
Several security vulnerabilities in pactfoundation/pact-broker docker image

Open matthelliwell2 opened this issue 2 years ago • 4 comments

Pre issue-raising checklist

I have already (please mark the applicable with an x):

  • [x] Upgraded to the latest Pact Broker OR
  • [ ] Checked the CHANGELOG to see if the issue I am about to raise has been fixed
  • [ ] Created an executable example that demonstrates the issue using either a:
    • Dockerfile
    • Git repository with a Travis or Appveyor (or similar) build

Software versions

pactfoundation/pact-broker:2.98.0.0

Expected behaviour

No security vulnerabilities reported by scanners

Actual behaviour

We are using Orca (https://orca.security/) to scan images and it is reporting the following vulnerabilities:

https://nvd.nist.gov/vuln/detail/CVE-2022-29824. The image has libxml2.so.2.9.13; the issue was fixed in 2.9.14

5 different issues in nokogiri:

  • https://nvd.nist.gov/vuln/detail/CVE-2022-24839
  • https://nvd.nist.gov/vuln/detail/CVE-2022-24836
  • https://nvd.nist.gov/vuln/detail/CVE-2021-41098
  • https://nvd.nist.gov/vuln/detail/CVE-2021-30560
  • https://nvd.nist.gov/vuln/detail/CVE-2018-25032

The latest version of this gem has some security fixes that might resolve some or all of these.

https://nvd.nist.gov/vuln/detail/CVE-2022-24790. The image has puma-5.6.2 and the issue was fixed in 5.6.4

Steps to reproduce

Relevant log files

n/a

matthelliwell2 • May 12 '22 13:05
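A defender's check for the versions named in this report, added here as an example and not part of the pact_broker project or the scanner: it parses a Gemfile.lock and flags gems pinned below a known fixed version. The only threshold on the page is puma fixed in 5.6.4 (CVE-2022-24790), so that is the single entry; the lockfile fragment is constructed. libxml2 is a system library, not a gem, so it is outside what this check sees.

```ruby
# Added example (not from pact_broker): compare pinned gem versions in a
# Gemfile.lock against the minimum fixed versions named in the report.
require 'rubygems'

# Minimum fixed versions taken from the report: puma fixed in 5.6.4.
# Extend as fixed versions for other gems become known.
MIN_FIXED = {
  'puma' => Gem::Version.new('5.6.4'),
}.freeze

# Constructed sample Gemfile.lock fragment pinning the puma version the report found.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.13.6-x86_64-linux)
        racc (~> 1.4)
      puma (5.6.2)
        nio4r (~> 2.0)
      rack (2.2.3)
LOCK

# Parse the specs section: a pinned gem is "    name (version)" indented by
# exactly 4 spaces; its dependencies are indented by 6 and are skipped.
# Platform suffixes such as "-x86_64-linux" are dropped so Gem::Version parses.
def parse_lock(text)
  text.each_line.with_object({}) do |line, gems|
    m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/)
    next unless m
    gems[m[1]] = Gem::Version.new(m[2].split('-', 2).first)
  end
end

# Return {name => [pinned, fixed]} for gems pinned below their fixed version.
def vulnerable_gems(lock_text, min_fixed = MIN_FIXED)
  parse_lock(lock_text).each_with_object({}) do |(name, ver), out|
    fixed = min_fixed[name]
    out[name] = [ver.to_s, fixed.to_s] if fixed && ver < fixed
  end
end

if __FILE__ == $PROGRAM_NAME
  vulnerable_gems(SAMPLE_LOCK).each do |name, (pinned, fixed)|
    puts "#{name}: pinned #{pinned}, fixed in #{fixed}"
  end
end
```

Run it against the image's real Gemfile.lock (for example copied out with `docker cp`) after a bundle update to confirm the pins actually moved past the fixed versions before re-scanning.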

I haven't had time to go through all of those vulnerabilities individually, however, I have done a bundle update and put out a new docker image with tag 2.98.0.1, so please re-scan and let me know how you go.

bethesque • May 13 '22 03:05

Thanks for coming back so quickly. We've re-scanned and that got rid of the puma and libxml issues. We've still got the 5 nokogiri issues.

matthelliwell2 • May 13 '22 08:05

The latest version of nokogiri is already being used in the docker image, so I don't think there's anything we can do to make those go away.

bethesque • May 16 '22 23:05

This is similar to issue #553 which is already resolved with version 2.100.0.0. That issue can be closed.

deporcali • May 20 '22 16:05

This is probably so out of date as to be irrelevant now. Closing, but feel free to re-open.

bethesque • Sep 20 '22 05:09