
azlinux: Make sure we install /etc/os-release #342

Merged: 1 commit, Aug 2, 2024

Conversation


@cpuguy83 cpuguy83 commented Aug 1, 2024

This is needed for scanners and other things and is just generally good to have in the image.

Before, scanning the output of the runc-azlinux3-container target yields the following: (note that it can't detect the OS)

 DOCKER_HOST=unix:///Users/cpuguy83/.docker/run/docker.sock trivy image runc:azlinux3
2024-08-01T15:59:08-07:00	INFO	[vuln] Vulnerability scanning is enabled
2024-08-01T15:59:08-07:00	INFO	[secret] Secret scanning is enabled
2024-08-01T15:59:08-07:00	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-01T15:59:08-07:00	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-01T15:59:08-07:00	INFO	Detected OS	family="none" version=""
2024-08-01T15:59:08-07:00	WARN	Unsupported os	family="none"
2024-08-01T15:59:08-07:00	INFO	Number of language-specific files	num=1
2024-08-01T15:59:08-07:00	INFO	[gobinary] Detecting vulnerabilities...
2024-08-01T15:59:08-07:00	WARN	Using severities from other vendors for some vulnerabilities. Read https://aquasecurity.github.io/trivy/v0.54/docs/scanner/vulnerability#severity-selection for details.

usr/bin/runc (gobinary)

Total: 7 (UNKNOWN: 0, LOW: 0, MEDIUM: 6, HIGH: 1, CRITICAL: 0)

┌───────────────────────────────────────┬─────────────────────┬──────────┬────────┬───────────────────┬─────────────────┬──────────────────────────────────────────────────────────────┐
│                Library                │    Vulnerability    │ Severity │ Status │ Installed Version │  Fixed Version  │                            Title                             │
├───────────────────────────────────────┼─────────────────────┼──────────┼────────┼───────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/cyphar/filepath-securejoin │ GHSA-6xv5-86q9-7xr8 │ MEDIUM   │ fixed  │ v0.2.3            │ 0.2.4           │ SecureJoin: on windows, paths outside of the rootfs could be │
│                                       │                     │          │        │                   │                 │ inadvertently produced...                                    │
│                                       │                     │          │        │                   │                 │ https:/advisories/GHSA-6xv5-86q9-7xr8            │
├───────────────────────────────────────┼─────────────────────┼──────────┤        ├───────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/net                      │ CVE-2023-39325      │ HIGH     │        │ v0.8.0            │ 0.17.0          │ golang: net/http, x/net/http2: rapid stream resets can cause │
│                                       │                     │          │        │                   │                 │ excessive work (CVE-2023-44487)                              │
│                                       │                     │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2023-39325                   │
│                                       ├─────────────────────┼──────────┤        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│                                       │ CVE-2023-3978       │ MEDIUM   │        │                   │ 0.13.0          │ golang.org/x/net/html: Cross site scripting                  │
│                                       │                     │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2023-3978                    │
│                                       ├─────────────────────┤          │        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│                                       │ CVE-2023-44487      │          │        │                   │ 0.17.0          │ HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable   │
│                                       │                     │          │        │                   │                 │ to a DDoS attack...                                          │
│                                       │                     │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2023-44487                   │
│                                       ├─────────────────────┤          │        │                   ├─────────────────┼──────────────────────────────────────────────────────────────┤
│                                       │ CVE-2023-45288      │          │        │                   │ 0.23.0          │ golang: net/http, x/net/http2: unlimited number of           │
│                                       │                     │          │        │                   │                 │ CONTINUATION frames causes DoS                               │
│                                       │                     │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2023-45288                   │
├───────────────────────────────────────┼─────────────────────┤          │        ├───────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ google.golang.org/protobuf            │ CVE-2024-24786      │          │        │ v1.27.1           │ 1.33.0          │ golang-protobuf: encoding/protojson, internal/encoding/json: │
│                                       │                     │          │        │                   │                 │ infinite loop in protojson.Unmarshal when unmarshaling       │
│                                       │                     │          │        │                   │                 │ certain forms of...                                          │
│                                       │                     │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24786                   │
├───────────────────────────────────────┼─────────────────────┤          │        ├───────────────────┼─────────────────┼──────────────────────────────────────────────────────────────┤
│ stdlib                                │ CVE-2024-24791      │          │        │ 1.22.4            │ 1.21.12, 1.22.5 │ net/http: Denial of service due to improper 100-continue     │
│                                       │                     │          │        │                   │                 │ handling in net/http                                         │
│                                       │                     │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24791                   │
└───────────────────────────────────────┴─────────────────────┴──────────┴────────┴───────────────────┴─────────────────┴──────────────────────────────────────────────────────────────┘

With this change:

❯ DOCKER_HOST=unix:///Users/cpuguy83/.docker/run/docker.sock trivy image runc:azlinux3
2024-08-01T16:01:04-07:00	INFO	[vuln] Vulnerability scanning is enabled
2024-08-01T16:01:04-07:00	INFO	[secret] Secret scanning is enabled
2024-08-01T16:01:04-07:00	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-01T16:01:04-07:00	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-01T16:01:04-07:00	INFO	Detected OS	family="azurelinux" version="3.0"
2024-08-01T16:01:04-07:00	INFO	[azurelinux] Detecting vulnerabilities...	os_version="3.0" pkg_num=5
2024-08-01T16:01:04-07:00	INFO	Number of language-specific files	num=1
2024-08-01T16:01:04-07:00	INFO	[gobinary] Detecting vulnerabilities...

runc:azlinux3 (azurelinux 3.0)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


usr/bin/runc (gobinary)

Total: 6 (UNKNOWN: 0, LOW: 0, MEDIUM: 5, HIGH: 1, CRITICAL: 0)

┌───────────────────────────────────────┬─────────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│                Library                │    Vulnerability    │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                             │
├───────────────────────────────────────┼─────────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/cyphar/filepath-securejoin │ GHSA-6xv5-86q9-7xr8 │ MEDIUM   │ fixed  │ v0.2.3            │ 0.2.4         │ SecureJoin: on windows, paths outside of the rootfs could be │
│                                       │                     │          │        │                   │               │ inadvertently produced...                                    │
│                                       │                     │          │        │                   │               │ https:/advisories/GHSA-6xv5-86q9-7xr8            │
├───────────────────────────────────────┼─────────────────────┼──────────┤        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/net                      │ CVE-2023-39325      │ HIGH     │        │ v0.8.0            │ 0.17.0        │ golang: net/http, x/net/http2: rapid stream resets can cause │
│                                       │                     │          │        │                   │               │ excessive work (CVE-2023-44487)                              │
│                                       │                     │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-39325                   │
│                                       ├─────────────────────┼──────────┤        │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
│                                       │ CVE-2023-3978       │ MEDIUM   │        │                   │ 0.13.0        │ golang.org/x/net/html: Cross site scripting                  │
│                                       │                     │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-3978                    │
│                                       ├─────────────────────┤          │        │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
│                                       │ CVE-2023-44487      │          │        │                   │ 0.17.0        │ HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable   │
│                                       │                     │          │        │                   │               │ to a DDoS attack...                                          │
│                                       │                     │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-44487                   │
│                                       ├─────────────────────┤          │        │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
│                                       │ CVE-2023-45288      │          │        │                   │ 0.23.0        │ golang: net/http, x/net/http2: unlimited number of           │
│                                       │                     │          │        │                   │               │ CONTINUATION frames causes DoS                               │
│                                       │                     │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-45288                   │
├───────────────────────────────────────┼─────────────────────┤          │        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ google.golang.org/protobuf            │ CVE-2024-24786      │          │        │ v1.27.1           │ 1.33.0        │ golang-protobuf: encoding/protojson, internal/encoding/json: │
│                                       │                     │          │        │                   │               │ infinite loop in protojson.Unmarshal when unmarshaling       │
│                                       │                     │          │        │                   │               │ certain forms of...                                          │
│                                       │                     │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-24786                   │
└───────────────────────────────────────┴─────────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘

This is needed for scanners and other things and is just generally good
to have in the image.

Signed-off-by: Brian Goff <[email protected]>
@cpuguy83 cpuguy83 requested a review from a team as a code owner August 1, 2024 23:02
@cpuguy83 cpuguy83 enabled auto-merge (rebase) August 1, 2024 23:10
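As an added example (not dalec's own code and not part of this PR), here is a Go parser for the /etc/os-release KEY=VALUE format together with the ID/VERSION_ID lookup that an image scanner performs to turn the file into the "Detected OS family=... version=..." line above; the sample file contents, `ParseOSRelease` and `DetectOS` are constructed for this example.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed sample in the shape that yields "family=azurelinux version=3.0".
const sampleOSRelease = "NAME=\"Microsoft Azure Linux\"\nID=azurelinux\nVERSION_ID=\"3.0\"\n"

// ParseOSRelease reads /etc/os-release: comments and blank lines are skipped, values may
// be bare or quoted, escapes inside "..." are decoded, and malformed lines are errors.
func ParseOSRelease(content string) (map[string]string, error) {
	out := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(content))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		key, val, found := strings.Cut(line, "=")
		if !found || key == "" {
			return nil, fmt.Errorf("os-release line %d: expected KEY=VALUE", n)
		}
		if len(val) >= 2 && (val[0] == '"' || val[0] == '\'') {
			if val[len(val)-1] != val[0] {
				return nil, fmt.Errorf("os-release line %d: unterminated quote", n)
			}
			if val[0] == '"' { // single-quoted values are taken literally
				val = strings.NewReplacer(`\"`, `"`, `\\`, `\`, `\$`, `$`, "\\`", "`").Replace(val)
			}
			val = val[1 : len(val)-1]
		}
		out[key] = val
	}
	return out, sc.Err()
}

// DetectOS returns the fields a scanner keys its advisory lookup on; ok is false
// when ID or VERSION_ID is absent, which is the "family=none" case shown above.
func DetectOS(content string) (family, version string, ok bool) {
	fields, _ := ParseOSRelease(content) // on a parse error the map is nil
	family, version = fields["ID"], fields["VERSION_ID"]
	return family, version, family != "" && version != ""
}

func main() {
	family, version, ok := DetectOS(sampleOSRelease)
	fmt.Printf("detected=%v family=%q version=%q\n", ok, family, version)
}
```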
```go
CheckOutput: dalec.CheckOutput{
	Contains: []string{
		fmt.Sprintf("ID=%s\n", testConfig.Release.ID),
		// Note: the value of `VERSION_ID` needs to be quoted!
```
@sozercan sozercan Aug 1, 2024


@cpuguy83 is this WIP?

@cpuguy83 cpuguy83 (Member, Author)

I'd rather get it in, I filed a bug.

@sozercan sozercan left a comment


LGTM

@cpuguy83 cpuguy83 merged commit f46a139 into Azure:main Aug 2, 2024
9 checks passed
@cpuguy83 cpuguy83 deleted the add_osrelease branch August 2, 2024 00:33