gcp (and snyk) container scan output #2883
Comments
Hi @robmonct. Thanks for the ticket. We upgraded many golang and docker dependencies recently but haven't done an official release. We used to use dependabot to keep up with new versions and have recently switched to renovatebot. I don't have access to GCP but could you scan the latest Alpine images https://github.com/orgs/runatlantis/packages/container/atlantis
We recently also added debian support so feel free to scan those. Please feel free to propose changes to resolve some of these issues. Could you also go over some of these vulnerabilities? Some may not affect atlantis. For example, Critical:
Line 3 in de953fe
Line 23 in de953fe
That is quite bizarre. If you pay for support from gcp, I would contact them about it. Once you do, please follow up here so we know what the potential next steps are to improve the project.
If I'm not wrong, the problem is that you are building the new versions with this base:
Then you are using as a base the image: ghcr.io/runatlantis/atlantis-base:2022.12.12-alpine which contains most of the vulnerabilities included in the dev and prerelease version. Is that possible?
You are correct that the However, the critical vulnerabilities (and other vulnerabilities) that you posted, many of them affect neither the latest code base (see I pointed the references to the code where the latest golang version is used. Have you
I don't understand either why the scan is showing them then.
I'm going to close this for now to avoid alarming anyone until there is a CVE that's affecting the current release. Once you have more information, please respond and if there are action items, we can reopen the issue.
Scanning the current release with Snyk, this is the output just in case it is useful:
target ghcr.io/runatlantis/atlantis:dev (2 issues)
docker scan ghcr.io/runatlantis/atlantis:dev
Testing ghcr.io/runatlantis/atlantis:dev...
✗ Low severity vulnerability found in curl/libcurl
Description: CVE-2022-43551
Info: https://security.snyk.io/vuln/SNYK-ALPINE317-CURL-3179543
Introduced through: curl/libcurl@7.86.0-r1, curl/curl@7.86.0-r1, git/git@2.38.2-r0
From: curl/libcurl@7.86.0-r1
From: curl/curl@7.86.0-r1 > curl/libcurl@7.86.0-r1
From: git/git@2.38.2-r0 > curl/libcurl@7.86.0-r1
and 1 more...
Fixed in: 7.87.0-r0
✗ Low severity vulnerability found in curl/libcurl
Description: CVE-2022-43552
Info: https://security.snyk.io/vuln/SNYK-ALPINE317-CURL-3179544
Introduced through: curl/libcurl@7.86.0-r1, curl/curl@7.86.0-r1, git/git@2.38.2-r0
From: curl/libcurl@7.86.0-r1
From: curl/curl@7.86.0-r1 > curl/libcurl@7.86.0-r1
From: git/git@2.38.2-r0 > curl/libcurl@7.86.0-r1
and 1 more...
Fixed in: 7.87.0-r0
Organization: robmonct
Package manager: apk
Project name: docker-image|ghcr.io/runatlantis/atlantis
Docker image: ghcr.io/runatlantis/atlantis:dev
Platform: linux/arm64
Licenses: enabled
Tested 44 dependencies for known issues, found 2 issues.
-------------------------------------------------------
target /usr/local/bin/atlantis (0 issues)
target /usr/local/bin/cft/versions/0.37.0/conftest (0 issues)
target /usr/local/bin/tf/versions/1.0.11/terraform (14 issues)
target /usr/local/bin/tf/versions/1.1.9/terraform (12 issues)
target /usr/local/bin/tf/versions/1.2.9/terraform (5 issues)
target /usr/local/bin/tf/versions/1.3.6/terraform (2 issues)
target github.com/tianon/gosu (0 issues)
target /usr/bin/git-lfs (0 issues)
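A parser for the docker scan / Snyk text format in the output above, added here as an example; it is not part of this thread and not Atlantis code. It turns each "severity vulnerability found in <package>" block into a record (severity, CVE, introduced-through packages, dependency paths, fixed-in version), counts findings per severity, and derives the package upgrades that would clear them, which is the part a maintainer actually acts on. The sample input is the curl/libcurl portion of the scan posted above, trimmed; the Finding class and the function names are this example's own.

```python
"""Parse `docker scan` / Snyk text output into structured findings."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Sample input: the curl/libcurl findings from the scan posted in this thread,
# trimmed to the lines the parser needs so the example runs offline.
SAMPLE_SCAN = """\
Testing ghcr.io/runatlantis/atlantis:dev...

✗ Low severity vulnerability found in curl/libcurl
  Description: CVE-2022-43551
  Info: https://security.snyk.io/vuln/SNYK-ALPINE317-CURL-3179543
  Introduced through: curl/libcurl@7.86.0-r1, curl/curl@7.86.0-r1, git/git@2.38.2-r0
  From: curl/libcurl@7.86.0-r1
  From: curl/curl@7.86.0-r1 > curl/libcurl@7.86.0-r1
  From: git/git@2.38.2-r0 > curl/libcurl@7.86.0-r1
  and 1 more...
  Fixed in: 7.87.0-r0

✗ Low severity vulnerability found in curl/libcurl
  Description: CVE-2022-43552
  Info: https://security.snyk.io/vuln/SNYK-ALPINE317-CURL-3179544
  Introduced through: curl/libcurl@7.86.0-r1, curl/curl@7.86.0-r1, git/git@2.38.2-r0
  From: curl/libcurl@7.86.0-r1
  Fixed in: 7.87.0-r0

Organization: robmonct
Package manager: apk
Tested 44 dependencies for known issues, found 2 issues.
"""


@dataclass
class Finding:
    severity: str
    package: str
    cve: Optional[str] = None
    info: Optional[str] = None
    introduced_through: List[str] = field(default_factory=list)
    paths: List[str] = field(default_factory=list)   # "From:" dependency chains
    fixed_in: Optional[str] = None                    # None means no fix published


# A finding starts with a line like "✗ Low severity vulnerability found in curl/libcurl".
HEADER_RE = re.compile(r"^✗\s+(\w+) severity vulnerability found in (\S+)")


def parse_scan(text: str) -> List[Finding]:
    """Walk the output line by line; every "Key: value" line belongs to the
    most recent finding header. Lines before the first header are ignored."""
    findings: List[Finding] = []
    current: Optional[Finding] = None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            current = Finding(severity=header.group(1).lower(), package=header.group(2))
            findings.append(current)
            continue
        if current is None or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Description":
            current.cve = value
        elif key == "Info":
            current.info = value
        elif key == "Introduced through":
            current.introduced_through = [p.strip() for p in value.split(",")]
        elif key == "From":
            current.paths.append(value)
        elif key == "Fixed in":
            current.fixed_in = value
        # Trailer lines such as "Organization:" carry other keys and are skipped.
    return findings


def summarize(findings: List[Finding]) -> Tuple[Dict[str, int], List[Finding]]:
    """Count findings per severity and list those that have a fix available."""
    by_severity: Dict[str, int] = {}
    fixable: List[Finding] = []
    for f in findings:
        by_severity[f.severity] = by_severity.get(f.severity, 0) + 1
        if f.fixed_in:
            fixable.append(f)
    return by_severity, fixable


def upgrade_actions(findings: List[Finding]) -> Dict[str, List[str]]:
    """Map each flagged package to the 'Fixed in' versions seen for it: the
    apk upgrades that would clear the findings in one go."""
    actions: Dict[str, set] = {}
    for f in findings:
        if f.fixed_in:
            actions.setdefault(f.package, set()).add(f.fixed_in)
    return {pkg: sorted(versions) for pkg, versions in actions.items()}


if __name__ == "__main__":
    parsed = parse_scan(SAMPLE_SCAN)
    print(summarize(parsed)[0], upgrade_actions(parsed))
```

Run it against a saved scan with open(path).read() in place of SAMPLE_SCAN; findings with fixed_in left as None are the ones worth raising with the upstream package maintainer rather than fixing in the Dockerfile.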
Some of these vulnerabilities are a bit odd again or seem to be "stale". It's possible that your local Line 47 in e0f92e7
These seem to be flagged appropriately. I did not do a full search. I only spot checked. Line 123 in e0f92e7
Line 122 in e0f92e7
Line 48 in e0f92e7
The YAML dependency is an open issue at the moment since it's difficult to get 1:1 results, at the moment, with the v2.
My dev image is yesterday's dev image. I think the problem is related to this: https://stackoverflow.com/questions/69825533/why-does-go-sum-include-so-many-older-packages
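The go.sum point raised above (a go.sum file records every module version that appeared anywhere in the dependency graph, while a Go binary links exactly one version per module) can be checked against the binary itself: the command "go version -m <binary>" prints the module versions embedded in its build info. The Python below, added as an example that is not from this thread or from Atlantis, parses that output together with a go.sum excerpt and classifies scanner findings of the form (module, fixed-in version) as affected, already fixed, or not linked at all. All module names, versions and hashes are constructed for the example; only the github.com/runatlantis/atlantis module path comes from the project.

```python
"""Cross-check Go module versions a scanner flags against the versions a binary links."""
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape printed by `go version -m <binary>`: one
# tab-indented, tab-separated line per module. Module names, versions and
# hashes are made up; this is not Atlantis's real dependency list.
SAMPLE_BUILD_INFO = """\
atlantis: go1.19.4
\tpath\tgithub.com/runatlantis/atlantis
\tmod\tgithub.com/runatlantis/atlantis\t(devel)
\tdep\texample.com/lib/yaml\tv2.4.0\th1:constructedhash1=
\tdep\texample.com/lib/netutil\tv0.5.0\th1:constructedhash2=
\tdep\texample.com/lib/old\tv1.2.0\th1:constructedhash3=
\t=>\texample.com/lib/old-fork\tv1.2.1\th1:constructedhash4=
"""

# Constructed go.sum excerpt: it keeps hashes for versions that were only ever
# seen in the module graph, not just the ones selected for the build.
SAMPLE_GO_SUM = """\
example.com/lib/yaml v2.2.0 h1:constructedhash5=
example.com/lib/yaml v2.2.0/go.mod h1:constructedhash6=
example.com/lib/yaml v2.4.0 h1:constructedhash7=
example.com/lib/yaml v2.4.0/go.mod h1:constructedhash8=
example.com/lib/netutil v0.3.0/go.mod h1:constructedhash9=
example.com/lib/netutil v0.5.0 h1:constructedhash10=
example.com/lib/netutil v0.5.0/go.mod h1:constructedhash11=
"""

# Constructed scanner findings: (module path, version in which the issue is fixed).
SAMPLE_FINDINGS: List[Tuple[str, str]] = [
    ("example.com/lib/yaml", "v2.3.0"),     # linked v2.4.0 is already past the fix
    ("example.com/lib/netutil", "v0.6.0"),  # linked v0.5.0 is still below the fix
    ("example.com/lib/old", "v1.3.0"),      # replaced by a fork, so never linked
]


def semver_key(version: str) -> Tuple[int, int, int]:
    """Turn 'v1.2.3' (pre-release/build suffixes ignored) into a comparable tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version)
    return tuple(int(x) for x in m.groups()) if m else (0, 0, 0)


def parse_build_info(text: str) -> Dict[str, str]:
    """Return {module: version} for the modules compiled into the binary.
    A '=>' line replaces the module on the preceding 'dep' line, so the
    original path is dropped and the replacement recorded instead."""
    linked: Dict[str, str] = {}
    last_dep = None
    for line in text.splitlines():
        if not line.startswith("\t"):
            continue                      # the "name: goX.Y" header line
        fields = line.split("\t")[1:]
        kind = fields[0]
        if kind == "dep":
            last_dep = fields[1]
            linked[last_dep] = fields[2]
        elif kind == "=>" and last_dep is not None:
            del linked[last_dep]
            linked[fields[1]] = fields[2]
            last_dep = None
    return linked


def parse_go_sum(text: str) -> Dict[str, List[str]]:
    """Return {module: sorted versions} recorded in go.sum ('/go.mod' rows merged)."""
    versions: Dict[str, set] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        module, version = parts[0], parts[1]
        if version.endswith("/go.mod"):
            version = version[: -len("/go.mod")]
        versions.setdefault(module, set()).add(version)
    return {m: sorted(v, key=semver_key) for m, v in versions.items()}


def triage(findings: List[Tuple[str, str]], linked: Dict[str, str]) -> Dict[str, str]:
    """Classify each (module, fixed_in) finding against what the binary links."""
    result: Dict[str, str] = {}
    for module, fixed_in in findings:
        if module not in linked:
            result[module] = "not linked"
        elif semver_key(linked[module]) >= semver_key(fixed_in):
            result[module] = "already fixed"
        else:
            result[module] = "affected"
    return result


if __name__ == "__main__":
    print(triage(SAMPLE_FINDINGS, parse_build_info(SAMPLE_BUILD_INFO)))
```

A scanner that reads go.sum (or the module cache) rather than the binary's build info will see v2.2.0 of the yaml module here even though only v2.4.0 was compiled in; the "not linked" and "already fixed" buckets are the findings to close as not applicable, with the build-info line as the evidence.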
@robmonct I'm unsure if that's the case. Some of the snyk issues you mentioned are actual issues which were just addressed today. The dependencies you're referring to may be the Please download a fresh The I wrote up a small issue here to help address more of these docker image dependency issues going forward #2890. Please feel free to comment there on the process if you have suggestions.
Also the issues regarding older versions of terraform that snyk is flagging. We recently culled the 0.x versions from the container and the older 1.0.x, 1.1.x, 1.2.x, may be next to remove since terraform will auto download versions based on the hcl Now that we know that security is flagging those, it may give more credence to the argument of only supporting the latest tf version.
I updated your comment here with summaries #2883 (comment)
These ones out of scope
These ones in scope
The only remaining issues are in the For now, we are discussing using cc: @jamengual
Thanks for your work @nitrocode. Scan results:
This is the output scan for dev-debian
A lot of these are out of scope unfortunately. Please see my previous post and my edit of your last scan. Also please edit your post so it's a bit more digestible (see previous edit). The debian vulnerabilities are mostly from the binaries available from their stable repo unfortunately. If we downloaded from their unstable repo, we could avoid these vulnerabilities for debian but then we'd be trading stability for security. The older terraform binaries are also out of scope.
Ok, thanks a lot for your work. Let's see if Hashicorp could fix those vulnerabilities, but some of those versions seem to be a bit old. Have you thought about offering a version of Atlantis with only Terraform 1.3.x and maybe another version with older TF versions, to let people choose between compatibility and security? Something like this: #2901
I do not think they will fix the vulnerabilities in older versions of terraform. May I ask, what is your current threat model? Why is it important to eliminate the older terraform version specific vulnerabilities from this container? And I'd also like to remind that we encourage users to customize their own image so removing the tf binaries or any other customizations are welcomed and encouraged downstream. We want to make the maintenance and stability as easy as possible from our side.
The main problem is that GitHub doesn't provide the option to configure webhook headers, so it is not possible to use GCP IAP to protect the endpoint.
@robmonct wouldn't the github web hook with a secret token be sufficient?
No. For GCP IAP secret token isn't enough.
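For the exchange above about the GitHub webhook secret, here is the check a receiving server performs with it, added as an example that is neither from this thread nor Atlantis's own code: GitHub computes HMAC-SHA256 over the raw request body with the shared secret and sends it in the X-Hub-Signature-256 header, so the receiver recomputes it over the same bytes and compares in constant time. That authenticates the payload and proves the sender knows the secret; it adds no identity header that a proxy such as IAP could evaluate in front of the service, which is the gap the previous comment points at. The secret and the payload below are constructed.

```python
"""Verify a GitHub webhook delivery using the shared webhook secret."""
import hashlib
import hmac
import json
from typing import Mapping, Optional

SIGNATURE_HEADER = "X-Hub-Signature-256"


def compute_signature(secret: bytes, raw_body: bytes) -> str:
    """GitHub's scheme: 'sha256=' + hex(HMAC-SHA256(secret, raw request body))."""
    return "sha256=" + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, raw_body: bytes, header_value: Optional[str]) -> bool:
    """True only if the header is present, well-formed and matches the body.

    The comparison is constant-time so a forged header leaks nothing about
    the expected value. It must run over the raw bytes as received: parsing
    and re-serialising the JSON can change whitespace or key order and break
    the match even for a genuine delivery.
    """
    if not header_value or not header_value.startswith("sha256="):
        return False
    expected = compute_signature(secret, raw_body)
    return hmac.compare_digest(expected.encode("ascii"), header_value.encode("utf-8"))


def accept_delivery(headers: Mapping[str, str], raw_body: bytes, secret: bytes) -> Optional[dict]:
    """Return the parsed event if the signature checks out, otherwise None."""
    # HTTP header names are case-insensitive; normalise before the lookup.
    lookup = {name.lower(): value for name, value in headers.items()}
    if not verify_signature(secret, raw_body, lookup.get(SIGNATURE_HEADER.lower())):
        return None
    return json.loads(raw_body)


# Constructed sample: a secret and a minimal pull-request-style payload.
SECRET = b"constructed-webhook-secret"
RAW_BODY = json.dumps({"action": "opened", "number": 42}, separators=(",", ":")).encode()
GOOD_HEADERS = {SIGNATURE_HEADER: compute_signature(SECRET, RAW_BODY)}
# Same signature header, but the body was altered after signing.
TAMPERED_BODY = RAW_BODY.replace(b'"number":42', b'"number":43')

if __name__ == "__main__":
    print("genuine delivery:", accept_delivery(GOOD_HEADERS, RAW_BODY, SECRET))
    print("tampered body:", accept_delivery(GOOD_HEADERS, TAMPERED_BODY, SECRET))
```

In a real handler the secret comes from the server's configuration and raw_body is the request body before any JSON parsing; rejecting a delivery that fails this check is the only action the secret supports, which is why it does not substitute for an identity-aware proxy in front of the endpoint.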
Overview of the Issue
According to the GCP vulnerabilities scan, the latest Atlantis versions are affected by 3 critical, 36 high and 5 medium vulnerabilities.
Additional Context
Critical:
CVE-2022-23806
CVE-2021-38297
CVE-2022-26945
High:
CVE-2022-38149
CVE-2022-2879
CVE-2021-3121
CVE-2022-30630
CVE-2022-30631
CVE-2021-33194
CVE-2021-37219
CVE-2021-41771
CVE-2021-36213
CVE-2022-24675
CVE-2022-24921
CVE-2022-23772
CVE-2022-41715
CVE-2022-30323
CVE-2021-41772
CVE-2022-30635
CVE-2022-23773
CVE-2022-32190
CVE-2022-2880
CVE-2022-30322
CVE-2021-33196
CVE-2022-28131
CVE-2022-27664
CVE-2022-30632
CVE-2021-33198
CVE-2022-30633
CVE-2021-32574
CVE-2022-30321
CVE-2021-39293
CVE-2021-33195
CVE-2022-29153
CVE-2022-30580
CVE-2021-29923
CVE-2021-44716
CVE-2022-28327
CVE-2022-32189
Medium:
CVE-2021-33197
CVE-2022-32148
CVE-2022-41717
CVE-2022-40716
CVE-2018-1099
CVE-2020-29509
CVE-2022-29810
CVE-2021-34558
CVE-2022-1962
CVE-2021-38698
CVE-2022-29162