
Dockerfiles use outdated terraform (and tf providers) with critical vulnerabilities #6184

Closed
jeremypetit-grtgaz opened this issue Feb 21, 2023 · 2 comments · Fixed by #6197
Labels
bug Something isn't working community Community contribution

Comments

@jeremypetit-grtgaz
Contributor

Kics docker images raise security issues (using trivy).

Expected Behavior

Critical (and maybe high) severity vulnerabilities should be fixed.
Bumping terraform and its providers to the latest stable releases should fix that (similar to what was done to ./Dockerfile in #5492).

Actual Behavior

Latest kics docker images raise critical security issues on terraform binary and on terraform-azure provider binary.

checkmarx/kics:ubi8 (redhat 8.7)
================================
Total: 0 (CRITICAL: 0)


root/.terraform.d/plugins/linux_amd64/terraform-provider-azurerm_v2.95.0_x5 (gobinary)
======================================================================================
Total: 1 (CRITICAL: 1)

┌────────────────────────────────┬────────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────┐
│            Library             │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                   Title                    │
├────────────────────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────┤
│ github.com/hashicorp/go-getter │ CVE-2022-26945 │ CRITICAL │ v1.5.4            │ 1.6.1         │ go-getter: command injection vulnerability │
│                                │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-26945 │
└────────────────────────────────┴────────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────┘

usr/bin/terraform (gobinary)
============================
Total: 2 (CRITICAL: 2)

┌────────────────────────────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│            Library             │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                            Title                             │
├────────────────────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/Masterminds/goutils │ CVE-2021-4238  │ CRITICAL │ v1.1.0            │ v1.1.1        │ goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are │
│                                │                │          │                   │               │ not as random as they should be...                           │
│                                │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2021-4238                    │
├────────────────────────────────┼────────────────┤          ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/hashicorp/go-getter │ CVE-2022-26945 │          │ v1.5.9            │ 1.6.1         │ go-getter: command injection vulnerability                   │
│                                │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-26945                   │
└────────────────────────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘

Steps to Reproduce the Problem

# print critical severity CVEs
docker run aquasec/trivy image --severity CRITICAL checkmarx/kics:v1.6.10-ubi8
...

# print high severity CVEs
docker run aquasec/trivy image --severity HIGH checkmarx/kics:v1.6.10-ubi8
...
@jeremypetit-grtgaz jeremypetit-grtgaz added bug Something isn't working community Community contribution labels Feb 21, 2023
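The reproduction above reads the Trivy table by eye. As an added example (not part of the issue or the KICS project), the script below does the same check as a CI gate: it parses Trivy's JSON report (`trivy image --format json ...`), groups CRITICAL findings by the embedded Go binary they live in, and fails the build while printing the module version that would clear each finding. The embedded report is a constructed sample shaped like the findings quoted in this issue, not a real scan.

```python
import json
from typing import Dict, List

# Constructed sample of `trivy image --format json` output, mirroring the
# findings quoted in the issue (terraform and the azurerm provider binary).
SAMPLE_TRIVY_JSON = json.dumps({
    "ArtifactName": "checkmarx/kics:v1.6.10-ubi8",
    "Results": [
        {"Target": "checkmarx/kics:ubi8 (redhat 8.7)", "Class": "os-pkgs",
         "Type": "redhat", "Vulnerabilities": []},
        {"Target": "root/.terraform.d/plugins/linux_amd64/terraform-provider-azurerm_v2.95.0_x5",
         "Class": "lang-pkgs", "Type": "gobinary", "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2022-26945", "PkgName": "github.com/hashicorp/go-getter",
              "InstalledVersion": "v1.5.4", "FixedVersion": "1.6.1", "Severity": "CRITICAL"}]},
        {"Target": "usr/bin/terraform", "Class": "lang-pkgs", "Type": "gobinary",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2021-4238", "PkgName": "github.com/Masterminds/goutils",
              "InstalledVersion": "v1.1.0", "FixedVersion": "v1.1.1", "Severity": "CRITICAL"},
             {"VulnerabilityID": "CVE-2022-26945", "PkgName": "github.com/hashicorp/go-getter",
              "InstalledVersion": "v1.5.9", "FixedVersion": "1.6.1", "Severity": "CRITICAL"}]},
    ],
})


def blocking_findings(report_json: str, severities=("CRITICAL",)) -> Dict[str, List[dict]]:
    """Group findings at gate severity by scanned target.

    The target tells you which vendored binary (terraform itself or a
    provider plugin) carries the vulnerable Go module, i.e. which Dockerfile
    download has to be bumped. Results without findings are dropped.
    """
    report = json.loads(report_json)
    blocked: Dict[str, List[dict]] = {}
    for result in report.get("Results", []):
        # Trivy emits null (not []) for targets with no vulnerabilities.
        hits = [v for v in (result.get("Vulnerabilities") or [])
                if v.get("Severity") in severities]
        if hits:
            blocked[result["Target"]] = hits
    return blocked


def gate(report_json: str, severities=("CRITICAL",)) -> int:
    """CI exit code: 0 when no finding reaches gate severity, 1 otherwise."""
    blocked = blocking_findings(report_json, severities)
    for target, hits in blocked.items():
        print(f"{target}: {len(hits)} blocking finding(s)")
        for v in hits:
            print(f"  {v['VulnerabilityID']} {v['PkgName']} {v['InstalledVersion']}"
                  f" -> fixed in {v.get('FixedVersion') or 'no fix published'}")
    return 1 if blocked else 0


if __name__ == "__main__":
    # Real use: pipe `trivy image --format json checkmarx/kics:v1.6.10-ubi8` in here.
    raise SystemExit(gate(SAMPLE_TRIVY_JSON))
```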
@kaplanlior
Member

hashicorp/terraform#32606 says goutils doesn't affect terraform. We'll upgrade in any case to the latest stable release, which has this fix (1.3.9).

@gabriel-cx
Collaborator

Hi @jeremypetit-grtgaz,

Thank you for your feedback on this!
We have now merged a fix for this situation, and today we will release a new KICS version that will contain this fix as well.
