fix(plugin-keychain-vault): fix CVE-2024-0553 in vault server image

1. The solution here was to migrate the image from Debian to Ubuntu because it seems to not have the same vulnerabilities as the lastest stable Debian image does, so the change itself is to move to Ubuntu 24.04 LTS. 2. Also upgraded the Rust toolchain to the current latest which mandated a couple of small code changes that are also added in this commit. The original security report from Trivy that we've discoverd on the CI: ┌─────────────┬───────────────┬──────────┬───────────────────┐ │ Library │ Vulnerability │ Severity │ Installed Version │ ├─────────────┼───────────────┼──────────┼───────────────────┤ │ libgnutls30 │ CVE-2024-0553 │ HIGH │ 3.6.7-4+deb10u11 │ │ │ │ │ │ └─────────────┴───────────────┴──────────┴───────────────────┘ ... ┬──────────────────┬───────────────────────────────────────────┐ │ Fixed Version │ Title │ ┼──────────────────┼───────────────────────────────────────────┤ │ 3.6.7-4+deb10u12 │ gnutls: incomplete fix for CVE-2023-5981 │ │ │ https://avd.aquasec.com/nvd/cve-2024-0553 │ ┴──────────────────┴───────────────────────────────────────────┘ Signed-off-by: Peter Somogyvari <[email protected]>
hyperledger-cacti · Mar 19, 2024 · 1eacf7e · 1eacf7e · github-actions · Mar 19, 2024
1 parent 154ea7d
commit 1eacf7e
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 6 deletions.
diff --git a/packages/cactus-plugin-keychain-vault/src/cactus-keychain-vault-server/Dockerfile b/packages/cactus-plugin-keychain-vault/src/cactus-keychain-vault-server/Dockerfile
@@ -1,16 +1,22 @@
-FROM rust:1.63.0 as builder
+FROM rust:1.76.0-slim-bookworm as builder
+
+RUN apt-get update -y && \
+    apt-get upgrade -y && \
+    apt-get install -y libssl-dev pkg-config
 
 WORKDIR /
 RUN USER=root cargo new --bin cactus-keychain-vault-server
 WORKDIR /cactus-keychain-vault-server
 ADD ./rust/gen/ ./
 RUN cargo build --release --example server
 
-FROM debian:buster-slim
+FROM ubuntu:24.04
 ARG APP=/usr/src/app
 
-RUN apt-get update
-RUN apt-get install -y ca-certificates tzdata curl tini
+
+RUN apt-get update -y && \
+    apt-get upgrade -y && \
+    apt-get install -y ca-certificates tzdata curl tini
 RUN rm -rf /var/lib/apt/lists/*
 
 

diff --git a/...plugin-keychain-vault/src/cactus-keychain-vault-server/rust/gen/examples/server/server.rs b/...plugin-keychain-vault/src/cactus-keychain-vault-server/rust/gen/examples/server/server.rs
@@ -85,7 +85,6 @@ impl<C> Api<C> for Server<C> where C: Has<XSpanIdString> + Send + Sync
         get_keychain_entry_request: models::GetKeychainEntryRequest,
         context: &C) -> Result<GetKeychainEntryResponse, ApiError>
     {
-        let context = context.clone();
         info!("get_keychain_entry({:?}) - X-Span-ID: {:?}", get_keychain_entry_request, context.get().0.clone());
 
         // FIXME implement connection pooling
@@ -112,7 +111,6 @@ impl<C> Api<C> for Server<C> where C: Has<XSpanIdString> + Send + Sync
         set_keychain_entry_request: models::SetKeychainEntryRequest,
         context: &C) -> Result<SetKeychainEntryResponse, ApiError>
     {
-        let context = context.clone();
         info!("set_keychain_entry({:?}) - X-Span-ID: {:?}", set_keychain_entry_request, context.get().0.clone());
 
         // FIXME implement connection pooling
Benchmark suite	Current: `1eacf7e`	Previous: `154ea7d`	Ratio
`cmd-api-server_HTTP_GET_getOpenApiSpecV1`	`588` ops/sec (`±1.61%`)	`598` ops/sec (`±1.68%`)	`1.02`
`cmd-api-server_gRPC_GetOpenApiSpecV1`	`365` ops/sec (`±1.23%`)	`370` ops/sec (`±1.31%`)	`1.01`