Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: Dockerfile warnings #10505

Merged
merged 2 commits into from
Jul 12, 2024
Merged

fix: Dockerfile warnings #10505

merged 2 commits into from
Jul 12, 2024

Conversation

fcecagno
Copy link
Contributor

@fcecagno fcecagno commented Jul 3, 2024

Description

When building the latest code, I got a few warnings from Docker:

5 warnings found (use --debug to expand):
- FromAsCasing: 'as' and 'FROM' keywords' casing do not match (line 8)
- FromAsCasing: 'as' and 'FROM' keywords' casing do not match (line 9)
- FromAsCasing: 'as' and 'FROM' keywords' casing do not match (line 35)
- FromAsCasing: 'as' and 'FROM' keywords' casing do not match (line 144)
- LegacyKeyValueFormat: "ENV key=value" should be used instead of legacy "ENV key value" format (line 40)

Docker version:

$ docker --version
Docker version 27.0.1, build 7fafd33

This PR doesn't change any functionality, just handles the warnings.

@github-actions github-actions bot added the docker label Jul 3, 2024
@dryrunsecurity DryRunSecurity
Copy link

dryrunsecurity bot commented Jul 3, 2024
edited
Loading

Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

DryRun Security Status Findings
Server-Side Request Forgery Analyzer 0 findings
Configured Codepaths Analyzer 0 findings
IDOR Analyzer 0 findings
Sensitive Files Analyzer 0 findings
SQL Injection Analyzer 0 findings
Authn/Authz Analyzer 0 findings
Secrets Analyzer 0 findings

Note

🟢 Risk threshold not exceeded.

Change Summary (click to expand)

The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

The code changes in this pull request are focused on updating the Docker build infrastructure for the application, including the Dockerfiles for the integration tests, the Django application, and the Nginx web server. The changes primarily involve updating base images, installing dependencies, generating pre-compiled Python packages, and configuring the various components of the application's deployment.

From an application security perspective, the changes introduce several security-conscious practices, such as:

  1. Specific Base Image Versions: The Dockerfiles use specific SHA256 digests for the base images, ensuring the same versions are used consistently, which helps with reproducibility and security.
  2. Dependency Management: The Dockerfiles install various system-level dependencies required for the application, such as database clients, XML security libraries, and development tools. Proper management of these dependencies is crucial for minimizing the risk of vulnerabilities.
  3. User Isolation: The Dockerfiles set up dedicated non-root users to run the application, which helps isolate the application from the host system and reduce the potential impact of security vulnerabilities.
  4. Permissions Management: The Dockerfiles set appropriate permissions for the application files and directories, ensuring the application can access the necessary resources while minimizing the risk of unauthorized access or modification.
  5. Environment Variable Handling: The Dockerfiles set various environment variables for the application, including sensitive information like admin user details. Ensuring these variables are properly secured and not exposed in the build process is important for maintaining application security.

Overall, the changes in this pull request appear to be focused on improving the build infrastructure and deployment of the application, with a strong emphasis on security best practices. As an application security engineer, I would recommend closely reviewing the application's overall security posture, including the configuration and deployment of the Docker images, to ensure the continued security and integrity of the application.

Files Changed:

  1. Dockerfile.integration-tests-debian: This Dockerfile is used for building the Docker image for the application's integration tests. The changes include updating the base images, installing additional dependencies (such as Google Chrome and its driver), and setting up various utility scripts for the integration tests.
  2. Dockerfile.django-alpine: This Dockerfile is used for building the Docker image for the Django application running on Alpine Linux. The changes include updating the base image, renaming build stages, and improving the handling of the unit tests.
  3. Dockerfile.nginx-alpine: This Dockerfile is used for building the Docker image for the Nginx web server in the application's deployment. The changes include updating the base image, installing Node.js and Yarn, and configuring the Nginx server.
  4. Dockerfile.django-debian: This Dockerfile is used for building the Docker image for the Django application running on Debian Linux. The changes include updating the base image, installing dependencies, generating pre-compiled Python packages, and setting up the application's deployment.
  5. Dockerfile.nginx-debian: This Dockerfile is used for building the Docker image for the Nginx web server in the Debian-based deployment. The changes include updating the base image, installing additional dependencies, and configuring the Nginx server.

Powered by DryRun Security

@kiblik
Copy link
Contributor

kiblik commented Jul 3, 2024

Some linter would be helpful. Would this one help? https://github.com/marketplace/actions/docker-lint If so, it might be added.

mtesauro
mtesauro approved these changes Jul 3, 2024
View reviewed changes
Copy link
Contributor

@mtesauro mtesauro left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Jul 8, 2024

This pull request has conflicts, please resolve those before we can evaluate the pull request.

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Jul 8, 2024

Conflicts have been resolved. A maintainer will review the pull request shortly.

@mtesauro mtesauro merged commit 4edde4d into DefectDojo:dev Jul 12, 2024
124 of 125 checks passed
mwager added a commit to mwager/django-DefectDojo that referenced this pull request Jul 16, 2024
@mwager
Merge branch 'kiuwan-sca' of github.com:mwager/django-DefectDojo into…
b225ff2 
… kiuwan-sca

# By dependabot[bot] (13) and others
# Via GitHub
* 'kiuwan-sca' of github.com:mwager/django-DefectDojo: (39 commits)
  Deprecate Python-jose and migrate okta to python_social_auth (DefectDojo#10117)
  fix: dockerfile warnings (DefectDojo#10505)
  Ruff: Add and fix Q000 (DefectDojo#10095)
  Fix(django): Upgrade of 4.2 (DefectDojo#10553)
  fix(deps): build python psycopg3 dependency instead of use the pre-build binary (DefectDojo#10491)
  Bump coverage from 7.5.4 to 7.6.0 (DefectDojo#10560)
  Bump asteval from 1.0.0 to 1.0.1 (DefectDojo#10561)
  Bump djangorestframework from 3.14.0 to 3.15.2 (DefectDojo#10431)
  Bump boto3 from 1.34.142 to 1.34.143 (DefectDojo#10558)
  Bump django-debug-toolbar from 4.4.5 to 4.4.6 (DefectDojo#10557)
  Bump boto3 from 1.34.141 to 1.34.142 (DefectDojo#10551)
  Bump packageurl-python from 0.15.2 to 0.15.3 (DefectDojo#10541)
  Bump boto3 from 1.34.140 to 1.34.141 (DefectDojo#10542)
  Update helm lock file
  Update versions in application files
  Update versions in application files
  API: Convert get_filterset calls to get_queryset (DefectDojo#10543)
  Bump django-debug-toolbar from 4.4.4 to 4.4.5 (DefectDojo#10527)
  Fix ruff
  Ruff fix
  ...

# Conflicts:
#	dojo/settings/.settings.dist.py.sha256sum
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Maffooch Maffooch Maffooch approved these changes

@mtesauro mtesauro mtesauro approved these changes

@cneill cneill cneill approved these changes

@grendel513 grendel513 grendel513 approved these changes

Assignees
No one assigned
Labels
docker
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@fcecagno @kiblik @grendel513 @cneill @mtesauro @Maffooch