
Enable CRT based security scans #1443

Closed
david-yu wants to merge 1 commit into main from david-yu-crt-security-scan

Conversation

@david-yu
Contributor

Changes proposed in this PR:

How I've tested this PR:

How I expect reviewers to test this PR:

Checklist:

  • Tests added
  • CHANGELOG entry added

    HashiCorp engineers only, community PRs should not add a changelog entry.
    Entries should use present tense (e.g. Add support for...)

@david-yu david-yu requested review from a team, ishustava and kschoche and removed request for a team August 22, 2022 19:54
Contributor

@kschoche kschoche left a comment


I don't suppose there is a pipeline we can check where this ran successfully before merging?

@david-yu
Contributor Author

@picatz Is there a pipeline we can check to see if this ran successfully before merging?

@picatz

picatz commented Aug 22, 2022

I'm not sure if CRT has the ability to run the release pipeline outside of the normal release process. Though, I could be wrong about that! We would need to double check with release engineering.

Though, we can run the scan locally to see the results!

Created a scan.hcl file with the contents in this PR:

container {
	dependencies = true
	alpine_secdb = true
	secrets      = true
}

binary {
	secrets      = true
	go_modules   = true
	osv          = true
	oss_index    = true
	nvd          = true
}

Then downloaded the latest consul-k8s binary, and ran the scan:

$ ls
consul-k8s scan.hcl
$ scan binary ./consul-k8s 
Scanned file:{path:"./consul-k8s"} in 13.3s - found 29 result(s)
  » Go Modules Scanner
    ⚠︎ found NVD reported vulnerability CVE-2022-28131 in cpe:2.3:a:golang:go:1.18.3:*:*:*:*:*:*:*
        ./consul-k8s:0:0
    ⚠︎ found NVD reported vulnerability CVE-2022-30630 in cpe:2.3:a:golang:go:1.18.3:*:*:*:*:*:*:*
        ./consul-k8s:0:0
    ⚠︎ found NVD reported vulnerability CVE-2022-30632 in cpe:2.3:a:golang:go:1.18.3:*:*:*:*:*:*:*
        ./consul-k8s:0:0
    ⚠︎ found NVD reported vulnerability CVE-2022-30635 in cpe:2.3:a:golang:go:1.18.3:*:*:*:*:*:*:*
        ./consul-k8s:0:0
    ⚠︎ found NVD reported vulnerability CVE-2022-32148 in cpe:2.3:a:golang:go:1.18.3:*:*:*:*:*:*:*
        ./consul-k8s:0:0
    ⚠︎ found NVD reported vulnerability CVE-2022-1705 in cpe:2.3:a:golang:go:1.18.3:*:*:*:*:*:*:*
        ./consul-k8s:0:0
    ⚠︎ found NVD reported vulnerability CVE-2022-1962 in cpe:2.3:a:golang:go:1.18.3:*:*:*:*:*:*:*
        ./consul-k8s:0:0
    ⚠︎ found NVD reported vulnerability CVE-2022-30631 in cpe:2.3:a:golang:go:1.18.3:*:*:*:*:*:*:*
        ./consul-k8s:0:0
    ⚠︎ found NVD reported vulnerability CVE-2022-30633 in cpe:2.3:a:golang:go:1.18.3:*:*:*:*:*:*:*
        ./consul-k8s:0:0
    ⚠︎ found NVD reported vulnerability CVE-2022-32189 in cpe:2.3:a:golang:go:1.18.3:*:*:*:*:*:*:*
        ./consul-k8s:0:0
    ⚠︎ found OSV reported vulnerability GHSA-c72p-9xmj-rx3w in github.com/containerd/containerd@v1.4.4
        ./consul-k8s:0:0
    ⚠︎ found OSV reported vulnerability GHSA-c2h3-6mxw-7mvq in github.com/containerd/containerd@v1.4.4
        ./consul-k8s:0:0
    ⚠︎ found OSV reported vulnerability GHSA-5j5w-g665-5m35 in github.com/containerd/containerd@v1.4.4
        ./consul-k8s:0:0
    ⚠︎ found OSV reported vulnerability GHSA-crp2-qrr5-8pq7 in github.com/containerd/containerd@v1.4.4
        ./consul-k8s:0:0
    ⚠︎ found OSV reported vulnerability GHSA-5ffw-gxpp-mxpf in github.com/containerd/containerd@v1.4.4
        ./consul-k8s:0:0
    ⚠︎ found OSV reported vulnerability GHSA-qq97-vm5h-rrhg in github.com/docker/distribution@v2.7.1+incompatible
        ./consul-k8s:0:0
    ⚠︎ found OSV reported vulnerability GO-2022-0379 in github.com/docker/distribution@v2.7.1+incompatible
        ./consul-k8s:0:0
    ⚠︎ found OSV reported vulnerability GHSA-hp87-p4gw-j4gq in gopkg.in/yaml.v3@v3.0.0-20210107192922-496545a6307b
        ./consul-k8s:0:0
    ⚠︎ found OSV reported vulnerability GO-2022-0493 in golang.org/x/sys@v0.0.0-20220114195835-da31bd327af9
        ./consul-k8s:0:0
    ⚠︎ found OSV reported vulnerability GHSA-77vh-xpmg-72qh in github.com/opencontainers/image-spec@v1.0.1
        ./consul-k8s:0:0
    ⚠︎ found OSV reported vulnerability GO-2022-0322 in github.com/prometheus/client_golang@v1.11.0
        ./consul-k8s:0:0
    ⚠︎ found OSV reported vulnerability GHSA-gp4j-w3vj-7299 in github.com/opencontainers/runc@v0.1.1
        ./consul-k8s:0:0
    ⚠︎ found OSV reported vulnerability GO-2021-0085 in github.com/opencontainers/runc@v0.1.1
        ./consul-k8s:0:0
    ⚠︎ found OSV reported vulnerability GHSA-fgv8-vj5c-2ppq in github.com/opencontainers/runc@v0.1.1
        ./consul-k8s:0:0
    ⚠︎ found OSV reported vulnerability GO-2021-0087 in github.com/opencontainers/runc@v0.1.1
        ./consul-k8s:0:0
    ⚠︎ found OSV reported vulnerability GHSA-g54h-m393-cpwq in github.com/opencontainers/runc@v0.1.1
        ./consul-k8s:0:0
    ⚠︎ found OSV reported vulnerability GHSA-c3xm-pvg7-gh7r in github.com/opencontainers/runc@v0.1.1
        ./consul-k8s:0:0
    ⚠︎ found OSV reported vulnerability GHSA-v95c-p5hm-xq8f in github.com/opencontainers/runc@v0.1.1
        ./consul-k8s:0:0
    ⚠︎ found OSV reported vulnerability GHSA-f3fp-gc8g-vw66 in github.com/opencontainers/runc@v0.1.1
        ./consul-k8s:0:0

Running the container scan on the latest hashicorp/consul-k8s:

$ scan container hashicorp/consul-k8s
Scanned docker:{owner:"hashicorp"  name:"consul-k8s"}  tag:"latest" in 41.8s - found 29 result(s)
  » Dependency Scanner
    ⚠︎ found reported vulnerability CVE-2021-42379 from Alpine Linux's Security Issue Tracker in busybox@1.32.1-r6
        /lib/apk/db/installed:0:0
    ⚠︎ found reported vulnerability CVE-2021-42385 from Alpine Linux's Security Issue Tracker in busybox@1.32.1-r6
        /lib/apk/db/installed:0:0
    ⚠︎ found reported vulnerability CVE-2021-42381 from Alpine Linux's Security Issue Tracker in busybox@1.32.1-r6
        /lib/apk/db/installed:0:0
    ⚠︎ found reported vulnerability CVE-2021-42380 from Alpine Linux's Security Issue Tracker in busybox@1.32.1-r6
        /lib/apk/db/installed:0:0
    ⚠︎ found reported vulnerability CVE-2021-42378 from Alpine Linux's Security Issue Tracker in busybox@1.32.1-r6
        /lib/apk/db/installed:0:0
    ⚠︎ found reported vulnerability CVE-2021-42376 from Alpine Linux's Security Issue Tracker in busybox@1.32.1-r6
        /lib/apk/db/installed:0:0
    ⚠︎ found reported vulnerability CVE-2021-42374 from Alpine Linux's Security Issue Tracker in busybox@1.32.1-r6
        /lib/apk/db/installed:0:0
    ⚠︎ found reported vulnerability CVE-2021-42386 from Alpine Linux's Security Issue Tracker in busybox@1.32.1-r6
        /lib/apk/db/installed:0:0
    ⚠︎ found reported vulnerability CVE-2021-42384 from Alpine Linux's Security Issue Tracker in busybox@1.32.1-r6
        /lib/apk/db/installed:0:0
    ⚠︎ found reported vulnerability CVE-2021-42382 from Alpine Linux's Security Issue Tracker in busybox@1.32.1-r6
        /lib/apk/db/installed:0:0
    ⚠︎ found reported vulnerability CVE-2022-32208 from Alpine Linux's Security Issue Tracker in curl@7.77.0-r1
        /lib/apk/db/installed:0:0
    ⚠︎ found reported vulnerability CVE-2021-22923 from Alpine Linux's Security Issue Tracker in curl@7.77.0-r1
        /lib/apk/db/installed:0:0
    ⚠︎ found reported vulnerability CVE-2021-22922 from Alpine Linux's Security Issue Tracker in curl@7.77.0-r1
        /lib/apk/db/installed:0:0
    ⚠︎ found reported vulnerability CVE-2021-22925 from Alpine Linux's Security Issue Tracker in curl@7.77.0-r1
        /lib/apk/db/installed:0:0
    ⚠︎ found reported vulnerability CVE-2021-22926 from Alpine Linux's Security Issue Tracker in curl@7.77.0-r1
        /lib/apk/db/installed:0:0
    ⚠︎ found reported vulnerability CVE-2021-22946 from Alpine Linux's Security Issue Tracker in curl@7.77.0-r1
        /lib/apk/db/installed:0:0
    ⚠︎ found reported vulnerability CVE-2021-22947 from Alpine Linux's Security Issue Tracker in curl@7.77.0-r1
        /lib/apk/db/installed:0:0
    ⚠︎ found reported vulnerability CVE-2021-42386 from Alpine Linux's Security Issue Tracker in busybox@1.32.1-r6
        /lib/apk/db/installed:0:0
    ⚠︎ found reported vulnerability CVE-2021-42382 from Alpine Linux's Security Issue Tracker in busybox@1.32.1-r6
        /lib/apk/db/installed:0:0
    ⚠︎ found reported vulnerability CVE-2021-42378 from Alpine Linux's Security Issue Tracker in busybox@1.32.1-r6
        /lib/apk/db/installed:0:0
    ⚠︎ found reported vulnerability CVE-2021-42374 from Alpine Linux's Security Issue Tracker in busybox@1.32.1-r6
        /lib/apk/db/installed:0:0
    ⚠︎ found reported vulnerability CVE-2021-42376 from Alpine Linux's Security Issue Tracker in busybox@1.32.1-r6
        /lib/apk/db/installed:0:0
    ⚠︎ found reported vulnerability CVE-2021-42385 from Alpine Linux's Security Issue Tracker in busybox@1.32.1-r6
        /lib/apk/db/installed:0:0
    ⚠︎ found reported vulnerability CVE-2021-42384 from Alpine Linux's Security Issue Tracker in busybox@1.32.1-r6
        /lib/apk/db/installed:0:0
    ⚠︎ found reported vulnerability CVE-2021-42381 from Alpine Linux's Security Issue Tracker in busybox@1.32.1-r6
        /lib/apk/db/installed:0:0
    ⚠︎ found reported vulnerability CVE-2021-42380 from Alpine Linux's Security Issue Tracker in busybox@1.32.1-r6
        /lib/apk/db/installed:0:0
    ⚠︎ found reported vulnerability CVE-2021-42379 from Alpine Linux's Security Issue Tracker in busybox@1.32.1-r6
        /lib/apk/db/installed:0:0
    ⚠︎ found reported vulnerability CVE-2021-22924 from Alpine Linux's Security Issue Tracker in libcurl@7.77.0-r1
        /lib/apk/db/installed:0:0
    ⚠︎ found reported vulnerability CVE-2021-22945 from Alpine Linux's Security Issue Tracker in libcurl@7.77.0-r1
        /lib/apk/db/installed:0:0

@david-yu
Contributor Author

Thanks, looks like @kschoche also ran them locally and got the same results. Are there any libraries here on the consul-k8s CLI that might be on the higher priority side of updating? I would think maybe libcurl and curl?

@picatz

picatz commented Aug 22, 2022

I have not triaged the scan results to determine relative priority, but I would agree libcurl and curl are probably a good place to start!

Just to be clear, especially for external parties reading this: those cURL vulnerabilities aren't for the consul-k8s CLI (binary), since it doesn't use the cURL project at all. Those vulnerabilities are reported for the hashicorp/consul-k8s container, which seemingly installs curl.

FWIW, we should consider not installing curl at all, if possible. Not because it isn't helpful, it is. But because it's a common source of vulnerability scanner noise we can avoid. Happy to discuss this further, as it definitely has tradeoffs.

@david-yu
Contributor Author

Got it, the consul-k8s container is no longer supported as that was built and distributed for Consul 1.10.x and prior. We currently support Consul 1.11.x and higher.

@david-yu
Contributor Author

Do we want to invoke this earlier in the pipeline as opposed to on merge? We can invoke the security-scanner GitHub action to do this: https://github.com/hashicorp/security-scanner#example-github-actions-usage
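
The two open questions in this thread are how to triage the results above (which package is worth updating first, and which findings belong to the CLI binary versus the container image) and how to run the scan earlier than the release pipeline. The program below is an added example written for this page; it is not code from the PR, from consul-k8s, or from hashicorp/security-scanner. It parses the scanner's text output as printed above, drops exact repeats (the container scan lists every busybox CVE twice), groups findings by package, and applies a hypothetical `Blocking` gate that fails only on findings from the named scanner sections. The `sampleBinary` and `sampleContainer` inputs are constructed excerpts of the output quoted earlier in the thread; the gate and its scanner names are this example's own assumptions, not scanner features.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Finding is one "⚠︎ found ... vulnerability" line from the scanner's text output.
type Finding struct {
	Scanner string // section header, e.g. "Go Modules Scanner" or "Dependency Scanner"
	ID      string // CVE-..., GHSA-... or GO-... identifier
	Package string // module or apk package exactly as printed after " in "
}

// scannerHeader matches "  » Go Modules Scanner"; idPattern matches the three identifier styles seen above.
var (
	scannerHeader = regexp.MustCompile(`^\s*»\s+(.+?)\s*$`)
	idPattern     = regexp.MustCompile(`\b(CVE-\d{4}-\d+|GHSA-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}|GO-\d{4}-\d+)\b`)
)

// ParseScan reads the text printed by `scan binary` / `scan container` and returns the findings
// in order, dropping exact repeats. Summary and location lines carry no "vulnerability" and are skipped.
func ParseScan(output string) []Finding {
	var findings []Finding
	seen, section := map[Finding]bool{}, ""
	sc := bufio.NewScanner(strings.NewReader(output))
	for sc.Scan() {
		line := sc.Text()
		if m := scannerHeader.FindStringSubmatch(line); m != nil {
			section = m[1]
			continue
		}
		id, at := idPattern.FindString(line), strings.LastIndex(line, " in ")
		if !strings.Contains(line, "vulnerability") || id == "" || at < 0 {
			continue
		}
		f := Finding{Scanner: section, ID: id, Package: strings.TrimSpace(line[at+4:])}
		if !seen[f] {
			seen[f] = true
			findings = append(findings, f)
		}
	}
	return findings
}

// ByPackage groups findings by affected package, so runc@v0.1.1 shows up once with nine advisories.
func ByPackage(findings []Finding) map[string][]Finding {
	groups := map[string][]Finding{}
	for _, f := range findings {
		groups[f.Package] = append(groups[f.Package], f)
	}
	return groups
}

// Blocking is a hypothetical merge gate (not a feature of the scanner): it returns every finding
// from one of the named scanner sections. Passing only "Go Modules Scanner" fails the build on
// advisories linked into the binary while container-image (apk) findings stay warnings.
func Blocking(findings []Finding, blockingScanners ...string) []Finding {
	var out []Finding
	for _, f := range findings {
		for _, s := range blockingScanners {
			if f.Scanner == s {
				out = append(out, f)
				break
			}
		}
	}
	return out
}

// Constructed excerpts of the two scans quoted above; the repeated busybox line mirrors the real output.
const sampleBinary = `Scanned file:{path:"./consul-k8s"} in 13.3s - found 3 result(s)
  » Go Modules Scanner
    ⚠︎ found NVD reported vulnerability CVE-2022-28131 in cpe:2.3:a:golang:go:1.18.3:*:*:*:*:*:*:*
        ./consul-k8s:0:0
    ⚠︎ found OSV reported vulnerability GHSA-gp4j-w3vj-7299 in github.com/opencontainers/runc@v0.1.1
    ⚠︎ found OSV reported vulnerability GO-2021-0085 in github.com/opencontainers/runc@v0.1.1
`

const sampleContainer = `  » Dependency Scanner
    ⚠︎ found reported vulnerability CVE-2021-42379 from Alpine Linux's Security Issue Tracker in busybox@1.32.1-r6
    ⚠︎ found reported vulnerability CVE-2022-32208 from Alpine Linux's Security Issue Tracker in curl@7.77.0-r1
    ⚠︎ found reported vulnerability CVE-2021-42379 from Alpine Linux's Security Issue Tracker in busybox@1.32.1-r6
`

func main() {
	for _, in := range []struct{ name, out string }{{"binary", sampleBinary}, {"container", sampleContainer}} {
		findings := ParseScan(in.out)
		fmt.Printf("%s: %d unique finding(s), %d blocking\n", in.name, len(findings), len(Blocking(findings, "Go Modules Scanner")))
		for pkg, fs := range ByPackage(findings) {
			fmt.Printf("  %-50s %d advisories\n", pkg, len(fs))
		}
	}
}
```

`go run` on this prints the per-package counts for the two constructed samples; in a CI job you would feed it the real `scan binary ./consul-k8s` output and exit non-zero when `Blocking` is non-empty. Two triage caveats the grouped view makes visible: the NVD findings are matched against the `golang:go:1.18.3` CPE, i.e. the toolchain the binary was built with, so their fix is a rebuild with a patched Go rather than a `go.mod` bump; and, as noted above, the curl and libcurl findings come from the container's apk database and say nothing about the CLI binary itself.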

@david-yu
Contributor Author

david-yu commented Sep 6, 2022

Will close the PR as we first need to work on a process for addressing results of each scan. Will re-visit later.

@david-yu david-yu closed this Sep 6, 2022
@github-actions github-actions bot deleted the david-yu-crt-security-scan branch September 1, 2025 06:15
