
docker image scan reports issues

Open githubcdr opened this issue 2 years ago • 6 comments

The docker image (cdignam/kodiak:v0.52.0) mentioned in the docs for self-hosting does not have a great reputation when it comes to security.

A trivy scan shows 199 critical issues in the latest release.

cdignam/kodiak:v0.52.0 (debian 10.0)
====================================
Total: 4018 (UNKNOWN: 7, LOW: 1309, MEDIUM: 1360, HIGH: 1143, CRITICAL: 199)

It seems that new versions add more critical CVEs (v0.50.0 had 157).

What is going on here?

githubcdr avatar Jun 28 '22 08:06 githubcdr

What tool are you using to generate this report?

If you send me a list of CVEs, I can check if they impact Kodiak.

chdsbd avatar Jun 28 '22 11:06 chdsbd

Hi @chdsbd, you can use Trivy for this. This will generate a list of CVEs.

githubcdr avatar Jun 29 '22 08:06 githubcdr

Running trivy on the latest release I get:

22-07-04T17:59:10.298-0400	INFO	Table result includes only package filenames. Use '--format json' option to get the full path to the package file.

Python (python-pkg)

Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 2, CRITICAL: 1)

┌────────────────────┬────────────────┬──────────┬───────────────────┬─────────────────────────────────┬──────────────────────────────────────────────────────────────┐
│      Library       │ Vulnerability  │ Severity │ Installed Version │          Fixed Version          │                            Title                             │
├────────────────────┼────────────────┼──────────┼───────────────────┼─────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ PyJWT (METADATA)   │ CVE-2022-29217 │ HIGH     │ 1.7.1             │ 2.4.0                           │ python-jwt: Key confusion through non-blocklisted public key │
│                    │                │          │                   │                                 │ formats                                                      │
│                    │                │          │                   │                                 │ https://avd.aquasec.com/nvd/cve-2022-29217                   │
├────────────────────┼────────────────┼──────────┼───────────────────┼─────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ httpx (METADATA)   │ CVE-2021-41945 │ CRITICAL │ 0.18.1            │ 0.20.0                          │ Encode OSS httpx < 0.23.0 is affected by improper input      │
│                    │                │          │                   │                                 │ validation ...                                               │
│                    │                │          │                   │                                 │ https://avd.aquasec.com/nvd/cve-2021-41945                   │
├────────────────────┼────────────────┼──────────┼───────────────────┼─────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ ipython (METADATA) │ CVE-2022-21699 │ HIGH     │ 7.27.0            │ 6.0.0rc1, 7.16.3, 7.31.1, 8.0.1 │ IPython (Interactive Python) is a command shell for          │
│                    │                │          │                   │                                 │ interactive comput ...                                       │
│                    │                │          │                   │                                 │ https://avd.aquasec.com/nvd/cve-2022-21699                   │
├────────────────────┼────────────────┼──────────┼───────────────────┼─────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ pip (METADATA)     │ CVE-2021-3572  │ MEDIUM   │ 19.2.1            │ 21.1                            │ python-pip: Incorrect handling of unicode separators in git  │
│                    │                │          │                   │                                 │ references                                                   │
│                    │                │          │                   │                                 │ https://avd.aquasec.com/nvd/cve-2021-3572                    │
└────────────────────┴────────────────┴──────────┴───────────────────┴─────────────────────────────────┴──────────────────────────────────────────────────────────────┘
  • jwt issue was addressed in: https://github.com/chdsbd/kodiak/issues/821
  • httpx, the linked site from the tool is hard to read so:
    • the GitHub issue: https://github.com/encode/httpx/issues/2184
    • nist site: https://nvd.nist.gov/vuln/detail/CVE-2021-41945 Kodiak isn't affected due to our usage of the library / not using user provided URLs, but still probably worth upgrading. Only caveat is the last time we tried upgrading we hit some serious bugs that caused a production incident: https://github.com/chdsbd/kodiak/issues/736
  • ipython, we're not running that in prod
  • pip, also not running that in prod

Of course I'm only looking at the Python-specific output; if you grab the entire output of that tool you get 15,000 lines of output, aka garbage.

I think this tool suffers from a similar problem to npm audit: https://overreacted.io/npm-audit-broken-by-design/

sbdchd avatar Jul 04 '22 22:07 sbdchd

Digging into the output a bit more, here's the output in a less verbose form where the key is the package name and the value is the number of CVEs associated with it.

{
  "apt": 3,
  "bash": 1,
  "binutils": 61,
  "binutils-common": 61,
  "binutils-x86-64-linux-gnu": 61,
  "bsdutils": 2,
  "comerr-dev": 3,
  "coreutils": 2,
  "cpp-8": 2,
  "curl": 23,
  "dirmngr": 2,
  "dpkg": 1,
  "dpkg-dev": 1,
  "e2fsprogs": 3,
  "fdisk": 2,
  "file": 1,
  "g++-8": 2,
  "gcc-8": 2,
  "gcc-8-base": 2,
  "gir1.2-rsvg-2.0": 1,
  "git": 16,
  "git-man": 16,
  "gnupg": 2,
  "gnupg-l10n": 2,
  "gnupg-utils": 2,
  "gpg": 2,
  "gpg-agent": 2,
  "gpg-wks-client": 2,
  "gpg-wks-server": 2,
  "gpgconf": 2,
  "gpgsm": 2,
  "gpgv": 2,
  "gzip": 1,
  "icu-devtools": 2,
  "imagemagick": 106,
  "imagemagick-6-common": 106,
  "imagemagick-6.q16": 106,
  "iproute2": 1,
  "krb5-multidev": 5,
  "libapt-pkg5.0": 3,
  "libasan5": 2,
  "libatomic1": 2,
  "libbinutils": 61,
  "libblkid-dev": 2,
  "libblkid1": 2,
  "libbsd0": 1,
  "libc-bin": 22,
  "libc-dev-bin": 22,
  "libc6": 22,
  "libc6-dev": 22,
  "libcairo-gobject2": 5,
  "libcairo-script-interpreter2": 5,
  "libcairo2": 5,
  "libcairo2-dev": 5,
  "libcc1-0": 2,
  "libcom-err2": 3,
  "libcroco3": 3,
  "libcurl3-gnutls": 23,
  "libcurl4": 23,
  "libcurl4-openssl-dev": 23,
  "libdb5.3": 1,
  "libdb5.3-dev": 1,
  "libde265-0": 19,
  "libdjvulibre-dev": 11,
  "libdjvulibre-text": 11,
  "libdjvulibre21": 11,
  "libdpkg-perl": 1,
  "libexif-dev": 10,
  "libexif12": 10,
  "libexpat1": 18,
  "libexpat1-dev": 18,
  "libext2fs2": 3,
  "libfdisk1": 2,
  "libfreetype6": 5,
  "libfreetype6-dev": 5,
  "libfribidi0": 4,
  "libgcc-8-dev": 2,
  "libgcc1": 2,
  "libgcrypt20": 4,
  "libglib2.0-0": 6,
  "libglib2.0-bin": 6,
  "libglib2.0-data": 6,
  "libglib2.0-dev": 6,
  "libglib2.0-dev-bin": 6,
  "libgmp-dev": 1,
  "libgmp10": 1,
  "libgmpxx4ldbl": 1,
  "libgnutls-dane0": 7,
  "libgnutls-openssl27": 7,
  "libgnutls28-dev": 7,
  "libgnutls30": 7,
  "libgnutlsxx28": 7,
  "libgomp1": 2,
  "libgssapi-krb5-2": 5,
  "libgssrpc4": 5,
  "libharfbuzz0b": 1,
  "libheif1": 3,
  "libhogweed4": 2,
  "libicu-dev": 2,
  "libicu63": 2,
  "libidn2-0": 2,
  "libidn2-dev": 2,
  "libitm1": 2,
  "libjbig-dev": 1,
  "libjbig0": 1,
  "libjpeg-dev": 8,
  "libjpeg62-turbo": 8,
  "libjpeg62-turbo-dev": 8,
  "libk5crypto3": 5,
  "libkadm5clnt-mit11": 5,
  "libkadm5srv-mit11": 5,
  "libkdb5-9": 5,
  "libkrb5-3": 5,
  "libkrb5-dev": 5,
  "libkrb5support0": 5,
  "libldap-2.4-2": 22,
  "libldap-common": 22,
  "liblsan0": 2,
  "liblz4-1": 2,
  "liblzma-dev": 1,
  "liblzma5": 1,
  "libmagic-mgc": 1,
  "libmagic1": 1,
  "libmagickcore-6-arch-config": 106,
  "libmagickcore-6-headers": 106,
  "libmagickcore-6.q16-6": 106,
  "libmagickcore-6.q16-6-extra": 106,
  "libmagickcore-6.q16-dev": 106,
  "libmagickcore-dev": 106,
  "libmagickwand-6-headers": 106,
  "libmagickwand-6.q16-6": 106,
  "libmagickwand-6.q16-dev": 106,
  "libmagickwand-dev": 106,
  "libmariadb-dev": 80,
  "libmariadb-dev-compat": 80,
  "libmariadb3": 80,
  "libmount-dev": 2,
  "libmount1": 2,
  "libmpx2": 2,
  "libncurses-dev": 4,
  "libncurses5-dev": 4,
  "libncurses6": 4,
  "libncursesw5-dev": 4,
  "libncursesw6": 4,
  "libnettle6": 2,
  "libnghttp2-14": 3,
  "libopenexr-dev": 40,
  "libopenexr23": 40,
  "libopenjp2-7": 33,
  "libopenjp2-7-dev": 33,
  "libp11-kit-dev": 3,
  "libp11-kit0": 3,
  "libpango-1.0-0": 1,
  "libpangocairo-1.0-0": 1,
  "libpangoft2-1.0-0": 1,
  "libpcre16-3": 6,
  "libpcre2-8-0": 3,
  "libpcre3": 6,
  "libpcre3-dev": 6,
  "libpcre32-3": 6,
  "libpcrecpp0v5": 6,
  "libperl5.28": 5,
  "libpng-dev": 4,
  "libpng16-16": 4,
  "libpq-dev": 17,
  "libpq5": 17,
  "libpython-stdlib": 1,
  "libpython2-stdlib": 1,
  "libpython2.7-minimal": 16,
  "libpython2.7-stdlib": 16,
  "libpython3.7-minimal": 22,
  "libpython3.7-stdlib": 22,
  "libquadmath0": 2,
  "librsvg2-2": 1,
  "librsvg2-common": 1,
  "librsvg2-dev": 1,
  "libsasl2-2": 2,
  "libsasl2-modules-db": 2,
  "libseccomp2": 1,
  "libsepol1": 4,
  "libsepol1-dev": 4,
  "libsmartcols1": 2,
  "libsqlite3-0": 18,
  "libsqlite3-dev": 18,
  "libss2": 3,
  "libssh2-1": 2,
  "libssl-dev": 18,
  "libssl1.1": 18,
  "libstdc++-8-dev": 2,
  "libstdc++6": 2,
  "libsvn1": 5,
  "libsystemd0": 10,
  "libtasn1-6": 1,
  "libtasn1-6-dev": 1,
  "libtcl8.6": 1,
  "libtiff-dev": 33,
  "libtiff5": 33,
  "libtiffxx5": 33,
  "libtinfo6": 4,
  "libtsan0": 2,
  "libubsan1": 2,
  "libudev1": 10,
  "libunbound8": 17,
  "libuuid1": 2,
  "libwebp-dev": 12,
  "libwebp6": 12,
  "libwebpdemux2": 12,
  "libwebpmux3": 12,
  "libwmf-dev": 4,
  "libwmf0.2-7": 4,
  "libx11-6": 3,
  "libx11-data": 3,
  "libx11-dev": 3,
  "libxml2": 16,
  "libxml2-dev": 16,
  "libxslt1-dev": 5,
  "libxslt1.1": 5,
  "libxtables12": 2,
  "libzstd1": 2,
  "linux-libc-dev": 594,
  "login": 4,
  "m4": 2,
  "mariadb-common": 80,
  "mount": 2,
  "ncurses-base": 4,
  "ncurses-bin": 4,
  "nettle-dev": 2,
  "openssh-client": 13,
  "openssl": 18,
  "passwd": 4,
  "patch": 7,
  "perl": 5,
  "perl-base": 5,
  "perl-modules-5.28": 5,
  "python": 1,
  "python-minimal": 1,
  "python2": 1,
  "python2-minimal": 1,
  "python2.7": 16,
  "python2.7-minimal": 16,
  "python3.7": 22,
  "python3.7-minimal": 22,
  "subversion": 5,
  "supervisor": 1,
  "tar": 3,
  "tcl8.6": 1,
  "tcl8.6-dev": 1,
  "unzip": 4,
  "util-linux": 2,
  "uuid-dev": 2,
  "wget": 1,
  "xz-utils": 1,
  "zlib1g": 1,
  "zlib1g-dev": 1,
  "PyJWT": 1,
  "httpx": 1,
  "ipython": 1,
  "pip": 1
}

sbdchd avatar Jul 04 '22 22:07 sbdchd
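The per-package summary above is the useful triage view: the same handful of CVEs show up once per binary package built from one source (binutils, imagemagick, mariadb), so the raw count says little about what actually needs attention. The script below is an added example, not code from the Kodiak project or from anyone in this thread. It reads a Trivy JSON report (the `--format json` output mentioned in the log line above; the `Results` / `Vulnerabilities` / `PkgName` / `Severity` / `FixedVersion` keys are Trivy's own schema) and produces three views: the package-to-count map sbdchd posted, a severity breakdown, and a short "actionable" list restricted to findings at or above a chosen severity that have an upstream fix and are not in packages excluded as not running in production (ipython and pip, per the comment above). The embedded report is a small constructed sample; the Python CVE rows reuse the IDs from the table in this thread, while the Debian rows use obvious placeholder IDs and versions.

```python
"""Aggregate a Trivy JSON report by package, severity and fixability.

Added example, not code from the Kodiak project. Usage:
    python trivy_triage.py report.json      # report from `trivy image --format json`
    python trivy_triage.py                  # runs on the constructed sample below
"""
import json
import sys
from collections import Counter

SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN"]

# Constructed sample in the shape Trivy emits. Debian entries use placeholder
# CVE IDs and versions; the Python entries reuse the real IDs from the thread.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {"Target": "cdignam/kodiak:v0.52.0 (debian 10.0)", "Class": "os-pkgs", "Type": "debian",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-PLACEHOLDER-0001", "PkgName": "imagemagick",
              "InstalledVersion": "placeholder", "FixedVersion": "", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-PLACEHOLDER-0002", "PkgName": "imagemagick",
              "InstalledVersion": "placeholder", "FixedVersion": "", "Severity": "CRITICAL"},
             {"VulnerabilityID": "CVE-PLACEHOLDER-0003", "PkgName": "linux-libc-dev",
              "InstalledVersion": "placeholder", "FixedVersion": "", "Severity": "LOW"},
         ]},
        {"Target": "Python", "Class": "lang-pkgs", "Type": "python-pkg",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2022-29217", "PkgName": "PyJWT",
              "InstalledVersion": "1.7.1", "FixedVersion": "2.4.0", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-2021-41945", "PkgName": "httpx",
              "InstalledVersion": "0.18.1", "FixedVersion": "0.20.0", "Severity": "CRITICAL"},
             {"VulnerabilityID": "CVE-2022-21699", "PkgName": "ipython",
              "InstalledVersion": "7.27.0", "FixedVersion": "7.31.1", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-2021-3572", "PkgName": "pip",
              "InstalledVersion": "19.2.1", "FixedVersion": "21.1", "Severity": "MEDIUM"},
         ]},
    ]
})


def iter_vulns(report, classes=None):
    """Yield (result, vuln) pairs; `classes` limits to e.g. {"lang-pkgs"}."""
    for result in report.get("Results", []):
        if classes and result.get("Class") not in classes:
            continue
        for vuln in result.get("Vulnerabilities") or []:
            yield result, vuln


def count_by_package(report, classes=None):
    """Package name -> number of CVEs, most affected packages first."""
    counts = Counter(v["PkgName"] for _, v in iter_vulns(report, classes))
    return dict(sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])))


def count_by_severity(report, classes=None):
    """Severity -> number of CVEs, in the order Trivy prints them."""
    counts = Counter(v.get("Severity", "UNKNOWN") for _, v in iter_vulns(report, classes))
    return {sev: counts.get(sev, 0) for sev in SEVERITY_ORDER}


def actionable(report, classes=None, min_severity="HIGH", ignore_pkgs=frozenset()):
    """Findings worth a human's time: at or above `min_severity`, with an
    upstream fix available, and not in a package excluded via `ignore_pkgs`
    (packages that do not run in production, say)."""
    rank = {sev: i for i, sev in enumerate(SEVERITY_ORDER)}
    cutoff = rank[min_severity]
    hits = []
    for result, v in iter_vulns(report, classes):
        if v["PkgName"] in ignore_pkgs:
            continue
        if rank.get(v.get("Severity", "UNKNOWN"), len(SEVERITY_ORDER)) > cutoff:
            continue
        if not v.get("FixedVersion"):  # nothing to upgrade to yet
            continue
        hits.append({"id": v["VulnerabilityID"], "pkg": v["PkgName"],
                     "installed": v["InstalledVersion"], "fixed": v["FixedVersion"],
                     "severity": v["Severity"], "target": result["Target"]})
    return hits


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            data = json.load(fh)
    else:
        data = json.loads(SAMPLE_REPORT)
    print(json.dumps(count_by_package(data), indent=2))
    print(json.dumps(count_by_severity(data), indent=2))
    for hit in actionable(data, ignore_pkgs={"ipython", "pip"}):
        print(f"{hit['severity']:<8} {hit['id']:<16} {hit['pkg']} "
              f"{hit['installed']} -> {hit['fixed']}  ({hit['target']})")
```

On the sample, the actionable list collapses to the two Python findings with fixes (PyJWT and httpx); the imagemagick placeholders drop out because no fixed version is set, and ipython and pip are excluded by the ignore set. Trivy itself can do part of this filtering at scan time (`--severity CRITICAL,HIGH`, `--ignore-unfixed`, and a `.trivyignore` file of accepted CVE IDs), but keeping the accepted-risk list in a script or file under review is what makes the "not running in prod" reasoning auditable later.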

Hi @sbdchd,

I got a different output using this version.

$ trivy --version
Version: 0.28.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2022-07-05 06:06:05.656161198 +0000 UTC
  NextUpdate: 2022-07-05 12:06:05.656160898 +0000 UTC
  DownloadedAt: 2022-07-05 09:51:31.985153999 +0000 UTC
$ trivy i cdignam/kodiak:v0.52.0 

cdignam/kodiak:v0.52.0 (debian 10.0)

Total: 4082 (UNKNOWN: 57, LOW: 1283, MEDIUM: 1357, HIGH: 1183, CRITICAL: 202)

githubcdr avatar Jul 05 '22 09:07 githubcdr

Could be a first improvement: https://github.com/chdsbd/kodiak/pull/796

etiennetremel avatar Sep 21 '22 15:09 etiennetremel