Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update prometheus and docker libraries. fixes multiple security issues #1716

Merged
merged 1 commit into from
May 6, 2022

Conversation

hilariocoelho
Copy link
Contributor

@hilariocoelho hilariocoelho commented May 6, 2022

Related to this PR

Current prometheus client golang lib being used by of-watchod contains a vulnerability that has been fixed on v1.11.1 here

Description

As you can see, the generated docker container of gateway contains multiple vulnerabilities as reported by grype:

% syft ghcr.io/openfaas/gateway:0.21.3 --output json | grype
 ✔ Loaded image            
 ✔ Parsed image            
 ✔ Cataloged packages      [36 packages]
NAME                                 INSTALLED            FIXED-IN    TYPE       VULNERABILITY        SEVERITY
busybox                              1.33.1-r6            1.33.1-r7   apk        CVE-2022-28391       Critical
github.com/docker/distribution       v2.7.1+incompatible  2.8.0       go-module  GHSA-qq97-vm5h-rrhg  Low
github.com/prometheus/client_golang  v1.9.0                           go-module  CVE-2022-21698       High
google.golang.org/protobuf           v1.26.0                          go-module  CVE-2015-5237        High
google.golang.org/protobuf           v1.26.0                          go-module  CVE-2021-22570       High
libcrypto1.1                         1.1.1l-r0                        apk        CVE-2021-4160        Medium
libcrypto1.1                         1.1.1l-r0            1.1.1n-r0   apk        CVE-2022-0778        High
libretls                             3.3.3p1-r2           3.3.3p1-r3  apk        CVE-2022-0778        High
libssl1.1                            1.1.1l-r0                        apk        CVE-2021-4160        Medium
libssl1.1                            1.1.1l-r0            1.1.1n-r0   apk        CVE-2022-0778        High
ssl_client                           1.33.1-r6            1.33.1-r7   apk        CVE-2022-28391       Critical
zlib                                 1.2.11-r3            1.2.12-r0   apk        CVE-2018-25032       High 

After updating github.com/prometheus/client_golang and github.com/docker/distribution libraries, and simply recreate the container running make build-gateway almost all vulnerabilities are fixed. This is due to those libraries update and the use of a new Alpine image (since the dockerfile is pinning the minor version 3.15 as you can see here):

% syft docker.io/openfaas/gateway:latest-dev --output json | grype
 ✔ Loaded image            
 ✔ Parsed image            
 ✔ Cataloged packages      [36 packages]
NAME                        INSTALLED  FIXED-IN  TYPE       VULNERABILITY   SEVERITY 
google.golang.org/protobuf  v1.26.0              go-module  CVE-2021-22570  High      
google.golang.org/protobuf  v1.26.0              go-module  CVE-2015-5237   High  

Motivation and Context

Fix security vulnerabilities.

Prometheus vulnerability is IMO the most concerning issue as discussed on the above referred PR.

To any concerned user, @Jack64 did a great risk assessment of Prometheus vulnerability here

How Has This Been Tested?

Using grype

Checked both changelogs (Prometheus and Docker libraries) and none include breaking changes.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • My code follows the code style of this project.
  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I've read the CONTRIBUTION guide
  • I have signed-off my commits with git commit -s
  • I have added tests to cover my changes.
  • All new and existing tests passed.

@derek
Copy link

derek bot commented May 6, 2022

Thank you for your contribution. unfortunately, one or more of your commits are missing the required "Signed-off-by:" statement. Signing off is part of the Developer Certificate of Origin (DCO) which is used by this project.

Read the DCO and project contributing guide carefully, and amend your commits using the git CLI. Note that this does not require any cryptography, keys or special steps to be taken.

💡 Shall we fix this?

This will only take a few moments.

First, clone your fork and checkout this branch using the git CLI.

Next, set up your real name and email address:

git config --global user.name "Your Full Name"
git config --global user.email "[email protected]"

Finally, run one of these commands to add the "Signed-off-by" line to your commits.

If you only have one commit so far then run: git commit --amend --signoff and then git push --force.
If you have multiple commits, watch this video.

Check that the message has been added properly by running "git log".

@hilariocoelho
Copy link
Contributor Author

@alexellis please have a look at this as soon as you can. Also, you said that you were willing to merge openfaas/of-watchdog#134 even though without functional tests... when are you expecting to do it?

@alexellis
Copy link
Member

Hi,

Thanks for your contribution.

A similar PR will be required for the classic watchdog

This is due to those libraries update and the use of a new Alpine image (since the dockerfile is pinning the minor version 3.15 as you can see.

Pinning of container images is a best practice, I'm not sure what you're suggesting as an alternative, but using the latest tag would be an anti-pattern.

Does alpine:3.15 not contain the fix for 1.33.1-r6? My understanding was that the builds for the latest patch releases i.e. 3.15.4 overwrite the tracking number of 3.15: https://github.com/docker-library/official-images/blob/master/library/alpine

If that's true, then only a rebuild is required to get the latest updates for the openssl package.

Regards,

Alex

@hilariocoelho
Copy link
Contributor Author

Hi,

Thanks for your contribution.

A similar PR will be required for the classic watchdog

This is due to those libraries update and the use of a new Alpine image (since the dockerfile is pinning the minor version 3.15 as you can see.

Pinning of container images is a best practice, I'm not sure what you're suggesting as an alternative, but using the latest tag would be an anti-pattern.

Does alpine:3.15 not contain the fix for 1.33.1-r6? My understanding was that the builds for the latest patch releases i.e. 3.15.4 overwrite the tracking number of 3.15: https://github.com/docker-library/official-images/blob/master/library/alpine

If that's true, then only a rebuild is required to get the latest updates for the openssl package.

Regards,

Alex

Yes exactly. You are right about the version pinning and all that. It's what I tried to say. All the other vulnerabilities are automatically fixed just by building the container again because the 3.15 alpine tag gets overwrite with 3.15.4.

I was not suggesting any modification regarding to that. I was pointing out that it does fixes the other vulnerabilities.

@alexellis
Copy link
Member

Please see the video for instructions on how to either squash or rebase your commits so that both of them are signed-off, Derek linked you to a video for this: https://www.youtube.com/watch?v=8j0H6urZ-bU

update docker/distribution lib

Signed-off-by: Hilário Coelho <[email protected]>
@hilariocoelho
Copy link
Contributor Author

Please see the video for instructions on how to either squash or rebase your commits so that both of them are signed-off, Derek linked you to a video for this: https://www.youtube.com/watch?v=8j0H6urZ-bU

done

@alexellis
Copy link
Member

I've checked out the code and ran go mod vendor to verify that the vendored files supplied are not different from upstream.

@alexellis alexellis merged commit a530b9d into openfaas:master May 6, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants