
The current image has vulnerabilities, so can we release new one with newer alpine updates #216

rambangaru opened this issue Dec 3, 2024 · 4 comments
Labels
smartbear-supported SmartBear engineering team will support this issue. See https://docs.pact.io/help/smartbear

Comments

@rambangaru
Pre issue-raising checklist

I have already (please mark the applicable with an x):

  • [ X ] Confirmed this is the right place to raise the issue - only issues related to the Dockerization of the Pact Broker should be raised here. Issues related to the Pact Broker application itself should be raised in the Pact Broker project.
  • [ X ] Upgraded to the latest Pact Broker Docker image OR
  • [ X ] Checked the CHANGELOG to see if the issue I am about to raise has been fixed
  • Read the Troubleshooting page

Software versions

  • pact-broker docker version: 2.112.0
  • OS: ANY
  • pact broker client details: ANY

Expected behaviour

Image with latest OS updates and no vulnerabilities

Actual behaviour

Image is with known vulnerabilities

Steps to reproduce

Run any kind of security scan to identify the vulnerabilities

Relevant log files

@YOU54F (Member)

YOU54F commented Dec 6, 2024

> Run any kind of security scan to identify the vulnerabilities

Please note it isn't fair on maintainers of open source software to receive a very vague report of vulnerabilities. We would appreciate at minimum the tool you have used and the vulnerability you believe is present; otherwise we would suggest looking at our own trivy scan. If the particular vulnerability isn't caught by trivy, then that would be an issue for that project, and they would also require sufficient actionable information.

What specific vulnerabilities are you referring to?

We do run an audit on a cron job, which recently started failing due to a CVE in Sinatra:

2024-12-05T04:53:56Z	INFO	Detected OS	family="alpine" version="3.20.3"
2024-12-05T04:53:56Z	INFO	[alpine] Detecting vulnerabilities...	os_version="3.20" repository="3.20" pkg_num=77
2024-12-05T04:53:56Z	INFO	Number of language-specific files	num=1
2024-12-05T04:53:56Z	INFO	[bundler] Detecting vulnerabilities...

fcbe10f906a8 (alpine 3.20.3)
============================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


pact_broker/Gemfile.lock (bundler)
==================================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                        Title                        │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────┤
│ sinatra │ CVE-2024-21510 │ MEDIUM   │ fixed  │ 3.2.0             │ >= 4.1.0      │ sinatra: Open Redirect Vulnerability in Sinatra via │
│         │                │          │        │                   │               │ X-Forwarded-Host Header                             │
│         │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-21510          │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────┘

Linked CVE:- https://avd.aquasec.com/nvd/2024/cve-2024-21510/

Unfortunately, resolving that isn't trivial for us in the Pact Broker: it requires Sinatra 4, which requires Rack 3, which webmachine (on which the Pact Broker depends) doesn't yet support.

The SmartBear PactFlow team have recently hired a new Ruby Senior Engineer who will be allocating time towards our open source projects including the Pact Broker, so this particular issue is on his radar.

@YOU54F (Member)

YOU54F commented Dec 6, 2024

Our current release process is blocked due to the above CVE.

Tracking issue raised in the pact_broker project.

Have proposed skipping the CVE in this project, which consumes the pact_broker, in order to allow updates outside Sinatra to still proceed, as the current released version is still in the same vulnerable state as the image we wish to deploy in relation to the CVE.

(It adds no value blocking the deployment of any changes in this project, based on the audit, unless we were adding new vulnerable code, that wasn't present in the deployed image - which isn't the case in this instance)
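The gating rule described in the comment above (block a release only on vulnerabilities that the already-deployed image does not carry, and record any deliberate skip with an expiry so it cannot linger) as an added example. This is not the project's own CI code. It compares two Trivy JSON reports, which in practice you would produce with `trivy image --format json --output <file> <image>`; the two reports embedded here are constructed to mirror the scan output in the thread, the OS-layer image IDs and the waiver expiry date are assumptions, and `CVE-0000-0000` is a placeholder identifier, not a real CVE.

```python
"""Release gate: fail only on findings the deployed image does not already have.

Added example, not code from the pact-broker-docker project. Inputs are Trivy
JSON reports (shape: Results[].Target/Class/Type and
Results[].Vulnerabilities[].VulnerabilityID/PkgName/InstalledVersion/
FixedVersion/Severity). Sample reports below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    target: str      # normalised Trivy Target (lockfile path, or "os:<distro>")
    pkg: str         # PkgName
    vuln_id: str     # VulnerabilityID
    installed: str
    fixed: str
    severity: str

    @property
    def key(self) -> tuple[str, str, str]:
        # Identity ignores versions: a rebuild that bumps a package without
        # reaching FixedVersion is still the same known finding, not a new one.
        return (self.target, self.pkg, self.vuln_id)


def _target(result: dict) -> str:
    # The OS-layer Target embeds the image ID ("fcbe10f906a8 (alpine 3.20.3)"),
    # which changes on every rebuild, so key OS findings on the distro type
    # instead; lockfile targets are stable paths and can be used as-is.
    if result.get("Class") == "os-pkgs":
        return f"os:{result.get('Type', 'unknown')}"
    return result["Target"]


def findings(report: dict) -> set[Finding]:
    """Flatten a Trivy JSON report into a set of findings."""
    out: set[Finding] = set()
    for result in report.get("Results", []):
        # "Vulnerabilities" is absent or null for clean targets
        for v in result.get("Vulnerabilities") or []:
            out.add(Finding(_target(result), v["PkgName"], v["VulnerabilityID"],
                            v.get("InstalledVersion", ""), v.get("FixedVersion", ""),
                            v.get("Severity", "UNKNOWN")))
    return out


def new_findings(deployed: dict, candidate: dict) -> set[Finding]:
    """Findings present in the candidate image but not in the deployed one."""
    known = {f.key for f in findings(deployed)}
    return {f for f in findings(candidate) if f.key not in known}


def gate(deployed: dict, candidate: dict, waivers: dict[str, date],
         today: date) -> tuple[bool, list[str]]:
    """Return (release_ok, messages). waivers maps a vuln ID to its expiry date;
    an expired waiver blocks, so a 'temporary' skip has to be renewed on purpose."""
    ok, msgs = True, []
    known = {f.key for f in findings(deployed)}
    for f in sorted(findings(candidate), key=lambda f: f.key):
        if f.key in known:
            msgs.append(f"CARRIED {f.severity} {f.vuln_id} in {f.pkg} (already in deployed image)")
            continue
        expiry = waivers.get(f.vuln_id)
        if expiry is None:
            ok = False
            msgs.append(f"BLOCK new {f.severity} {f.vuln_id} in {f.pkg} {f.installed} "
                        f"({f.target}), fixed in {f.fixed or 'n/a'}")
        elif today > expiry:
            ok = False
            msgs.append(f"BLOCK waiver for {f.vuln_id} expired {expiry.isoformat()}")
        else:
            msgs.append(f"WAIVED {f.vuln_id} in {f.pkg} until {expiry.isoformat()}")
    return ok, msgs


# --- constructed sample reports (not real scan output) ---
SINATRA = {"VulnerabilityID": "CVE-2024-21510", "PkgName": "sinatra",
           "InstalledVersion": "3.2.0", "FixedVersion": ">= 4.1.0", "Severity": "MEDIUM"}
DEPLOYED_REPORT = {"Results": [
    {"Target": "fcbe10f906a8 (alpine 3.20.3)", "Class": "os-pkgs", "Type": "alpine"},
    {"Target": "pact_broker/Gemfile.lock", "Class": "lang-pkgs", "Type": "bundler",
     "Vulnerabilities": [SINATRA]},
]}
CANDIDATE_REPORT = {"Results": [
    {"Target": "0a1b2c3d4e5f (alpine 3.20.3)", "Class": "os-pkgs", "Type": "alpine",
     "Vulnerabilities": [  # placeholder finding, not a real CVE
         {"VulnerabilityID": "CVE-0000-0000", "PkgName": "example-pkg",
          "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1", "Severity": "HIGH"}]},
    {"Target": "pact_broker/Gemfile.lock", "Class": "lang-pkgs", "Type": "bundler",
     "Vulnerabilities": [SINATRA]},
]}
WAIVERS = {"CVE-2024-21510": date(2025, 3, 31)}  # hypothetical expiry

if __name__ == "__main__":
    ok, msgs = gate(DEPLOYED_REPORT, CANDIDATE_REPORT, WAIVERS, date(2025, 1, 6))
    print("\n".join(msgs))
    raise SystemExit(0 if ok else 1)
```

With the two constructed reports the gate blocks: the Sinatra finding is carried over from the deployed image and is only reported, but the placeholder OS finding exists solely in the candidate and has no waiver. Keying OS findings on the distro type rather than the raw Target matters: the image ID in the Target differs between any two images, and without normalisation every OS finding would look new.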

@mefellows mefellows added the smartbear-supported SmartBear engineering team will support this issue. See https://docs.pact.io/help/smartbear label Dec 10, 2024

🤖 Great news! We've labeled this issue as smartbear-supported and created a tracking ticket in PactFlow's Jira (PACT-2961). We'll keep work public and post updates here. Meanwhile, feel free to check out our docs. Thanks for your patience!
