docker image (cdignam/kodiak:v0.52.0) mentioned in the docs for self-hosting does not have a great reputation when it comes to security.

A trivy scan shows 199 critical issues in the latest release.

cdignam/kodiak:v0.52.0 (debian 10.0)
====================================
Total: 4018 (UNKNOWN: 7, LOW: 1309, MEDIUM: 1360, HIGH: 1143, CRITICAL: 199)

It seems that newer versions add more critical CVEs (v0.50.0 had 157).

What is going on here?

githubcdr added the "bug" label on Jun 28, 2022
@chdsbd
Owner

chdsbd commented Jun 28, 2022

What tool are you using to generate this report?

If you send me a list of CVEs, I can check if they impact Kodiak.

@githubcdr
Author

Hi @chdsbd, you can use Trivy for this. It will generate a list of CVEs.

@sbdchd
Collaborator

sbdchd commented Jul 4, 2022

Running trivy on the latest release I get:

22-07-04T17:59:10.298-0400	INFO	Table result includes only package filenames. Use '--format json' option to get the full path to the package file.

Python (python-pkg)

Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 2, CRITICAL: 1)

┌────────────────────┬────────────────┬──────────┬───────────────────┬─────────────────────────────────┬──────────────────────────────────────────────────────────────┐
│      Library       │ Vulnerability  │ Severity │ Installed Version │          Fixed Version          │                            Title                             │
├────────────────────┼────────────────┼──────────┼───────────────────┼─────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ PyJWT (METADATA)   │ CVE-2022-29217 │ HIGH     │ 1.7.1             │ 2.4.0                           │ python-jwt: Key confusion through non-blocklisted public key │
│                    │                │          │                   │                                 │ formats                                                      │
│                    │                │          │                   │                                 │ https://avd.aquasec.com/nvd/cve-2022-29217                   │
├────────────────────┼────────────────┼──────────┼───────────────────┼─────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ httpx (METADATA)   │ CVE-2021-41945 │ CRITICAL │ 0.18.1            │ 0.20.0                          │ Encode OSS httpx < 0.23.0 is affected by improper input   │
│                    │                │          │                   │                                 │ validation ...                                               │
│                    │                │          │                   │                                 │ https://avd.aquasec.com/nvd/cve-2021-41945                   │
├────────────────────┼────────────────┼──────────┼───────────────────┼─────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ ipython (METADATA) │ CVE-2022-21699 │ HIGH     │ 7.27.0            │ 6.0.0rc1, 7.16.3, 7.31.1, 8.0.1 │ IPython (Interactive Python) is a command shell for          │
│                    │                │          │                   │                                 │ interactive comput ...                                       │
│                    │                │          │                   │                                 │ https://avd.aquasec.com/nvd/cve-2022-21699                   │
├────────────────────┼────────────────┼──────────┼───────────────────┼─────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ pip (METADATA)     │ CVE-2021-3572  │ MEDIUM   │ 19.2.1            │ 21.1                            │ python-pip: Incorrect handling of unicode separators in git  │
│                    │                │          │                   │                                 │ references                                                   │
│                    │                │          │                   │                                 │ https://avd.aquasec.com/nvd/cve-2021-3572                    │
└────────────────────┴────────────────┴──────────┴───────────────────┴─────────────────────────────────┴──────────────────────────────────────────────────────────────┘

Of course I'm only looking at the python specific output, if you grab the entire output of that tool you get 15,000 lines of output aka garbage.

I think this tool suffers from a similar problem to npm audit: https://overreacted.io/npm-audit-broken-by-design/

chdsbd changed the title from "Very poor security rating for docker image" to "docker image scan reports issues" on Jul 4, 2022
@sbdchd
Collaborator

sbdchd commented Jul 4, 2022

Digging into the output a bit more, here's the output in a less verbose form where the key is the package name and the value is the number of CVEs associated with it.

{
  "apt": 3,
  "bash": 1,
  "binutils": 61,
  "binutils-common": 61,
  "binutils-x86-64-linux-gnu": 61,
  "bsdutils": 2,
  "comerr-dev": 3,
  "coreutils": 2,
  "cpp-8": 2,
  "curl": 23,
  "dirmngr": 2,
  "dpkg": 1,
  "dpkg-dev": 1,
  "e2fsprogs": 3,
  "fdisk": 2,
  "file": 1,
  "g++-8": 2,
  "gcc-8": 2,
  "gcc-8-base": 2,
  "gir1.2-rsvg-2.0": 1,
  "git": 16,
  "git-man": 16,
  "gnupg": 2,
  "gnupg-l10n": 2,
  "gnupg-utils": 2,
  "gpg": 2,
  "gpg-agent": 2,
  "gpg-wks-client": 2,
  "gpg-wks-server": 2,
  "gpgconf": 2,
  "gpgsm": 2,
  "gpgv": 2,
  "gzip": 1,
  "icu-devtools": 2,
  "imagemagick": 106,
  "imagemagick-6-common": 106,
  "imagemagick-6.q16": 106,
  "iproute2": 1,
  "krb5-multidev": 5,
  "libapt-pkg5.0": 3,
  "libasan5": 2,
  "libatomic1": 2,
  "libbinutils": 61,
  "libblkid-dev": 2,
  "libblkid1": 2,
  "libbsd0": 1,
  "libc-bin": 22,
  "libc-dev-bin": 22,
  "libc6": 22,
  "libc6-dev": 22,
  "libcairo-gobject2": 5,
  "libcairo-script-interpreter2": 5,
  "libcairo2": 5,
  "libcairo2-dev": 5,
  "libcc1-0": 2,
  "libcom-err2": 3,
  "libcroco3": 3,
  "libcurl3-gnutls": 23,
  "libcurl4": 23,
  "libcurl4-openssl-dev": 23,
  "libdb5.3": 1,
  "libdb5.3-dev": 1,
  "libde265-0": 19,
  "libdjvulibre-dev": 11,
  "libdjvulibre-text": 11,
  "libdjvulibre21": 11,
  "libdpkg-perl": 1,
  "libexif-dev": 10,
  "libexif12": 10,
  "libexpat1": 18,
  "libexpat1-dev": 18,
  "libext2fs2": 3,
  "libfdisk1": 2,
  "libfreetype6": 5,
  "libfreetype6-dev": 5,
  "libfribidi0": 4,
  "libgcc-8-dev": 2,
  "libgcc1": 2,
  "libgcrypt20": 4,
  "libglib2.0-0": 6,
  "libglib2.0-bin": 6,
  "libglib2.0-data": 6,
  "libglib2.0-dev": 6,
  "libglib2.0-dev-bin": 6,
  "libgmp-dev": 1,
  "libgmp10": 1,
  "libgmpxx4ldbl": 1,
  "libgnutls-dane0": 7,
  "libgnutls-openssl27": 7,
  "libgnutls28-dev": 7,
  "libgnutls30": 7,
  "libgnutlsxx28": 7,
  "libgomp1": 2,
  "libgssapi-krb5-2": 5,
  "libgssrpc4": 5,
  "libharfbuzz0b": 1,
  "libheif1": 3,
  "libhogweed4": 2,
  "libicu-dev": 2,
  "libicu63": 2,
  "libidn2-0": 2,
  "libidn2-dev": 2,
  "libitm1": 2,
  "libjbig-dev": 1,
  "libjbig0": 1,
  "libjpeg-dev": 8,
  "libjpeg62-turbo": 8,
  "libjpeg62-turbo-dev": 8,
  "libk5crypto3": 5,
  "libkadm5clnt-mit11": 5,
  "libkadm5srv-mit11": 5,
  "libkdb5-9": 5,
  "libkrb5-3": 5,
  "libkrb5-dev": 5,
  "libkrb5support0": 5,
  "libldap-2.4-2": 22,
  "libldap-common": 22,
  "liblsan0": 2,
  "liblz4-1": 2,
  "liblzma-dev": 1,
  "liblzma5": 1,
  "libmagic-mgc": 1,
  "libmagic1": 1,
  "libmagickcore-6-arch-config": 106,
  "libmagickcore-6-headers": 106,
  "libmagickcore-6.q16-6": 106,
  "libmagickcore-6.q16-6-extra": 106,
  "libmagickcore-6.q16-dev": 106,
  "libmagickcore-dev": 106,
  "libmagickwand-6-headers": 106,
  "libmagickwand-6.q16-6": 106,
  "libmagickwand-6.q16-dev": 106,
  "libmagickwand-dev": 106,
  "libmariadb-dev": 80,
  "libmariadb-dev-compat": 80,
  "libmariadb3": 80,
  "libmount-dev": 2,
  "libmount1": 2,
  "libmpx2": 2,
  "libncurses-dev": 4,
  "libncurses5-dev": 4,
  "libncurses6": 4,
  "libncursesw5-dev": 4,
  "libncursesw6": 4,
  "libnettle6": 2,
  "libnghttp2-14": 3,
  "libopenexr-dev": 40,
  "libopenexr23": 40,
  "libopenjp2-7": 33,
  "libopenjp2-7-dev": 33,
  "libp11-kit-dev": 3,
  "libp11-kit0": 3,
  "libpango-1.0-0": 1,
  "libpangocairo-1.0-0": 1,
  "libpangoft2-1.0-0": 1,
  "libpcre16-3": 6,
  "libpcre2-8-0": 3,
  "libpcre3": 6,
  "libpcre3-dev": 6,
  "libpcre32-3": 6,
  "libpcrecpp0v5": 6,
  "libperl5.28": 5,
  "libpng-dev": 4,
  "libpng16-16": 4,
  "libpq-dev": 17,
  "libpq5": 17,
  "libpython-stdlib": 1,
  "libpython2-stdlib": 1,
  "libpython2.7-minimal": 16,
  "libpython2.7-stdlib": 16,
  "libpython3.7-minimal": 22,
  "libpython3.7-stdlib": 22,
  "libquadmath0": 2,
  "librsvg2-2": 1,
  "librsvg2-common": 1,
  "librsvg2-dev": 1,
  "libsasl2-2": 2,
  "libsasl2-modules-db": 2,
  "libseccomp2": 1,
  "libsepol1": 4,
  "libsepol1-dev": 4,
  "libsmartcols1": 2,
  "libsqlite3-0": 18,
  "libsqlite3-dev": 18,
  "libss2": 3,
  "libssh2-1": 2,
  "libssl-dev": 18,
  "libssl1.1": 18,
  "libstdc++-8-dev": 2,
  "libstdc++6": 2,
  "libsvn1": 5,
  "libsystemd0": 10,
  "libtasn1-6": 1,
  "libtasn1-6-dev": 1,
  "libtcl8.6": 1,
  "libtiff-dev": 33,
  "libtiff5": 33,
  "libtiffxx5": 33,
  "libtinfo6": 4,
  "libtsan0": 2,
  "libubsan1": 2,
  "libudev1": 10,
  "libunbound8": 17,
  "libuuid1": 2,
  "libwebp-dev": 12,
  "libwebp6": 12,
  "libwebpdemux2": 12,
  "libwebpmux3": 12,
  "libwmf-dev": 4,
  "libwmf0.2-7": 4,
  "libx11-6": 3,
  "libx11-data": 3,
  "libx11-dev": 3,
  "libxml2": 16,
  "libxml2-dev": 16,
  "libxslt1-dev": 5,
  "libxslt1.1": 5,
  "libxtables12": 2,
  "libzstd1": 2,
  "linux-libc-dev": 594,
  "login": 4,
  "m4": 2,
  "mariadb-common": 80,
  "mount": 2,
  "ncurses-base": 4,
  "ncurses-bin": 4,
  "nettle-dev": 2,
  "openssh-client": 13,
  "openssl": 18,
  "passwd": 4,
  "patch": 7,
  "perl": 5,
  "perl-base": 5,
  "perl-modules-5.28": 5,
  "python": 1,
  "python-minimal": 1,
  "python2": 1,
  "python2-minimal": 1,
  "python2.7": 16,
  "python2.7-minimal": 16,
  "python3.7": 22,
  "python3.7-minimal": 22,
  "subversion": 5,
  "supervisor": 1,
  "tar": 3,
  "tcl8.6": 1,
  "tcl8.6-dev": 1,
  "unzip": 4,
  "util-linux": 2,
  "uuid-dev": 2,
  "wget": 1,
  "xz-utils": 1,
  "zlib1g": 1,
  "zlib1g-dev": 1,
  "PyJWT": 1,
  "httpx": 1,
  "ipython": 1,
  "pip": 1
}
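The per-package aggregation sbdchd shows above (key = package name, value = number of CVEs) can be reproduced from Trivy's `--format json` output, which the log line at the top of the table output points at. The script below is an added example, not Kodiak's code and not part of Trivy; it follows the `Results[].Vulnerabilities[]` shape of Trivy's JSON report, and the embedded report is a constructed sample with placeholder CVE IDs and made-up versions, not a real scan of cdignam/kodiak. It also goes one step beyond the comment: it counts distinct CVE IDs (Debian binary packages built from one source repeat the same CVE, which is why curl and libcurl4, or binutils and libbinutils, show identical counts) and filters to findings that have a fix available, which is the shorter list a maintainer can actually act on.

```python
"""Summarise a Trivy JSON report per package, per severity and per fixability.

Added example (not Kodiak's code, not part of Trivy). The report layout below
follows Trivy's `trivy image --format json <image>` output; the embedded
report is a constructed sample with placeholder CVE IDs, not a real scan.
"""
import json
from collections import Counter

# Constructed sample report (placeholder CVE IDs, made-up versions).
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "example/image:1.0",
    "Results": [
        {
            "Target": "example/image:1.0 (debian 10.0)",
            "Class": "os-pkgs",
            "Type": "debian",
            "Vulnerabilities": [
                # The same CVE reported once per binary package of the curl source.
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libcurl4",
                 "InstalledVersion": "7.64.0-4", "FixedVersion": "7.64.0-4+deb10u2",
                 "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "curl",
                 "InstalledVersion": "7.64.0-4", "FixedVersion": "7.64.0-4+deb10u2",
                 "Severity": "CRITICAL"},
                # Kernel header findings with no fix in the distro yet.
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "linux-libc-dev",
                 "InstalledVersion": "4.19.181-1", "FixedVersion": "",
                 "Severity": "LOW"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "linux-libc-dev",
                 "InstalledVersion": "4.19.181-1", "FixedVersion": "",
                 "Severity": "HIGH"},
            ],
        },
        {
            "Target": "Python",
            "Class": "lang-pkgs",
            "Type": "python-pkg",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0004", "PkgName": "examplelib",
                 "InstalledVersion": "1.0.0", "FixedVersion": "1.1.0",
                 "Severity": "HIGH"},
            ],
        },
    ],
})

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def load_findings(report_json):
    """Flatten a Trivy report into (result type, vulnerability dict) pairs.

    `Vulnerabilities` may be missing or null for a clean target, hence `or []`.
    """
    report = json.loads(report_json)
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            yield result.get("Type", "?"), vuln


def cves_per_package(report_json):
    """Package name -> number of findings, the shape shown in the comment."""
    counts = Counter(v["PkgName"] for _, v in load_findings(report_json))
    return dict(counts)


def distinct_cves(report_json):
    """Distinct CVE IDs; much smaller than the raw total when one source
    package ships many binary packages that each repeat the same CVE."""
    return {v["VulnerabilityID"] for _, v in load_findings(report_json)}


def severity_totals(report_json, fixable_only=False):
    """Findings per severity, optionally only those with a FixedVersion."""
    totals = Counter()
    for _, v in load_findings(report_json):
        if fixable_only and not v.get("FixedVersion"):
            continue
        totals[v.get("Severity", "UNKNOWN")] += 1
    return dict(totals)


def actionable(report_json, min_severity="HIGH"):
    """Findings at or above min_severity that have a fix available, as
    (type, package, CVE, installed, fixed) tuples: the list worth sending
    to a maintainer instead of the raw count."""
    threshold = SEVERITY_RANK[min_severity]
    out = []
    for pkg_type, v in load_findings(report_json):
        rank = SEVERITY_RANK.get(v.get("Severity", "UNKNOWN"), 0)
        if v.get("FixedVersion") and rank >= threshold:
            out.append((pkg_type, v["PkgName"], v["VulnerabilityID"],
                        v["InstalledVersion"], v["FixedVersion"]))
    return sorted(out)


if __name__ == "__main__":
    print(json.dumps(cves_per_package(SAMPLE_REPORT), indent=2))
    print("distinct CVEs:", len(distinct_cves(SAMPLE_REPORT)))
    print("fixable:", severity_totals(SAMPLE_REPORT, fixable_only=True))
    for row in actionable(SAMPLE_REPORT):
        print(*row)
```

To run it against a real report, replace `SAMPLE_REPORT` with the contents of `trivy image --format json <image>`; the raw total then splits into "repeated across binary packages", "no fix available in the distro" and "fixable at or above HIGH", which is the distinction the npm-audit discussion linked above is about.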

@githubcdr
Author

Hi @sbdchd,

I got a different output using this version.

 trivy --version
Version: 0.28.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2022-07-05 06:06:05.656161198 +0000 UTC
  NextUpdate: 2022-07-05 12:06:05.656160898 +0000 UTC
  DownloadedAt: 2022-07-05 09:51:31.985153999 +0000 UTC
$ trivy i cdignam/kodiak:v0.52.0 

cdignam/kodiak:v0.52.0 (debian 10.0)

Total: 4082 (UNKNOWN: 57, LOW: 1283, MEDIUM: 1357, HIGH: 1183, CRITICAL: 202)

@etiennetremel
Contributor

Could be a first improvement: #796
