
Consider adding docker security scanner?

Open fzipi opened this issue 4 years ago • 10 comments

We may want to add an action for docker security scanning:

https://github.com/phonito/phonito-scanner-action

fzipi avatar Feb 13 '20 12:02 fzipi

I tried this in my fork and it works. We have vulnerabilities in our images though:

modsecurity-crs-docker https://github.com/franbuehler/modsecurity-crs-docker/runs/1047826260?check_suite_focus=true:

Scan with Phonito Security
15s
##[error]Docker image contains vulnerabilities
Found vulnerabilities as of: Sun Aug 30 2020 14:26:14 GMT+0000 (Coordinated Universal Time)
┌──────────────────┬─────────┬──────────┬───────────────────┐
│ CVE ID           │ Product │ Severity │ Installed Version │
├──────────────────┼─────────┼──────────┼───────────────────┤
│ CVE-2019-1387    │ git     │ HIGH     │ 1:2.20.1          │
├──────────────────┼─────────┼──────────┼───────────────────┤
│ CVE-2019-1348    │ git     │ LOW      │ 1:2.20.1          │
├──────────────────┼─────────┼──────────┼───────────────────┤
│ CVE-2019-1353    │ git     │ CRITICAL │ 1:2.20.1          │
├──────────────────┼─────────┼──────────┼───────────────────┤
│ CVE-2020-5260    │ git     │ HIGH     │ 1:2.20.1          │
├──────────────────┼─────────┼──────────┼───────────────────┤
│ CVE-2019-1551    │ openssl │ MEDIUM   │ 1.1.1d            │
├──────────────────┼─────────┼──────────┼───────────────────┤
│ CVE-2018-1000156 │ patch   │ HIGH     │ 2.7.6             │
├──────────────────┼─────────┼──────────┼───────────────────┤
│ CVE-2018-20969   │ patch   │ HIGH     │ 2.7.6             │
├──────────────────┼─────────┼──────────┼───────────────────┤
│ CVE-2018-6951    │ patch   │ HIGH     │ 2.7.6             │
├──────────────────┼─────────┼──────────┼───────────────────┤
│ CVE-2018-6952    │ patch   │ HIGH     │ 2.7.6             │
├──────────────────┼─────────┼──────────┼───────────────────┤
│ CVE-2019-20633   │ patch   │ MEDIUM   │ 2.7.6             │
└──────────────────┴─────────┴──────────┴───────────────────┘

10 vulnerabilities present owasp/modsecurity-crs:3.3-apache.
View scan details: https://phonito.io/vulnerabilities/b3dhc3AvbW9kc2VjdXJpdHktY3JzOjMuMy1hcGFjaGU=
##[error]Docker image contains vulnerabilities

I think a rebuild and push of the underlying owasp/modsecurity-docker image would already help, we have fewer vulnerabilities there:

modsecurity-docker https://github.com/franbuehler/modsecurity-docker/runs/1047876721?check_suite_focus=true

Scan with Phonito Security
14s
[PHONITO] Succesfully scanned image.
Run phonito/phonito-scanner-action@master
wget https://phonito-public-artifacts.azureedge.net/scanner/phonito-scanner -O /tmp/phonito-scanner --quiet
chmod +x /tmp/phonito-scanner
/tmp/phonito-scanner -i owasp/modsecurity:v2-apache --fail-level HIGH
Phonito Security scan complete!
Found vulnerabilities as of: Sun Aug 30 2020 14:58:57 GMT+0000 (Coordinated Universal Time)
┌───────────────┬─────────┬──────────┬───────────────────┐
│ CVE ID        │ Product │ Severity │ Installed Version │
├───────────────┼─────────┼──────────┼───────────────────┤
│ CVE-2019-1551 │ openssl │ MEDIUM   │ 1.1.1d            │
└───────────────┴─────────┴──────────┴───────────────────┘

1 vulnerabilities present owasp/modsecurity:v2-apache.
View scan details: https://phonito.io/vulnerabilities/b3dhc3AvbW9kc2VjdXJpdHk6djItYXBhY2hl
[PHONITO] Succesfully scanned image.

Questions: Do we want to add a schedule to the "build and push" workflows:

  • https://github.com/coreruleset/modsecurity-docker/blob/master/.github/workflows/dockerimage.yml (modsecurity-docker)
  • https://github.com/coreruleset/modsecurity-crs-docker/blob/master/.github/workflows/buildimage.yml (modsecurity-crs-docker)

Like once a week, so that we always have new images with no vulnerabilities?

And do we want to extend the build and push with this security scan?

franbuehler avatar Aug 30 '20 15:08 franbuehler

Adding a scheduled scan certainly makes sense. We should then only trigger rebuilding the image when necessary, e.g. when vulnerabilities were found.

bittner avatar Aug 30 '20 20:08 bittner
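One way to wire the weekly schedule, the scan and a rebuild that is triggered only when findings exist into a GitHub Actions workflow, as an added example rather than the project's own workflow. The image tag, Dockerfile path, action version tags and secret names are assumptions; Trivy is used as the scanner, as in the later comments on this issue.

```yaml
# Added example, not the project's workflow. Weekly Trivy scan of the
# published image; rebuild and push only when HIGH/CRITICAL issues are found.
# Image tag, Dockerfile path, action versions and secret names are assumptions.
name: Scheduled vulnerability scan

on:
  schedule:
    - cron: '0 3 * * 1'   # every Monday at 03:00 UTC
  workflow_dispatch:      # also allow a manual run

jobs:
  scan:
    runs-on: ubuntu-latest
    outputs:
      # 'true' when the Trivy step exited non-zero, i.e. it found issues
      vulnerable: ${{ steps.trivy.outcome == 'failure' }}
    steps:
      - name: Scan published image with Trivy
        id: trivy
        uses: aquasecurity/trivy-action@master   # pin to a release in practice
        continue-on-error: true   # keep the job running; the outcome is read above
        with:
          image-ref: owasp/modsecurity-crs:3.3-apache
          severity: HIGH,CRITICAL
          ignore-unfixed: true    # a rebuild cannot remove CVEs without a fix
          exit-code: '1'

  rebuild:
    needs: scan
    if: needs.scan.outputs.vulnerable == 'true'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: docker/login-action@v2
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}   # assumed secret names
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Rebuild against the current base image and push
        uses: docker/build-push-action@v4
        with:
          context: .
          file: apache/Dockerfile   # assumed path
          pull: true                # fetch the latest base image layers
          no-cache: true            # do not reuse layers holding old packages
          push: true
          tags: owasp/modsecurity-crs:3.3-apache
```

Because `ignore-unfixed` skips CVEs with no upstream fix, a run that still rebuilds means a fixed package version is available, which is exactly the case where a fresh build helps; drop that input if the scheduled run should also report unfixable findings.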

This looks cool @franbuehler! I think @bittner has a point in just creating a new one only when something is found. Do you need additional help with setting it up?

fzipi avatar Aug 30 '20 22:08 fzipi

Whatever you can do that brings us forward is super-welcome!

We, at @vshn, would still need to invest time to verify the 4 main images (owasp/modsecurity:apache, owasp/modsecurity-crs:apache, and owasp/modsecurity:nginx, owasp/modsecurity-crs:nginx) in Production. We still maintain derivatives of our own image based on CRS 3.1, which is somewhat the "mother" of the changes we applied to the current images. I see some work ahead to align the last bits we might have overlooked when taking over our current features.

bittner avatar Aug 31 '20 06:08 bittner

Thank you @fzipi and @bittner. Ok, I'll try to implement this (when I find some time).

And yes, then we should investigate which changes are still missing in our official images and what else needs to be done.

franbuehler avatar Sep 01 '20 07:09 franbuehler

Relates to https://github.com/coreruleset/modsecurity-docker/issues/43.

bittner avatar Sep 14 '20 15:09 bittner

Relates to coreruleset/modsecurity-docker#43.

I also just ran a trivy scan against owasp/modsecurity-crs:v3.3.2-nginx and it returned:

owasp/modsecurity-crs:v3.3.2-nginx (debian 10.10)
=================================================
Total: 323 (UNKNOWN: 0, LOW: 215, MEDIUM: 45, HIGH: 55, CRITICAL: 8)

Now that modsecurity-docker has moved to Alpine it would be nice to see modsecurity-crs-docker also move from Debian to Alpine.

NGINX maintain both Debian and Alpine images, so hopefully this is not a large increase in maintenance burden as we can still rely on default upstream images.

MitchellCash avatar Aug 05 '21 09:08 MitchellCash

@MitchellCash Can you run it again now that we have alpine images? We still need to run this in a pipeline.

fzipi avatar Nov 30 '21 22:11 fzipi

@fzipi Alpine based image looks good to me on the initial trivy scan (also the image is almost half the size)! Nice work!

Debian based image

owasp/modsecurity-crs:3.3.2-nginx (debian 11.1)
===============================================
Total: 232 (UNKNOWN: 0, LOW: 156, MEDIUM: 43, HIGH: 24, CRITICAL: 9)

Alpine based image 🥳

owasp/modsecurity-crs:3.3.2-nginx-alpine (alpine 3.14.3)
========================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

MitchellCash avatar Dec 01 '21 10:12 MitchellCash

Good, this matches my own tests. I don't think we can do too much in the debian image (I've checked a couple criticals, and they are still there :/ ).

fzipi avatar Jan 18 '22 16:01 fzipi