
fix(docker): Some versions stayed behind #11785

Open. kiblik wants to merge 2 commits into base: dev from docker_pins.

Conversation

kiblik (Contributor) commented Feb 10, 2025

Neither Renovate nor Dependabot is able to identify the increased "os" part of docker tags. From time to time it needs a little help.
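The situation the PR fixes (the bots bump the version in a tag, but a digest-pinned `FROM` only pulls what the digest says, and the OS suffix of the tag is left alone) can be checked mechanically. The following is an added example, not DefectDojo's own code or tooling: a small Python checker that parses `FROM` lines, flags base images that carry no digest, and diffs two revisions of a Dockerfile to report version and OS-variant moves, including the case where a tag was bumped but its digest was not. The two `python:` lines are the ones shown in this PR; the `node` and `nginx` lines, and the `node` digest made of repeated `aa` bytes, are constructed sample input.

```python
import re

# Parses "FROM [--platform=...] image[:tag][@sha256:<hex>] [AS stage]" lines.
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?"
    r"(?P<image>[^\s:@]+)"
    r"(?::(?P<tag>[^\s@]+))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?"
    r"(?:\s+AS\s+(?P<stage>\S+))?\s*$",
    re.IGNORECASE | re.MULTILINE,
)
# Splits "3.11.11-alpine3.20" into the upstream version and the OS-variant suffix.
TAG_RE = re.compile(r"^(?P<version>\d+(?:\.\d+)*)(?:-(?P<os>.+))?$")


def parse_from_lines(dockerfile: str) -> list[dict]:
    """Return one dict per FROM line that pulls an external image.

    FROM lines that reference an earlier build stage ("FROM base AS x")
    are skipped because they do not pull anything."""
    stages: set[str] = set()
    bases = []
    for m in FROM_RE.finditer(dockerfile):
        d = m.groupdict()
        if d["image"] in stages:
            continue
        t = TAG_RE.match(d["tag"] or "")
        d["version"] = t.group("version") if t else None
        d["os"] = t.group("os") if t else None
        bases.append(d)
        if d["stage"]:
            stages.add(d["stage"])
    return bases


def find_unpinned(dockerfile: str) -> list[str]:
    """Images referenced by tag only: a tag is mutable, a digest is not."""
    return [f"{b['image']}:{b['tag'] or 'latest'}"
            for b in parse_from_lines(dockerfile) if not b["digest"]]


def compare_pins(old_dockerfile: str, new_dockerfile: str) -> list[str]:
    """Describe how each external base image moved between two revisions.

    Assumption: both revisions list their external FROM lines in the same order."""
    old = parse_from_lines(old_dockerfile)
    new = parse_from_lines(new_dockerfile)
    findings = []
    for i, (o, n) in enumerate(zip(old, new), start=1):
        where = f"FROM #{i} ({n['image']})"
        if o["tag"] != n["tag"] and o["digest"] == n["digest"]:
            # The digest is what is actually pulled; a bumped tag on top of an
            # unchanged digest only looks like an upgrade.
            findings.append(f"{where}: tag {o['tag']} -> {n['tag']} but digest unchanged;"
                            " the digest is what gets pulled, so the new tag is misleading")
        if o["digest"] != n["digest"] and o["tag"] == n["tag"]:
            findings.append(f"{where}: digest moved under unchanged tag {n['tag']}")
        if o["version"] != n["version"]:
            findings.append(f"{where}: version {o['version']} -> {n['version']}")
        if o["os"] != n["os"]:
            findings.append(f"{where}: os variant {o['os']} -> {n['os']}")
    if len(old) != len(new):
        findings.append(f"FROM count changed: {len(old)} -> {len(new)}")
    return findings


# Constructed sample input. The python: lines are the two from this PR; the
# node: digest of repeated "aa" bytes and the nginx: line are made up.
OLD_DOCKERFILE = """\
FROM python:3.11.9-alpine3.20@sha256:f9ce6fe33d9a5499e35c976df16d24ae80f6ef0a28be5433140236c2ca482686 AS base
FROM base AS collectstatic
FROM node:20-alpine3.20@sha256:%s AS node
FROM nginx:1.27-alpine AS nginx
""" % ("aa" * 32)

NEW_DOCKERFILE = """\
FROM python:3.11.11-alpine3.20@sha256:6e18772230b36e78251ed179a2a2a2b3cc94726f02e1fddccdcfbe05b17bdc96 AS base
FROM base AS collectstatic
FROM node:20-alpine3.21@sha256:%s AS node
FROM nginx:1.27-alpine AS nginx
""" % ("aa" * 32)


if __name__ == "__main__":
    for image in find_unpinned(NEW_DOCKERFILE):
        print(f"unpinned: {image}")
    for finding in compare_pins(OLD_DOCKERFILE, NEW_DOCKERFILE):
        print(finding)
```

Run against the sample input it reports the `nginx` image as unpinned, the `python` version move from 3.11.9 to 3.11.11, and for `node` both the OS-variant move to alpine3.21 and the fact that its digest did not move with the tag, which is exactly the kind of inconsistency a digest-aware review should catch.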

kiblik force-pushed the docker_pins branch 2 times, most recently from 72e24e2 to bc2ed3c on February 10, 2025 15:42
Contributor: This pull request has conflicts, please resolve those before we can evaluate the pull request.

Contributor: Conflicts have been resolved. A maintainer will review the pull request shortly.

kiblik force-pushed the docker_pins branch 2 times, most recently from a96e63a to 279fd66 on February 10, 2025 21:36

FROM python:3.11.9-alpine3.20@sha256:f9ce6fe33d9a5499e35c976df16d24ae80f6ef0a28be5433140236c2ca482686 AS base
FROM python:3.11.11-alpine3.20@sha256:6e18772230b36e78251ed179a2a2a2b3cc94726f02e1fddccdcfbe05b17bdc96 AS base
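Review bot: the `@sha256:` digest is what the pull resolves, and once it is present the `3.11.11-alpine3.20` tag is documentation only, so tag and digest must always move together on a bump (they do here); also confirm the new digest is the multi-arch index digest rather than one platform's manifest digest, as a maintainer notes below, so the same pin serves the arm64 build that is mentioned in this thread.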
Contributor Author

Originally I wanted to go up to alpine3.21 but it is failing with

 > [nginx collectstatic 2/8] RUN npm install -g yarn --force:
0.280 Error relocating /usr/bin/node: sqlite3session_attach: symbol not found
0.280 Error relocating /usr/bin/node: sqlite3changeset_apply: symbol not found
0.280 Error relocating /usr/bin/node: sqlite3session_create: symbol not found
0.280 Error relocating /usr/bin/node: sqlite3session_changeset: symbol not found
0.281 Error relocating /usr/bin/node: sqlite3session_patchset: symbol not found
0.281 Error relocating /usr/bin/node: sqlite3session_delete: symbol not found

It probably needs some additional customization. I will solve it in a separate PR.

Member

During my arm64 testing I also noticed some issues on python 3.12.x / alpine 3.21. And on arm64 I also see issues with sqlite.

kiblik marked this pull request as ready for review February 10, 2025 21:39
dryrunsecurity bot commented Feb 10, 2025

DryRun Security Summary

The PR introduces various security vulnerabilities including hardcoded credentials, empty authentication variables, supply chain risks, network exposure concerns, and sensitive environment configurations while updating Python and service base images across multiple Dockerfiles.


The PR updates Python and service base images across multiple Dockerfiles, including changes to Django, Nginx, and integration test configurations, with version bumps to Python 3.11.11 and Alpine/Debian variants.

Security Vulnerabilities:

  1. Hardcoded/Default Credentials (docker-compose.yml):
  • POSTGRES_USER/PASSWORD set to 'defectdojo'
  • DD_SECRET_KEY uses predictable default value
  • DD_ALLOWED_HOSTS set to "*"
  2. Empty Authentication Variables:
  • METRICS_HTTP_AUTH_USER=""
  • METRICS_HTTP_AUTH_PASSWORD=""
  • DD_ADMIN_PASSWORD set to empty string
  3. Potential Supply Chain Risks:
  • Hardcoded download URLs for Chrome/ChromeDriver
  • External package sources for Node.js and Yarn installation
  4. Network Exposure Risks:
  • Ports exposed on 0.0.0.0 and 8080
  • HTTP localhost usage instead of HTTPS
  • Wide network accessibility configurations
  5. Sensitive Environment Configurations:
  • Default admin credentials ([email protected])
  • Predictable user IDs and group permissions

Code Analysis

We ran 9 analyzers against 6 files and 0 analyzers had findings. 9 analyzers had no findings.


valentijnscholten (Member) commented

Apart from my comment it looks good, nice to see index digests are used.

kiblik closed this Feb 11, 2025
kiblik reopened this Feb 11, 2025
Contributor: This pull request has conflicts, please resolve those before we can evaluate the pull request.
