Biocontainers - security related questions
Hi
We are trying to adopt Biocontainers as much as possible for our workflows. In this regard, there are often questions/concerns about security if using Biocontainers. This is of particular concern ever since the log4j stuff surfaced at the end of last year.
The request:
Could you share any resources you might have around this that would allay the concerns, as we (the tool developers) have to address these with audits etc. Concerns around:
- will there be some malicious software in there
- how to know what went into the actual Dockerfile that created that Biocontainer from the Bioconda recipe
- docker build logs
It would be great if you could point to any existing resources - the pages here are empty https://github.com/BioContainers/containers/security
Thanks in advance,
Hi, security is a bit complex.
For containers built from GitHub, you have the Dockerfile, and the build log is accessible from the related PR (for an amount of time).
For those built from bioconda (hosted on quay.io), there is no Dockerfile nor related build log, but it is basically a conda install of the package on a busybox base.
Quite recent containers have security scan results available via the tool page on the registry web site. You can also scan any container yourself. But a scan will often result in many CVEs; the problem is to know if those CVEs can be used in the context of the tool usage. The log4j CVE, for example, may be detected, but the issue was only for some log4j configurations. So a scan may show an issue though it may not be exploitable.
Additionally, you may look at a container security scan one day, then use it in your workflow. But some days after, a new issue may arise, and you won't be aware of this unless you constantly check your containers. And you should find which container version may fix the issue.
I think it is easier, when considering container security, to scan the containers you use yourself on a regular basis. But you will anyway need the tool knowledge to understand if a CVE is an issue or not in the way you use the tool.
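The workflow described above (rescan on a schedule, then decide per CVE whether it applies to how the tool is used, and note which version fixes it) can be turned into a small triage step. The script below is an added example, not code from BioContainers or from anyone in this thread. It assumes a scanner that emits a JSON report shaped like Trivy's `Results` / `Vulnerabilities` output; the embedded report, the image name and the CVE identifiers in it are constructed sample data, and the exception table is a hypothetical record of the "tool knowledge" decisions, each with an expiry so it is re-reviewed rather than accepted forever.

```python
"""Triage a container scan report: which findings need action, which are covered by
a documented exception, which exceptions have lapsed, and which fall below the bar.
Added example; assumes a Trivy-style JSON report (Results -> Vulnerabilities)."""
import json
from dataclasses import dataclass, field
from datetime import date

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample report; image name and CVE identifiers are placeholders, not real data.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "quay.io/example/tool:1.0.9--h0000000_0",
    "Results": [{
        "Target": "quay.io/example/tool:1.0.9--h0000000_0 (os packages)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "liblog-sample",
             "InstalledVersion": "2.14.0", "FixedVersion": "2.17.0", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libexample",
             "InstalledVersion": "1.2.3", "FixedVersion": "1.2.4", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libold",
             "InstalledVersion": "0.9", "FixedVersion": "", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-0000-0004", "PkgName": "libminor",
             "InstalledVersion": "3.1", "FixedVersion": "3.2", "Severity": "LOW"},
        ],
    }],
})

# Hypothetical exception register: the per-CVE decision that only tool knowledge can make.
# Every entry carries a reason and an ISO expiry date so it gets re-reviewed.
EXCEPTIONS = {
    "CVE-0000-0001": {"reason": "vulnerable feature is never enabled by this tool's configuration",
                      "expires": "2022-12-31"},
    "CVE-0000-0003": {"reason": "affected code path not reachable from the CLI we invoke",
                      "expires": "2022-01-31"},
}


@dataclass(frozen=True)
class Finding:
    cve: str
    package: str
    installed: str
    fixed: str          # empty string when the scanner reports no fixed version
    severity: str


@dataclass
class Triage:
    actionable: list = field(default_factory=list)       # fix by rebuilding / upgrading
    accepted: list = field(default_factory=list)         # covered by a current exception
    expired: list = field(default_factory=list)          # exception lapsed: re-review
    below_threshold: list = field(default_factory=list)  # logged, not acted on


def parse_findings(report_text):
    """Flatten a Trivy-style JSON report into Finding records."""
    report = json.loads(report_text)
    findings = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            findings.append(Finding(
                cve=v["VulnerabilityID"], package=v["PkgName"],
                installed=v["InstalledVersion"], fixed=v.get("FixedVersion") or "",
                severity=str(v.get("Severity", "UNKNOWN")).upper()))
    return findings


def triage(findings, exceptions, today, min_severity="HIGH"):
    """Classify findings; `today` is an ISO date so a rerun on a later day is reproducible."""
    review_day = date.fromisoformat(today)
    threshold = SEVERITY_RANK[min_severity]
    out = Triage()
    for f in findings:
        if SEVERITY_RANK.get(f.severity, 0) < threshold:
            out.below_threshold.append(f)
            continue
        exc = exceptions.get(f.cve)
        if exc is None:
            out.actionable.append(f)
        elif date.fromisoformat(exc["expires"]) < review_day:
            out.expired.append(f)      # the decision is stale, not the vulnerability
        else:
            out.accepted.append(f)
    return out


def summarize(t):
    """One line per finding, stating the fixed version so the rebuild target is explicit."""
    lines = []
    for label, group in (("ACTION", t.actionable), ("EXPIRED", t.expired),
                         ("ACCEPTED", t.accepted), ("INFO", t.below_threshold)):
        for f in group:
            fix = f"fixed in {f.package} {f.fixed}" if f.fixed else "no fixed version yet"
            lines.append(f"{label:8} {f.cve} {f.severity:8} {f.package} {f.installed} ({fix})")
    return lines


if __name__ == "__main__":
    result = triage(parse_findings(SAMPLE_REPORT), EXCEPTIONS, today="2022-07-01")
    print("\n".join(summarize(result)))
```

To feed it a real report, produce one with your scanner (Trivy, for instance, writes this shape with `trivy image --format json -o report.json IMAGE`) and pass the file contents to `parse_findings`; run it from a scheduled job so a CVE published after your last look still surfaces, and treat an `EXPIRED` line as a prompt to re-check the reasoning, not as a pass.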
Thanks a lot @osallou - this is really helpful
One question: Can you point me to a recent example for this (or any example which has a build log)
> For containers built from GitHub, you have the Dockerfile, and the build log is accessible from the related PR (for an amount of time).
Hi @osallou
This particular tool - bamdst - does not have a bioconda recipe. I have also requested the tool author to create a bioconda recipe.
Can you advise how best I can submit a BioContainer request for the same from Github and using this paradigm that you mentioned:
> For containers built from GitHub, you have the Dockerfile, and the build log is accessible from the related PR (for an amount of time).

If it helps, this below is my Dockerfile that I used for my own purposes. I feel it would be beneficial to have this available via Biocontainers too.
```dockerfile
################## BASE IMAGE ######################
FROM ubuntu:20.04

################## METADATA ######################
LABEL base_image="ubuntu:20.04"
LABEL version="1"
LABEL software="bamdst"
LABEL software.version="1.0.9"
LABEL about.summary="bamdst - a BAM Depth Stat Tool"
LABEL about.home="https://github.com/shiquan/bamdst"
LABEL about.documentation="https://github.com/shiquan/bamdst#readme"
LABEL about.license_file="https://github.com/shiquan/bamdst/blob/master/LICENSE"
LABEL about.license="MIT"
LABEL about.tags="Genomics"

ENV DEBIAN_FRONTEND=noninteractive
ENV LANG C.UTF-8
ENV TZ 'America/Indiana/Indianapolis'

# Build dependencies for bamdst; apt lists and temp files are removed afterwards
RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone && \
    apt-get update \
    && apt-get install -y --no-install-recommends \
        build-essential \
        ca-certificates \
        git \
        libncurses5-dev zlib1g-dev libbz2-dev liblzma-dev libcurl3-dev \
        perl \
        wget \
    && cd /usr/local/bin \
    && apt-get clean && apt-get purge \
    && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*

# Build bamdst from the upstream repository (clones the default branch, no tag pinned)
RUN git clone https://github.com/shiquan/bamdst.git && \
    cd bamdst && \
    make && \
    cp bamdst /usr/local/bin/

# csvtk release tarball, fetched and unpacked without a checksum check
RUN wget -qO- \
    https://github.com/shenwei356/csvtk/releases/download/v0.24.0/csvtk_linux_amd64.tar.gz \
    | tar -xz && \
    cp csvtk /usr/local/bin/

WORKDIR /data/
```
Please note: This tool is not developed by me - I am just showing how I created a Docker image for the code in the bamdst GH repo.
Thanks in advance.
> Thanks a lot @osallou - this is really helpful
> One question: Can you point me to a recent example for this (or any example which has a build log)
> For containers built from GitHub, you have the Dockerfile, and the build log is accessible from the related PR (for an amount of time).
You can look at PR 453.
The log is in the checks:
https://github.com/BioContainers/containers/runs/7151069828?check_suite_focus=true
Thanks @osallou - I am closing this