Commit
Merge pull request #1 from jtgorny/initial
Container Image Scanning Initial Commit
jtgorny authored Jun 10, 2024
2 parents c2f4d03 + 372950b commit 112757d
Showing 7 changed files with 170 additions and 1 deletion.
51 changes: 51 additions & 0 deletions .github/workflows/github-actions.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,51 @@
name: Build Docker image

on:
push:
branches:
- '**' # This matches all branches

jobs:
build:
runs-on: ubuntu-latest

steps:
- name: Checkout code
uses: actions/checkout@v2

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2

# IF YOU WANT TO PUSH TO DOCKER HUB
# - name: Log in to Docker Hub
# uses: docker/login-action@v2
# with:
# username: ${{ secrets.DOCKER_USERNAME }}
# password: ${{ secrets.DOCKER_PASSWORD }}

- name: Build Docker image
uses: docker/build-push-action@v4
with:
context: .
push: false # Do not push the image
load: true # Load the image into Docker
tags: cve-image:latest

# DEBUGGING
# - name: List Docker images
# run: docker images
#
# - name: Check Docker daemon status
# run: sudo systemctl status docker

- name: Install Trivy
run: |
sudo apt-get update
sudo apt-get install -y wget apt-transport-https gnupg lsb-release
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install -y trivy
- name: Scan Docker image with Trivy
run: trivy image cve-image:latest # Specify `--exit-code 1` if you want actions to fail if CVE's are detected
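Review bot: the scan step never gates the build, because `--exit-code 1` is only mentioned in the trailing comment of `run: trivy image cve-image:latest`, so a CRITICAL finding still yields a green check; if the workflow is meant to block, make it `run: trivy image --exit-code 1 --severity HIGH,CRITICAL cve-image:latest`. Two smaller points in the same hunk: `apt-key add -` in the Install Trivy step is deprecated on current Debian/Ubuntu (the key belongs under `/etc/apt/keyrings` and the sources entry should reference it with `signed-by=`), and the actions are pinned by mutable major tags (`actions/checkout@v2`, `docker/setup-buildx-action@v2`, `docker/build-push-action@v4`) rather than a commit SHA, so a retagged release changes what runs in the pipeline without any diff appearing here.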
5 changes: 5 additions & 0 deletions .gitignore
@@ -0,0 +1,5 @@
## Directory-based project format:
.idea/

# Temp Directories and Files
Scratchpad.txt
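Review bot: `.idea/` is ignored here, yet the same commit adds `.idea/.gitignore` (next file), so either the rule is not taking effect or the IDE file was force-added; drop one or the other so the repository and its ignore rules agree. Minor: the two section headers use different comment styles (`##` vs `#`); pick one.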
8 changes: 8 additions & 0 deletions .idea/.gitignore


10 changes: 10 additions & 0 deletions Dockerfile
@@ -0,0 +1,10 @@
# Use Debian as base image
FROM debian:latest

# Update package lists and install vulnerable package
#RUN apt-get update && \
# apt-get install -y libssl-dev=3.0.11-1~deb12u2

# Set entry point to a simple script
COPY entrypoint.sh /entrypoint.sh
ENTRYPOINT ["/entrypoint.sh"]
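Review bot: the `RUN apt-get install -y libssl-dev=3.0.11-1~deb12u2` line is commented out, so the Dockerfile as committed already builds the "fixed" image and README step 1 (build the vulnerable image, scan, find `libssl-dev`) cannot be reproduced from this state; keeping the vulnerable install behind a build argument (for example `ARG INJECT_CVE=false` and a conditional `RUN`) would let both images come from one file. Separately, `FROM debian:latest` is a moving target: the README's scan totals (92 before, 78 after) depend on whichever base snapshot was pulled that day, so pin a version tag or digest (`debian:12.5`, or `debian@sha256:<digest>`) if the numbers are meant to be reproducible.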
94 changes: 93 additions & 1 deletion README.md
@@ -1 +1,93 @@
# cve-scanning
# Container Image CVE Scanning
The purpose of this project is to demonstrate CVE Scanning tooling in action and how it can be benefial to
organizations.

## Steps:
1. Build a dockerfile and container image using docker.
2. Leverage an open-source CVE scanning tool to determine if there are any exploitable vulnerabilities
in our container image.
3. Fix injected, identified CVE's (libssl-dev).
4. Re-scan to visualize the correction and security improvement.
5. BONUS: Build a simple pipeline with GitHub Actions

### Tooling & Binaries
* [Trivy](https://github.com/aquasecurity/trivy): Trivy is the chosen open-source CVE scanning tool for this
demonstration, an Aqua Security project. Trivy is defined as a simple and comprehensive vulnerability scanner for
containers. It supports scanning images stored in various container registries, including Docker Hub and private
registries. Trivy is easy to use and integrates well with CI/CD pipelines.
* Docker
* Git

#### Versions
```
trivy --version && \
docker --version && \
git --version
Version: 0.52.0
Docker version 20.10.12, build e91ed57
git version 2.39.2
```

#### Building
1. Build docker image
```
docker build -t cve-image:demo .
```
2. Scan the image for CVEs (find the CVE specific to the library we installed)
```
trivy image cve-image:demo
cve-image:demo (debian 12.5)
Total: 92 (UNKNOWN: 0, LOW: 59, MEDIUM: 27, HIGH: 5, CRITICAL: 1)
├────────────────────┼─────────────────────┼──────────┼──────────────┼───────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
| libssl-dev │ CVE-2023-5678 │ MEDIUM │ │ 3.0.11-1~deb12u2 │ │ openssl: Generating excessively long X9.42 DH keys or │
│ │ │ │ │ │ │ checking excessively long X9.42... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-5678 │
│ ├─────────────────────┤ │ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2023-6129 │ │ │ │ │ mysql: openssl: POLY1305 MAC implementation corrupts vector │
│ │ │ │ │ │ │ registers on PowerPC │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-6129 │
│ ├─────────────────────┤ │ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2023-6237 │ │ │ │ │ openssl: Excessive time spent checking invalid RSA public │
│ │ │ │ │ │ │ keys │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-6237 │
│ ├─────────────────────┤ │ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2024-0727 │ │ │ │ │ openssl: denial of service via null dereference │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-0727 │
│ ├─────────────────────┤ ├──────────────┤ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2024-4603 │ │ fix_deferred │ │ │ openssl: Excessive time spent checking DSA keys and │
│ │ │ │ │ │ │ parameters │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-4603 │
│ ├─────────────────────┤ │ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2024-4741 │ │ │ │ │ openssl: Use After Free with SSL_free_buffers │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-4741 │
│ ├─────────────────────┼──────────┤ │ ├───────────────┼──────────────────────────────────────────────────────────────┤
│ │ CVE-2024-2511 │ LOW │ │ │ │ openssl: Unbounded memory growth with session handling in │
│ │ │ │ │ │ │ TLSv1.3 │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-2511 |
├────────────────────┼─────────────────────┼──────────┼──────────────┼───────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
```
3. Remove `libssl-dev`, the library we installed onto our docker image with known CVEs.
4. Build the fixed docker image
```
docker build -t cve-image-fixed:demo .
```
5. Scan the new image for CVEs
```
trivy image cve-image-fixed:demo
cve-image-fixed:demo (debian 12.5)
Total: 78 (UNKNOWN: 0, LOW: 57, MEDIUM: 15, HIGH: 5, CRITICAL: 1)
```
NOTE: Considerably less identified CVEs in this new image.

#### GitHub Actions
1. mkdir for `.github/workflows`
2. touch file for `github-actions.yaml`
3. Create your actions
4. Push to repository

![GitHub Actions Image](assets/actions.png)
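Review bot: image tags are inconsistent between the README and the workflow: the README builds `cve-image:demo` and `cve-image-fixed:demo`, while `github-actions.yaml` builds and scans `cve-image:latest`, so a reader following the README cannot relate its output to the Actions run; align on one naming scheme. Step 3 ("Remove `libssl-dev`") should say how, since the Dockerfile in this commit has the install commented out: the step is an edit to the Dockerfile and a rebuild, not an `apt-get remove` inside the image. The pasted Trivy table is a fragment (no header row, no top border, and one row uses `|` where the others use `│`); either trim it to the `Total:` line plus the `libssl-dev` rows or include the header so the columns (Library, Vulnerability, Severity, Status, Installed Version, Fixed Version, Title) are identifiable. Minor spelling: "benefial" should read "beneficial", and "CVE's" should read "CVEs".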
Binary file added assets/actions.png
3 changes: 3 additions & 0 deletions entrypoint.sh
@@ -0,0 +1,3 @@
#!/bin/sh

echo "Hello world!"
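Review bot: the diff shows no file mode, so if `entrypoint.sh` was committed without the execute bit, `COPY` preserves that and the exec-form `ENTRYPOINT ["/entrypoint.sh"]` in the Dockerfile fails with "permission denied" at container start; either set the bit in git (`git update-index --chmod=+x entrypoint.sh`) or add `RUN chmod +x /entrypoint.sh` after the `COPY` in the Dockerfile.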

0 comments on commit 112757d
