
Horusec: fix docker misconfiguration #13942

Open
wants to merge 4 commits into base: develop

Conversation

ErnestK

@ErnestK ErnestK commented Apr 30, 2024

What type of PR is this?

Bug fix

What does this PR do? Why is it needed?
After running the Horusec tool on the Prysm repository, several misconfigurations in Dockerfiles were detected (details provided below the spoiler). This pull request aims to fix them.

Running containers with 'root' user
Language: Generic
Severity: HIGH
Line: 0
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /Users/.../prysm/.github/actions/gomodtidy/Dockerfile
Code: root user
Type: Vulnerability
ReferenceHash: 49099b0d2b0686ce3e0cb8e08691995be9ecca43fe18467fdf5ee1e28c8cdfaa
Details: (1/1) * Possible vulnerability detected: MissConfiguration
    Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
    Message: Specify at least 1 USER command in Dockerfile with non-root user as argument
    Resolution: Add 'USER <non root user name>' line to the Dockerfile
    References: [https://docs.docker.com/develop/develop-images/dockerfile_best-practices/ https://avd.aquasec.com/appshield/ds002]
You should use COPY instead of ADD
Language: Generic
Severity: LOW
Line: 0
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /Users/.../prysm/tools/cross-toolchain/Dockerfile
Code: ADD instead of COPY
Type: Vulnerability
ReferenceHash: b6531b86d3c2ac67764225661d153d41192a48493ec90b1ca788cdca7828ca3f
Details: (1/4) * Possible vulnerability detected: MissConfiguration
    You should use COPY instead of ADD unless you want to extract a tar file. Note that an ADD command will extract a tar file, which adds the risk of Zip-based vulnerabilities. Accordingly, it is advised to use a COPY command, which does not extract tar files.
    Message: Consider using 'COPY common_osxcross.sh /tmp/common_osxcross.sh' command instead of 'ADD common_osxcross.sh /tmp/common_osxcross.sh'
    Resolution: Use COPY instead of ADD
    References: [https://docs.docker.com/engine/reference/builder/#add https://avd.aquasec.com/appshield/ds005]
       
(2/4) * Possible vulnerability detected: MissConfiguration
    You should use COPY instead of ADD unless you want to extract a tar file. Note that an ADD command will extract a tar file, which adds the risk of Zip-based vulnerabilities. Accordingly, it is advised to use a COPY command, which does not extract tar files.
    Message: Consider using 'COPY install_clang_cross.sh /tmp/install_clang_cross.sh' command instead of 'ADD install_clang_cross.sh /tmp/install_clang_cross.sh'
    Resolution: Use COPY instead of ADD
    References: [https://docs.docker.com/engine/reference/builder/#add https://avd.aquasec.com/appshield/ds005]
       
(3/4) * Possible vulnerability detected: MissConfiguration
    You should use COPY instead of ADD unless you want to extract a tar file. Note that an ADD command will extract a tar file, which adds the risk of Zip-based vulnerabilities. Accordingly, it is advised to use a COPY command, which does not extract tar files.
    Message: Consider using 'COPY install_osxcross.sh /tmp/install_osxcross.sh' command instead of 'ADD install_osxcross.sh /tmp/install_osxcross.sh'
    Resolution: Use COPY instead of ADD
    References: [https://docs.docker.com/engine/reference/builder/#add https://avd.aquasec.com/appshield/ds005]
       
(4/4) * Possible vulnerability detected: MissConfiguration
    You should use COPY instead of ADD unless you want to extract a tar file. Note that an ADD command will extract a tar file, which adds the risk of Zip-based vulnerabilities. Accordingly, it is advised to use a COPY command, which does not extract tar files.
    Message: Consider using 'COPY link_osxcross.sh /tmp/link_osxcross.sh' command instead of 'ADD link_osxcross.sh /tmp/link_osxcross.sh'
    Resolution: Use COPY instead of ADD
    References: [https://docs.docker.com/engine/reference/builder/#add https://avd.aquasec.com/appshield/ds005]

Which issues(s) does this PR fix?
fixes #13791

Other notes for review
This is an additional step for fixing all HorusEC vulnerabilities and a way to integrate HorusEC into CI.
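The two Trivy findings above (DS002, no non-root USER; DS005, ADD where COPY suffices) fixed in one Dockerfile, written as an added example for this page and not taken from the Prysm repository. It assumes the same golang:1.21-alpine base image as the gomodtidy action; the account name 'nonroot', uid/gid 10001 and the /work directory are choices made here. The official golang alpine image ships no 'nonroot' account, so the account must be created before the USER instruction or the container is refused at start.

```dockerfile
# Added example, not the Prysm repository's file. Assumes the golang:1.21-alpine
# base image; the account name 'nonroot', uid/gid 10001 and /work are arbitrary
# choices made for this example.
FROM golang:1.21-alpine

# The base image has no 'nonroot' entry in /etc/passwd, so a bare 'USER nonroot'
# is rejected when the container starts. Create the group and account first
# (BusyBox addgroup/adduser: -S = system account, -D = no password).
RUN addgroup -S -g 10001 nonroot \
 && adduser -S -D -u 10001 -G nonroot -h /home/nonroot nonroot

# COPY rather than ADD: ADD additionally fetches URLs and auto-extracts
# archives, neither of which a plain shell script needs (Trivy DS005).
COPY --chown=nonroot:nonroot entrypoint.sh /entrypoint.sh

# Give the unprivileged account a directory it owns, so anything the
# entrypoint writes has somewhere writable to go.
RUN mkdir /work && chown nonroot:nonroot /work
WORKDIR /work

# Everything from here on, including the entrypoint, runs as uid 10001
# rather than root (Trivy DS002).
USER nonroot
ENTRYPOINT ["/entrypoint.sh"]
```

Build with 'docker build -t gomodtidy .' and check the effective identity with 'docker run --rm --entrypoint id gomodtidy', which should report uid=10001. One caveat for container actions: the runner bind-mounts the checkout into the container with the host's ownership, so an unprivileged user inside the container can only write to that tree if the uid matches or the entrypoint adjusts ownership first. A non-root USER is the right default for images that are run as services, but an action that edits files in the workspace needs that extra step or a documented reason to stay root.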

@ErnestK ErnestK marked this pull request as ready for review April 30, 2024 20:51
@ErnestK ErnestK requested a review from a team as a code owner April 30, 2024 20:51
@ErnestK ErnestK changed the title [DRAFT] Horusec: fix docker misconfiguration Horusec: fix docker misconfiguration Apr 30, 2024
@prestonvanloon prestonvanloon self-requested a review May 7, 2024 17:15
prestonvanloon previously approved these changes May 7, 2024
@@ -2,4 +2,6 @@ FROM golang:1.21-alpine

COPY entrypoint.sh /entrypoint.sh

USER nonroot
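Review bot: 'USER nonroot' at the end of this hunk names an account that golang:1.21-alpine does not ship, so the container is refused at start with the 'unable to find user nonroot: no matching entries in passwd file' error reported in this thread; create the account in the same Dockerfile before switching to it, e.g. 'RUN addgroup -S nonroot && adduser -S -D -G nonroot nonroot' placed ahead of 'USER nonroot'. Because this Dockerfile backs a container action (.github/actions/gomodtidy) whose entrypoint writes into the mounted checkout, also confirm the new uid can write there: an account that exists but does not own the workspace still fails, as the later 'cp: can't create 'go.mod.orig': Permission denied' shows, so either make the entrypoint's working directory writable by that user or keep root for this one action and state why in a comment.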
Member

This is failing this action now.

docker: Error response from daemon: unable to find user nonroot: no matching entries in passwd file.

Author

@prestonvanloon fixed, re-review please

Member

cp: can't create 'go.mod.orig': Permission denied

Please run CI locally using act

Development

Successfully merging this pull request may close these issues.

Horusec report about vulnerabilities