Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

dockerfile: switch to chainguard image to reduce CVEs #78

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

dockerfile: switch to chainguard image to reduce CVEs #78

wants to merge 1 commit into from

Conversation

tuananh
Copy link

@tuananh tuananh commented Jul 3, 2023
edited
Loading

switch from debian:buster-slim to Chainguard's glibc-dynamic image as base to reduce CVEs.

Below are result when scan with trivy.

before:

larrabee/s3sync (debian 10.5)

Total: 216 (UNKNOWN: 5, LOW: 93, MEDIUM: 36, HIGH: 63, CRITICAL: 19)

after:

2023-07-03T02:54:46.447Z        INFO    Vulnerability scanning is enabled
2023-07-03T02:54:46.447Z        INFO    Secret scanning is enabled
2023-07-03T02:54:46.447Z        INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-07-03T02:54:46.447Z        INFO    Please see also https://aquasecurity.github.io/trivy/v0.39/docs/secret/scanning/#recommendation for faster secret detection
2023-07-03T02:54:46.451Z        INFO    Detected OS: wolfi
2023-07-03T02:54:46.451Z        INFO    Detecting Wolfi vulnerabilities...
2023-07-03T02:54:46.451Z        INFO    Number of language-specific files: 1
2023-07-03T02:54:46.451Z        INFO    Detecting gobinary vulnerabilities...

s3sync:test (wolfi 20230201)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


s3sync (gobinary)

Total: 2 (UNKNOWN: 0, LOW: 1, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

┌───────────────────────────┬───────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│          Library          │ Vulnerability │ Severity │ Installed Version │ Fixed Version │                           Title                            │
├───────────────────────────┼───────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ github.com/aws/aws-sdk-go │ CVE-2020-8911 │ MEDIUM   │ v1.44.294         │               │ aws/aws-sdk-go: CBC padding oracle issue in AWS S3 Crypto  │
│                           │               │          │                   │               │ SDK for golang...                                          │
│                           │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2020-8911                  │
│                           ├───────────────┼──────────┤                   ├───────────────┼────────────────────────────────────────────────────────────┤
│                           │ CVE-2020-8912 │ LOW      │                   │               │ aws-sdk-go: In-band key negotiation issue in AWS S3 Crypto │
│                           │               │          │                   │               │ SDK for golang...                                          │
│                           │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2020-8912                  │

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@tuananh