ASP.NET Core Docker Sample

This repository can be used to demo Docker Scout with an ASP.NET Core application.

Build the image

Note: Enable containerd in your DD to make attestations work.

$ docker buildx b . -f Dockerfile.alpine \
  -t christiandupuis299/aspnetapp:main \
  --attest type=sbom,generator=docker/scout-sbom-indexer:1 \
  --provenance=1 --load --no-cache --platform linux/amd64,linux/arm64

CVEs

This sample has been modified from original to include some .NET Core specific vulnerabilties:

$ docker scout cves christiandupuis299/aspnetapp:main --only-package-type nuget
    ✓ SBOM obtained from attestation, 335 packages found
    ✓ Provenance obtained from attestation
    ✗ Detected 2 vulnerable packages with a total of 4 vulnerabilities


## Overview

                    │                Analyzed Image
────────────────────┼───────────────────────────────────────────────
  Target            │  christiandupuis299/aspnetapp:main
    digest          │  ac768bd0366f
    platform        │ linux/arm64
    provenance      │ ssh://github.com/dotnet/dotnet-docker
                    │  7d4d56941607d8521d500be152d66bb7d9e3dbf0
    vulnerabilities │    0C     1H     3M     0L
    size            │ 55 MB
    packages        │ 313
                    │
  Base image        │  mcr.microsoft.com/dotnet/aspnet:8.0-alpine
                    │  25b1e6815f4f


## Packages and Vulnerabilities

   0C     1H     0M     0L  Npgsql 8.0.1.0
pkg:nuget/[email protected]

Dockerfile.alpine (22:22)
COPY --from=build /app .

    ✗ HIGH CVE-2024-32655 [Integer Overflow or Wraparound]
      https://scout.docker.com/v/CVE-2024-32655
      Affected range  : >=8.0.0
                      : <8.0.3
      Fixed version   : 8.0.3
      CVSS Score      : 8.1
      CVSS Vector     : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
      EPSS Score      : 0.05%
      EPSS Percentile : 17th percentile


   0C     0H     3M     0L  BouncyCastle.Cryptography 2.3.0.53016
pkg:nuget/[email protected]

Dockerfile.alpine (22:22)
COPY --from=build /app .

    ✗ MEDIUM CVE-2024-30171 [Observable Discrepancy]
      https://scout.docker.com/v/CVE-2024-30171
      Affected range : <2.3.1
      Fixed version  : 2.3.1
      CVSS Score     : 5.9
      CVSS Vector    : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

    ✗ MEDIUM CVE-2024-30172 [Loop with Unreachable Exit Condition ('Infinite Loop')]
      https://scout.docker.com/v/CVE-2024-30172
      Affected range : <2.3.1
      Fixed version  : 2.3.1
      CVSS Score     : 5.3
      CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

    ✗ MEDIUM CVE-2024-29857 [Uncontrolled Resource Consumption]
      https://scout.docker.com/v/CVE-2024-29857
      Affected range : <2.3.1
      Fixed version  : 2.3.1
      CVSS Score     : 5.3
      CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L



4 vulnerabilities found in 2 packages
  LOW       0
  MEDIUM    3
  HIGH      1
  CRITICAL  0

Policy

With containerd enabled, local policy evaluation will work and yield some interesting results:

docker scout policy christiandupuis299/aspnetapp:main
    ✓ SBOM obtained from attestation, 335 packages found
    ✓ Provenance obtained from attestation
    ✓ Policy evaluation completed


## Overview

             │           Analyzed Image
─────────────┼──────────────────────────────────────
  Target     │  christiandupuis299/aspnetapp:main
    digest   │  64f44fb1d7d4
    platform │ linux/arm64


## Policies

Policy status  FAILED  (6/9 policies met)

  Status │                     Policy                      │           Results
─────────┼─────────────────────────────────────────────────┼──────────────────────────────
  ✓      │ Copyleft licenses                               │    0 packages
  !      │ Default non-root user                           │
  !      │ Fixable critical and high CVEs (Production SLA) │    4 deviations
  ✓      │ Fixable critical and high vulnerabilities       │    0C     0H     0M     0L
  ✓      │ High-profile vulnerabilities                    │    0C     0H     0M     0L
  ✓      │ No embedded secrets                             │    0 deviations
  ✓      │ Outdated base images                            │
  ✓      │ Supply chain attestations                       │    0 deviations
  !      │ Unapproved base images                          │    1 deviation


## "Default non-root user" policy evaluation results
Ensures the image specifies a non-root username (or UID) for the final stage.

  User │ Explicit
───────┼───────────
  root │ false


## "Fixable critical and high CVEs (Production SLA)" policy evaluation results
This policy checks for fixable critical and high CVEs

                                Purl                               │ Vulnerability  │  Fixed by  │ Severity │ Score │     Epss
───────────────────────────────────────────────────────────────────┼────────────────┼────────────┼──────────┼───────┼───────────────
  pkg:apk/alpine/[email protected]?os_name=alpine&os_version=3.19 │ CVE-2023-42366 │ 1.36.1-r16 │ MEDIUM   │ 5.50  │ 0.04% (0.12)
  pkg:apk/alpine/[email protected]?os_name=alpine&os_version=3.19 │ CVE-2023-42363 │ 1.36.1-r17 │ MEDIUM   │ 5.50  │ 0.04% (0.12)
  pkg:apk/alpine/[email protected]?os_name=alpine&os_version=3.19 │ CVE-2023-42364 │ 1.36.1-r17 │ MEDIUM   │ 5.50  │ 0.04% (0.12)
  pkg:apk/alpine/[email protected]?os_name=alpine&os_version=3.19 │ CVE-2023-42365 │ 1.36.1-r17 │ MEDIUM   │ 5.50  │ 0.04% (0.12)


## "Unapproved base images" policy evaluation results
Base images must be from approved sources.

                  Base image                 │                   Reason
─────────────────────────────────────────────┼──────────────────────────────────────────────
  mcr.microsoft.com/dotnet/aspnet:8.0-alpine │ Does not match any approved glob expression

---

This sample demonstrates how to build container images for ASP.NET Core web apps. See .NET Docker Samples for more samples.

Note: .NET 8 container images use port 8080, by default. Previous .NET versions used port 80. The instructions for the sample assume the use of port 8080.

Run the sample image

You can start by launching a sample from our container registry and access it in your web browser at http://localhost:8000.

docker run --rm -it -p 8000:8080 -e ASPNETCORE_HTTP_PORTS=8080 mcr.microsoft.com/dotnet/samples:aspnetapp

You can also call an endpoint that the app exposes:

$ curl http://localhost:8000/Environment
{"runtimeVersion":".NET 8.0.0-preview.6.23329.7","osVersion":"Ubuntu 22.04.2 LTS","osArchitecture":"Arm64","user":"app","processorCount":4,"totalAvailableMemoryBytes":4124442624,"memoryLimit":0,"memoryUsage":31518720,"hostName":"78e2b2cfc0e8"}

This container image is built with Ubuntu Chiseled, with Dockerfile.

Change port

You can change the port ASP.NET Core uses with one of the following environment variables. However, port 8080 (set by default) is recommended.

The following examples change the port to port 80.

Supported with .NET 8+:

ASPNETCORE_HTTP_PORTS=80

Supported with .NET Core 1.0+

ASPNETCORE_URLS=http://+:80 

Note: ASPNETCORE_URLS overwrites ASPNETCORE_HTTP_PORTS if set.

These environment variables are used in .NET 8 and .NET 6 Dockerfiles, respectively.

Build image

You can built an image using one of the provided Dockerfiles.

docker build --pull -t aspnetapp .
docker run --rm -it -p 8000:8080 -e ASPNETCORE_HTTP_PORTS=8080 aspnetapp

You should see the following console output as the application starts:

> docker run --rm -it -p 8000:8080 -e ASPNETCORE_HTTP_PORTS=8080 aspnetapp
info: Microsoft.Hosting.Lifetime[14]
      Now listening on: http://[::]:8080
info: Microsoft.Hosting.Lifetime[0]
      Application started. Press Ctrl+C to shut down.

After the application starts, navigate to http://localhost:8000 in your web browser. You can also view the ASP.NET Core site running in the container from another machine with a local IP address such as http://192.168.1.18:8000.

Note: ASP.NET Core apps (in official images) listen to port 8080 by default, starting with .NET 8. The -p argument in these examples maps host port 8000 to container port 8080 (host:container mapping). The container will not be accessible without this mapping. ASP.NET Core can be configured to listen on a different or additional port.

You can see the app running via docker ps.

$ docker ps
CONTAINER ID   IMAGE                                        COMMAND         CREATED          STATUS                    PORTS                  NAMES
d79edc6bfcb6   mcr.microsoft.com/dotnet/samples:aspnetapp   "./aspnetapp"   35 seconds ago   Up 34 seconds (healthy)   0.0.0.0:8080->8080/tcp   nice_curran

You may notice that the sample includes a health check, indicated in the "STATUS" column.

Build image with the SDK

The easiest way to build images is with the SDK.

dotnet publish /p:PublishProfile=DefaultContainer

That command can be further customized to use a different base image and publish to a container registry. You must first use docker login to login to the registry.

dotnet publish /p:PublishProfile=DefaultContainer /p:ContainerBaseImage=mcr.microsoft.com/dotnet/aspnet:8.0-jammy-chiseled /p:ContainerRegistry=docker.io /p:ContainerRepository=youraccount/aspnetapp

Supported Linux distros

The .NET Team publishes images for multiple distros.

Samples are provided for:

• Alpine
• Alpine with Composite ready-to-run image
• Alpine with ICU installed
• Debian
• Ubuntu
• Ubuntu Chiseled
• Ubuntu Chiseled with Composite ready-to-run image

Supported Windows versions

The .NET Team publishes images for multiple Windows versions. You must have Windows containers enabled to use these images.

Samples are provided for

• Nano Server
• Windows Server Core
• Windows Server Core with IIS

Windows variants of the sample can be pulled via one the following registry addresses:

• mcr.microsoft.com/dotnet/samples:aspnetapp-nanoserver-1809
• mcr.microsoft.com/dotnet/samples:aspnetapp-nanoserver-ltsc2022