Dependency updates and code scanning

Hi,
I recently tried out the restic rest-server (GitHub - restic/rest-server: Rest Server is a high performance HTTP server that implements restic's REST backend API.) and it worked quite well, thanks for providing that piece of software

I saw that there is a docker image and used that. Usually, I have a small container image scanner (trivy) locally which I use to check if images are outdated before I deploy them GitHub - aquasecurity/trivy: Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues and hard-coded secrets.

It can be freely used and also has a GitHub Action which could be incorporated into the build/release process.

Currently, it finds those issues:

$ trivy image restic/rest-server:latest
2022-09-27T10:14:11.949+0200	INFO	Need to update DB
2022-09-27T10:14:11.949+0200	INFO	DB Repository: ghcr.io/aquasecurity/trivy-db
2022-09-27T10:14:11.949+0200	INFO	Downloading DB...
34.22 MiB / 34.22 MiB [----------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 13.63 MiB p/s 2.7s
2022-09-27T10:14:15.521+0200	INFO	Vulnerability scanning is enabled
2022-09-27T10:14:15.521+0200	INFO	Secret scanning is enabled
2022-09-27T10:14:15.521+0200	INFO	If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-09-27T10:14:15.521+0200	INFO	Please see also https://aquasecurity.github.io/trivy/0.30.4/docs/secret/scanning/#recommendation for faster secret detection
2022-09-27T10:14:15.540+0200	INFO	Detected OS: alpine
2022-09-27T10:14:15.540+0200	INFO	Detecting Alpine vulnerabilities...
2022-09-27T10:14:15.543+0200	INFO	Number of language-specific files: 1
2022-09-27T10:14:15.543+0200	INFO	Detecting gobinary vulnerabilities...
2022-09-27T10:14:15.545+0200	WARN	Error while getting vulnerability details: failed to get the vulnerability "CVE-2021-35940.patch": no vulnerability details for CVE-2021-35940.patch

restic/rest-server:latest (alpine 3.15.0)

Total: 29 (UNKNOWN: 1, LOW: 0, MEDIUM: 6, HIGH: 12, CRITICAL: 10)

┌───────────────┬──────────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│    Library    │    Vulnerability     │ Severity │ Installed Version │ Fixed Version │                            Title                             │
├───────────────┼──────────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ apache2-utils │ CVE-2022-22720       │ CRITICAL │ 2.4.52-r0         │ 2.4.53-r0     │ httpd: Errors encountered during the discarding of request   │
│               │                      │          │                   │               │ body lead to HTTP...                                         │
│               │                      │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-22720                   │
│               ├──────────────────────┤          │                   │               ├──────────────────────────────────────────────────────────────┤
│               │ CVE-2022-22721       │          │                   │               │ httpd: core: Possible buffer overflow with very large or     │
│               │                      │          │                   │               │ unlimited LimitXMLRequestBody                                │
│               │                      │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-22721                   │
├───────────────┼──────────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ apache2-utils │ CVE-2022-23943       │ CRITICAL │ 2.4.52-r0         │ 2.4.53-r0     │ httpd: mod_sed: Read/write beyond bounds                     │
│               │                      │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-23943                   │
│               ├──────────────────────┤          │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
│               │ CVE-2022-28615       │          │                   │ 2.4.54-r0     │ httpd: out-of-bounds read in ap_strcmp_match()               │
│               │                      │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-28615                   │
├───────────────┼──────────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ apache2-utils │ CVE-2022-31813       │ CRITICAL │ 2.4.52-r0         │ 2.4.54-r0     │ httpd: mod_proxy: X-Forwarded-For dropped by hop-by-hop      │
│               │                      │          │                   │               │ mechanism                                                    │
│               │                      │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-31813                   │
├───────────────┼──────────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ apache2-utils │ CVE-2022-22719       │ HIGH     │ 2.4.52-r0         │ 2.4.53-r0     │ httpd: mod_lua: Use of uninitialized value of in r:parsebody │
│               │                      │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-22719                   │
│               ├──────────────────────┤          │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
│               │ CVE-2022-26377       │          │                   │ 2.4.54-r0     │ httpd: mod_proxy_ajp: Possible request smuggling             │
│               │                      │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-26377                   │
│               ├──────────────────────┤          │                   │               ├──────────────────────────────────────────────────────────────┤
│               │ CVE-2022-29404       │          │                   │               │ httpd: mod_lua: DoS in r:parsebody                           │
│               │                      │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-29404                   │
│               ├──────────────────────┤          │                   │               ├──────────────────────────────────────────────────────────────┤
│               │ CVE-2022-30522       │          │                   │               │ httpd: mod_sed: DoS vulnerability                            │
│               │                      │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-30522                   │
│               ├──────────────────────┤          │                   │               ├──────────────────────────────────────────────────────────────┤
│               │ CVE-2022-30556       │          │                   │               │ httpd: mod_lua: Information disclosure with websockets       │
│               │                      │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-30556                   │
│               ├──────────────────────┼──────────┤                   │               ├──────────────────────────────────────────────────────────────┤
│               │ CVE-2022-28330       │ MEDIUM   │                   │               │ httpd: mod_isapi: out-of-bounds read                         │
│               │                      │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-28330                   │
│               ├──────────────────────┤          │                   │               ├──────────────────────────────────────────────────────────────┤
│               │ CVE-2022-28614       │          │                   │               │ httpd: out-of-bounds read via ap_rwrite()                    │
│               │                      │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-28614                   │
├───────────────┼──────────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ apr           │ CVE-2021-35940.patch │ UNKNOWN  │ 1.7.0-r0          │ 1.7.0-r1      │                                                              │
├───────────────┼──────────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ busybox       │ CVE-2022-28391       │ HIGH     │ 1.34.1-r3         │ 1.34.1-r5     │ busybox: remote attackers may execute arbitrary code if      │
│               │                      │          │                   │               │ netstat is used                                              │
│               │                      │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-28391                   │
├───────────────┼──────────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ expat         │ CVE-2022-25235       │ CRITICAL │ 2.4.4-r0          │ 2.4.5-r0      │ expat: Malformed 2- and 3-byte UTF-8 sequences can lead to   │
│               │                      │          │                   │               │ arbitrary code...                                            │
│               │                      │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-25235                   │
│               ├──────────────────────┤          │                   │               ├──────────────────────────────────────────────────────────────┤
│               │ CVE-2022-25236       │          │                   │               │ expat: Namespace-separator characters in "xmlns[:prefix]"    │
│               │                      │          │                   │               │ attribute values can lead to arbitrary code...               │
│               │                      │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-25236                   │
├───────────────┼──────────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ expat         │ CVE-2022-25315       │ CRITICAL │ 2.4.4-r0          │ 2.4.5-r0      │ expat: Integer overflow in storeRawNames()                   │
│               │                      │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-25315                   │
├───────────────┼──────────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ expat         │ CVE-2022-40674       │ CRITICAL │ 2.4.4-r0          │ 2.4.9-r0      │ libexpat before 2.4.9 has a use-after-free in the doContent  │
│               │                      │          │                   │               │ function i ......                                            │
│               │                      │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-40674                   │
├───────────────┼──────────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ expat         │ CVE-2022-25314       │ HIGH     │ 2.4.4-r0          │ 2.4.5-r0      │ expat: integer overflow in copyString()                      │
│               │                      │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-25314                   │
│               ├──────────────────────┼──────────┤                   │               ├──────────────────────────────────────────────────────────────┤
│               │ CVE-2022-25313       │ MEDIUM   │                   │               │ expat: stack exhaustion in doctype parsing                   │
│               │                      │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-25313                   │
├───────────────┼──────────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libcrypto1.1  │ CVE-2022-0778        │ HIGH     │ 1.1.1l-r7         │ 1.1.1n-r0     │ openssl: Infinite loop in BN_mod_sqrt() reachable when       │
│               │                      │          │                   │               │ parsing certificates                                         │
│               │                      │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-0778                    │
├───────────────┼──────────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libcrypto1.1  │ CVE-2022-2097        │ MEDIUM   │ 1.1.1l-r7         │ 1.1.1q-r0     │ openssl: AES OCB fails to encrypt some bytes                 │
│               │                      │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-2097                    │
├───────────────┼──────────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libretls      │ CVE-2022-0778        │ HIGH     │ 3.3.4-r2          │ 3.3.4-r3      │ openssl: Infinite loop in BN_mod_sqrt() reachable when       │
│               │                      │          │                   │               │ parsing certificates                                         │
│               │                      │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-0778                    │
├───────────────┤                      │          ├───────────────────┼───────────────┤                                                              │
│ libssl1.1     │                      │          │ 1.1.1l-r7         │ 1.1.1n-r0     │                                                              │
│               │                      │          │                   │               │                                                              │
│               │                      │          │                   │               │                                                              │
├───────────────┼──────────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libssl1.1     │ CVE-2022-2097        │ MEDIUM   │ 1.1.1l-r7         │ 1.1.1q-r0     │ openssl: AES OCB fails to encrypt some bytes                 │
│               │                      │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-2097                    │
├───────────────┼──────────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ libuuid       │ CVE-2022-0563        │ MEDIUM   │ 2.37.3-r0         │ 2.37.4-r0     │ util-linux: partial disclosure of arbitrary files in chfn    │
│               │                      │          │                   │               │ and chsh when compiled...                                    │
│               │                      │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-0563                    │
├───────────────┼──────────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ ssl_client    │ CVE-2022-28391       │ HIGH     │ 1.34.1-r3         │ 1.34.1-r5     │ busybox: remote attackers may execute arbitrary code if      │
│               │                      │          │                   │               │ netstat is used                                              │
│               │                      │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-28391                   │
├───────────────┼──────────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ zlib          │ CVE-2022-37434       │ CRITICAL │ 1.2.11-r3         │ 1.2.12-r2     │ zlib: a heap-based buffer over-read or buffer overflow in    │
│               │                      │          │                   │               │ inflate in inflate.c...                                      │
│               │                      │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-37434                   │
│               ├──────────────────────┼──────────┤                   ├───────────────┼──────────────────────────────────────────────────────────────┤
│               │ CVE-2018-25032       │ HIGH     │                   │ 1.2.12-r0     │ zlib: A flaw found in zlib when compressing (not             │
│               │                      │          │                   │               │ decompressing) certain inputs...                             │
│               │                      │          │                   │               │ https://avd.aquasec.com/nvd/cve-2018-25032                   │
└───────────────┴──────────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘

usr/bin/rest-server (gobinary)

Total: 3 (UNKNOWN: 1, LOW: 0, MEDIUM: 1, HIGH: 1, CRITICAL: 0)

┌─────────────────────┬─────────────────────┬──────────┬────────────────────────────────────┬───────────────────────────────────┬────────────────────────────────────────────────────────────┐
│       Library       │    Vulnerability    │ Severity │         Installed Version          │           Fixed Version           │                           Title                            │
├─────────────────────┼─────────────────────┼──────────┼────────────────────────────────────┼───────────────────────────────────┼────────────────────────────────────────────────────────────┤
│ golang.org/x/crypto │ CVE-2022-27191      │ HIGH     │ v0.0.0-20220208050332-20e1d8d225ab │ 0.0.0-20220314234659-1baeb1ce4c0b │ golang: crash in a golang.org/x/crypto/ssh server          │
│                     │                     │          │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2022-27191                 │
├─────────────────────┼─────────────────────┼──────────┼────────────────────────────────────┼───────────────────────────────────┼────────────────────────────────────────────────────────────┤
│ golang.org/x/crypto │ GHSA-8c26-wmh5-6g9v │ UNKNOWN  │ v0.0.0-20220208050332-20e1d8d225ab │ 0.0.0-20220314234659-1baeb1ce4c0b │ Attackers can cause a crash in SSH servers when the server │
│                     │                     │          │                                    │                                   │ has...                                                     │
│                     │                     │          │                                    │                                   │ https://github.com/advisories/GHSA-8c26-wmh5-6g9v          │
├─────────────────────┼─────────────────────┼──────────┼────────────────────────────────────┼───────────────────────────────────┼────────────────────────────────────────────────────────────┤
│ golang.org/x/sys    │ CVE-2022-29526      │ MEDIUM   │ v0.0.0-20220114195835-da31bd327af9 │ 0.0.0-20220412211240-33da011f77ad │ golang: syscall: faccessat checks wrong group              │
│                     │                     │          │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2022-29526                 │
└─────────────────────┴─────────────────────┴──────────┴────────────────────────────────────┴───────────────────────────────────┴────────────────────────────────────────────────────────────┘

Most of the issues can simply be solved by rebuilding the container image:

$ trivy image restic/rest-server:konrad
2022-09-27T10:15:47.989+0200	INFO	Vulnerability scanning is enabled
2022-09-27T10:15:47.989+0200	INFO	Secret scanning is enabled
2022-09-27T10:15:47.990+0200	INFO	If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-09-27T10:15:47.990+0200	INFO	Please see also https://aquasecurity.github.io/trivy/0.30.4/docs/secret/scanning/#recommendation for faster secret detection
2022-09-27T10:15:48.009+0200	INFO	Detected OS: alpine
2022-09-27T10:15:48.009+0200	INFO	Detecting Alpine vulnerabilities...
2022-09-27T10:15:48.010+0200	INFO	Number of language-specific files: 1
2022-09-27T10:15:48.010+0200	INFO	Detecting gobinary vulnerabilities...

restic/rest-server:konrad (alpine 3.16.2)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


usr/bin/rest-server (gobinary)

Total: 3 (UNKNOWN: 1, LOW: 0, MEDIUM: 1, HIGH: 1, CRITICAL: 0)

┌─────────────────────┬─────────────────────┬──────────┬────────────────────────────────────┬───────────────────────────────────┬────────────────────────────────────────────────────────────┐
│       Library       │    Vulnerability    │ Severity │         Installed Version          │           Fixed Version           │                           Title                            │
├─────────────────────┼─────────────────────┼──────────┼────────────────────────────────────┼───────────────────────────────────┼────────────────────────────────────────────────────────────┤
│ golang.org/x/crypto │ CVE-2022-27191      │ HIGH     │ v0.0.0-20220208050332-20e1d8d225ab │ 0.0.0-20220314234659-1baeb1ce4c0b │ golang: crash in a golang.org/x/crypto/ssh server          │
│                     │                     │          │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2022-27191                 │
├─────────────────────┼─────────────────────┼──────────┼────────────────────────────────────┼───────────────────────────────────┼────────────────────────────────────────────────────────────┤
│ golang.org/x/crypto │ GHSA-8c26-wmh5-6g9v │ UNKNOWN  │ v0.0.0-20220208050332-20e1d8d225ab │ 0.0.0-20220314234659-1baeb1ce4c0b │ Attackers can cause a crash in SSH servers when the server │
│                     │                     │          │                                    │                                   │ has...                                                     │
│                     │                     │          │                                    │                                   │ https://github.com/advisories/GHSA-8c26-wmh5-6g9v          │
├─────────────────────┼─────────────────────┼──────────┼────────────────────────────────────┼───────────────────────────────────┼────────────────────────────────────────────────────────────┤
│ golang.org/x/sys    │ CVE-2022-29526      │ MEDIUM   │ v0.0.0-20220114195835-da31bd327af9 │ 0.0.0-20220412211240-33da011f77ad │ golang: syscall: faccessat checks wrong group              │
│                     │                     │          │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2022-29526                 │
└─────────────────────┴─────────────────────┴──────────┴────────────────────────────────────┴───────────────────────────────────┴────────────────────────────────────────────────────────────┘

I am wondering, if you would be interested in automatic rebuilds of the image.
I could imagine something like a trivy scan workflow which runs daily and checks for security findings. If found, it could try to build the image again and scan if that resolves anything. If that is the case, a push to dockerhub could be performed.

If we would add e.g. Renovate Mend (GitHub - renovatebot/renovate: Universal dependency update tool that fits into your workflows., also available as GitHub App), we could pin docker image digests to automatically get PRs, if e.g. Alpine changes or golang module updates. New PRs could run tests again before they get merged.
A merge to master could publish an updated container image to GitHub.
Dependabot could also be used, but Renovate is OpenSource and I think more flexible when it comes to rules. I am also more familar with Renovate, but have no hard feelings against Dependabot either.

What are your thoughts on this? I guess restic itself could also leverage renovate, but I think for server components it might me more critical for now.

Restic itself is also more up-to-date currently:

$ trivy image restic/restic
2022-09-27T10:22:19.908+0200	INFO	Vulnerability scanning is enabled
2022-09-27T10:22:19.908+0200	INFO	Secret scanning is enabled
2022-09-27T10:22:19.908+0200	INFO	If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-09-27T10:22:19.908+0200	INFO	Please see also https://aquasecurity.github.io/trivy/0.30.4/docs/secret/scanning/#recommendation for faster secret detection
2022-09-27T10:22:21.324+0200	INFO	Detected OS: alpine
2022-09-27T10:22:21.324+0200	INFO	Detecting Alpine vulnerabilities...
2022-09-27T10:22:21.340+0200	INFO	Number of language-specific files: 1
2022-09-27T10:22:21.341+0200	INFO	Detecting gobinary vulnerabilities...

restic/restic (alpine 3.16.2)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


usr/bin/restic (gobinary)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

┌──────────────────┬────────────────┬──────────┬────────────────────────────────────┬───────────────────────────────────┬─────────────────────────────────────────────────────────────┐
│     Library      │ Vulnerability  │ Severity │         Installed Version          │           Fixed Version           │                            Title                            │
├──────────────────┼────────────────┼──────────┼────────────────────────────────────┼───────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ golang.org/x/net │ CVE-2022-27664 │ HIGH     │ v0.0.0-20220822230855-b0a4917ee28c │ 0.0.0-20220906165146-f3363e06e74c │ golang: net/http: handle server errors after sending GOAWAY │
│                  │                │          │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2022-27664                  │
└──────────────────┴────────────────┴──────────┴────────────────────────────────────┴───────────────────────────────────┴─────────────────────────────────────────────────────────────┘

Thanks
Konrad

Hmm, good question. Most of the CVEs in the reports appear to just be noisy without any meaningful influence on what actually runs in the containers. e.g. the apache2-utils are just there to update the htaccess file and are only accessible by an admin. Something similar seems to apply to the CVEs in libraries used by rest-server. That said, it still nicer to just have images without CVEs.

Regarding vulnerabilities in Go libraries, govulncheck seems to be more promising, as it only reports CVEs affecting library parts that are actually used.

To automatically rebuild containers we’d first need to rework how containers are built and uploaded. And that will likely take some time until we get there. But I’ll keep it in mind.

Ok thanks, please let me know, if I can help out somewhere. The general problem with container images is that they tend to be flagged as outdated by scanners quite fast as all tools except the kernel are shipped with them. If you only ship the go binary, updates are basically applied by yum/apt or whatever package manager is used which simplifies maintenance on your end. I guess for “production style” deployments installing natively is preferred to have recent libs/tools deployed.

It is kind of an annoying problem of most docker builds (not rest-server or restic in particular) that builds are not reproducible. Running the build now might produce a different image than running it tomorrow. If different machines have different cached images, it even gets worse.

Pinning image digests fixes the problem on the image level, but package managers will still install whatever package was recent at that time in the repositories. You could pin the package as well, but it’s dependencies will be floating again.
As you are using go, you could just put only the binary in the image, but that would not include the apache tools… Implementing the htaccess part in Golang as well is probably also not ideal.
The most pragmatic approach is probably just frequent rebuilds, but that would also cause the requirement of redeployment for users.

Maybe it’s good enough to do monthly rebuilds as a tradeoff between having recent tools and user’s convenience.
The last rebuild was done on the 10th of February, to keep things simple from versioning point of view I would propose to add timestamps to image tags in addition to the tags you already have.

Like 0.11.0 would always point to the latest 0.11.0 release, but every rebuild also produces a timestamped tag, like 0.11.0-202202101919 for the last build.