Security Scan Findings #134
Comments
Apparently, this is an artifact of using a docker image based on debian:10.2

ARG BASE_IMAGE=debian:10.2

(Reference: https://github.com/Senzing/docker-senzing-base/blob/master/Dockerfile) Any fix will be made by using a different version of debian. Perhaps debian:10.3.

Recanting on the last post. The line of interest is https://github.com/Senzing/docker-senzing-base/blob/2aab19d2af2f810b7544ce2893fbac4ae0b0fcca/Dockerfile#L35 Need to see how that can install python 3.7.3

@ZackHill05 It looks like the current

$ docker run -it --entrypoint /bin/bash senzing/senzing-api-server:1.7.10

In the docker container:

$ python3 --version
Python 3.7.3

What do you see in your version of
@docktermj You're right, I'm using 1.7.7 and latest, and both have python3's version as Python 3.7.3. Let me see if I can have an expert in the scan tell me what this means.

@docktermj Is there a way to validate that both Docker images are only using Python3?

@ZackHill05 In the case of the The layering of docker images is:

What is the other Docker image you are referring to? If it's Is that the type of validation you are looking for? Or something else?

@docktermj The other one is senzing/entity-search-web-app. Our scan SME says that this is either a false positive or it could be that both 3.5 and 3.7 Python binaries are in the docker image. I think that the docker image has kept previous Python versions (i.e. /usr/lib/python2.7 and /usr/lib/python3.5). Would it be possible to provide an image without those directories, and that would prove that the image is only using Python 3.7.3?

@docktermj Our scan SME responded to my questions and confirmed that there is no need to investigate finding #1 since it has no remediation. For finding #2, he also confirmed that the finding is noting the specific elements of Python 2.7 and Python 3.5 that can be exploited. Therefore, simply having it in the Docker image poses a risk (even though the image itself is using Python 3.7.3). Full remediation would be to remove the entire /usr/lib/python2.7 and /usr/lib/python3.5 directories. If we just want to get past the security finding, we could just remove the /usr/lib/python2.7/urllib.py and /usr/lib/python3.5/urllib/parse.py files. Either way, I need a clean scan by March 4 in preparation for a March 9 go-live. Could I get an updated image by March 4, sooner if possible?
@ZackHill05 At the moment, we're a little hesitant to "pull the rug out" from under files that are part of the standard package installations on debian:10.2. (https://github.com/Senzing/docker-senzing-base/blob/2aab19d2af2f810b7544ce2893fbac4ae0b0fcca/Dockerfile#L19-L42) We're not sure if it affects other customers. We'll continue to consider it and will post any thoughts or questions here. But, that shouldn't stop you from getting what you want. For instance, you can make your own Dockerfile that removes the parts that fail the scan. Example:

FROM senzing/senzing-api-server:1.7.10

# Run as "root" for system installation.
USER root

# Delete unwanted directories
RUN rm -rf /usr/lib/python2.7 \
 && rm -rf /usr/lib/python3.5

# Make non-root container.
USER 1001

Then build like this:
@ZackHill05, I'm going over this with a fine tooth comb, as they say. Some things just aren't adding up. For instance, if you bring up a

docker run -it --entrypoint /bin/bash --user 0 senzing/senzing-api-server:1.7.10

And in the container, run the following:

# find / -name urllib.py
# find / -name parse.py
/usr/lib/python3.7/urllib/parse.py
/usr/lib/python3.7/lib2to3/pgen2/parse.py

You'll see that none of the files mentioned in the scan report exist.
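An added example, not from the Senzing project or from any commenter in this thread, that turns the two checks discussed above (the question of how to validate which Python versions an image carries, and the root-shell `find` walk in the previous comment) into a POSIX shell script you can run inside a container as root or against an exported image rootfs. The `docker run` invocation in the header comment and the demo directory tree it builds are assumptions made for illustration; the two flagged paths are the ones named in the scan findings.

```sh
#!/bin/sh
# Added example (not Senzing project code): audit a root filesystem for
# leftover Python standard-library trees and for the exact files a scanner
# flagged. Assumed way to run it inside a container, as root:
#   docker run --rm --user 0 --entrypoint /bin/sh IMAGE -c "$(cat audit.sh)" audit --demo
# Run with --demo to exercise it on a constructed tree instead of "/".

# list_python_dirs [ROOT]: print every Python library directory under ROOT
# (default "/"), with the ROOT prefix stripped so the output matches the
# paths a scan report would cite (e.g. /usr/lib/python3.7).
list_python_dirs() {
  root="${1:-/}"
  for d in "$root"/usr/lib/python* "$root"/usr/local/lib/python*; do
    [ -d "$d" ] && printf '%s\n' "${d#"$root"}"
  done
  return 0
}

# check_flagged_files ROOT FILE...: print each flagged file that still exists
# under ROOT. Returns 0 when none remain (clean), 1 when any are present.
check_flagged_files() {
  root="$1"
  shift
  found=0
  for f in "$@"; do
    if [ -e "$root$f" ]; then
      printf 'FOUND %s\n' "$f"
      found=1
    fi
  done
  return "$found"
}

# make_demo_root: build a constructed directory tree (assumption, not a real
# image) mimicking the layout described in the thread: stale 2.7 and 3.5
# trees sitting beside the 3.7 tree that is actually in use. Prints its path.
make_demo_root() {
  root=$(mktemp -d)
  mkdir -p "$root/usr/lib/python2.7" \
           "$root/usr/lib/python3.5/urllib" \
           "$root/usr/lib/python3.7/urllib"
  : > "$root/usr/lib/python2.7/urllib.py"
  : > "$root/usr/lib/python3.5/urllib/parse.py"
  : > "$root/usr/lib/python3.7/urllib/parse.py"
  printf '%s' "$root"
}

# The paths named in the scan findings (space-separated on purpose so the
# list can be word-split into positional arguments below).
FLAGGED="/usr/lib/python2.7/urllib.py /usr/lib/python3.5/urllib/parse.py"

if [ "${1:-}" = "--demo" ]; then
  R=$(make_demo_root)
  echo "Python directories before cleanup:"; list_python_dirs "$R"
  check_flagged_files "$R" $FLAGGED || echo "scan would still fail"
  # The same removal the Dockerfile in this thread performs.
  rm -rf "$R/usr/lib/python2.7" "$R/usr/lib/python3.5"
  echo "Python directories after cleanup:"; list_python_dirs "$R"
  check_flagged_files "$R" $FLAGGED && echo "clean: only $(list_python_dirs "$R") remains"
  rm -rf "$R"
fi
```

Running it with no arguments inside a container audits the real `/`; running it with `--demo` shows the before/after on the constructed tree, where the scanner-flagged 2.7 and 3.5 files are reported first and only /usr/lib/python3.7 survives the removal. A non-zero exit from `check_flagged_files` is what you would gate a CI image build on.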
@docktermj inside the container when I issue the "USER root" command I get:

bash: USER: command not found

when I use the command to get into the docker container the prompt is:

I have no name!@35d78277f37f:

Please help.

@docktermj I think I found it, let me try to follow the rest of the instructions

Ok, then ignore the following response I was in the middle of crafting. 😄 The To find out who you are running as, use the command:

id

@docktermj Can we have a quick web session? I'm having a problem with the build.

@ZackHill05 Sure. Sending an email to coordinate.

@ZackHill05 Is this still an issue? If it's still an issue, please confirm -- we'd like to make sure your issue is solved. If it's no longer an issue, please close the issue. If no response in 7 days, I'll close the issue for you.

Closing. If this is still an issue please request that this be re-opened or open a new issue.
Our security team found the following issues when reviewing the API server Docker image:
Finding #1
Found in resource /usr/lib/python2.7/urllib.py
https://www.securityfocus.com/bid/107549/info
It doesn't show a fix version, so not sure it can be remediated. Let us know.
Finding #2
Found in resource /usr/lib/python3.5/urllib/parse.py
https://www.securityfocus.com/bid/107400/info
Says the fix version is Python 3.7.3
These findings are the same as the first two findings for the entity-search-web-app Docker image scan (issue #97 in the entity-search-web-app tracking list).