bug: ENV variable SE_VNC_PASSWORD contains sensitive data

Signed-off-by: Viet Nguyen Duc <nguyenducviet4496@gmail.com>
SeleniumHQ · Dec 13, 2023 · 00a15ea · 00a15ea
1 parent 8ec470e
commit 00a15ea
Showing 6 changed files with 71 additions and 16 deletions.
diff --git a/.github/workflows/scan-dockerfile.yml b/.github/workflows/scan-dockerfile.yml
@@ -0,0 +1,53 @@
+name: Scan Dockerfile vulnerabilities
+
+on:
+  push:
+    paths:
+      - '**/Dockerfile'
+  pull_request:
+    paths:
+      - '**/Dockerfile'
+  workflow_dispatch:
+  schedule:
+    - cron: '0 0 * * *'
+
+jobs:
+  build-and-scan:
+    name: Scan Dockerfile vulnerabilities
+    permissions: write-all
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set severity for PRs
+        if: github.event_name == 'pull_request' || github.event_name == 'push'
+        run: |
+          echo "SEVERITY=HIGH,CRITICAL" >> $GITHUB_ENV
+          echo "EXIT_CODE=1" >> $GITHUB_ENV
+      - name: Set severity for others
+        if: github.event_name != 'pull_request' && github.event_name != 'push'
+        run: |
+          echo "SEVERITY=LOW,MEDIUM,HIGH,CRITICAL" >> $GITHUB_ENV
+          echo "EXIT_CODE=0" >> $GITHUB_ENV
+      - name: Scan source code
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          scan-ref: '.'
+          format: 'sarif'
+          output: 'source-results.sarif'
+          scanners: 'vuln,secret,misconfig'
+          skip-dirs: 'tests,Video'
+          exit-code: '${{ env.EXIT_CODE }}'
+          severity: '${{ env.SEVERITY }}'
+          limit-severities-for-sarif: true
+      - name: Upload source scan results to annotations
+        if: always()
+        uses: Ayrx/sarif_to_github_annotations@master
+        with:
+          sarif_file: 'source-results.sarif'
+      - name: Upload source scan results to GitHub Security tab
+        if: github.event_name != 'pull_request'
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'source-results.sarif'
+          category: source-results
diff --git a/Base/Dockerfile b/Base/Dockerfile
@@ -4,8 +4,9 @@ LABEL authors="Selenium <selenium-developers@googlegroups.com>"
 # Arguments to define the version of dependencies to download
 ARG VERSION
 ARG RELEASE=selenium-${VERSION}
-ARG OPENTELEMETRY_VERSION=1.31.0
-ARG GRPC_VERSION=1.60.0
+# Default value should be aligned with upstream Selenium (https://github.com/SeleniumHQ/selenium/blob/trunk/java/maven_deps.bzl)
+ARG OPENTELEMETRY_VERSION=1.28.0
+ARG GRPC_VERSION=1.57.1
 
 #Arguments to define the user running Selenium
 ARG SEL_USER=seluser
@@ -115,7 +116,8 @@ COPY supervisord.conf /etc
 #==========
 RUN touch ${SEL_DIR}/config.toml \
   && wget --no-verbose https://github.com/SeleniumHQ/selenium/releases/download/${RELEASE}/selenium-server-${VERSION}.jar \
-    -O ${SEL_DIR}/selenium-server.jar
+    -O ${SEL_DIR}/selenium-server.jar \
+  && echo "${SEL_PASSWD}" > ${SEL_DIR}/initialPasswd
 
 #=====
 # Download observability related jaegar jars and make them available in a separate directory

diff --git a/NodeBase/Dockerfile b/NodeBase/Dockerfile
@@ -4,13 +4,16 @@ ARG AUTHORS
 FROM ${NAMESPACE}/base:${VERSION}
 LABEL authors=${AUTHORS}
 
+ARG NOVNC_VERSION="1.4.0"
+ARG WEBSOCKIFY_VERSION="0.11.0"
+
 USER root
 
 #==============
 # Xvfb
 #==============
 RUN apt-get update -qqy \
-  && apt-get -qqy install \
+  && apt-get -qqy --no-install-recommends install \
     xvfb \
     pulseaudio \
   && rm -rf /var/lib/apt/lists/* /var/cache/apt/*
@@ -40,7 +43,7 @@ RUN apt-get -qqy update \
 # VNC
 #=====
 RUN apt-get update -qqy \
-  && apt-get -qqy install \
+  && apt-get -qqy --no-install-recommends install \
   x11vnc \
   && rm -rf /var/lib/apt/lists/* /var/cache/apt/*
 
@@ -49,7 +52,7 @@ RUN apt-get update -qqy \
 # A fast, lightweight and responsive window manager
 #=========
 RUN apt-get update -qqy \
-  && apt-get -qqy install \
+  && apt-get -qqy --no-install-recommends install \
     fluxbox \
   && rm -rf /var/lib/apt/lists/* /var/cache/apt/*
 
@@ -92,8 +95,6 @@ RUN apt-get -qqy update \
 ########################################
 # noVNC exposes VNC through a web page #
 ########################################
-ENV NOVNC_VERSION="1.4.0" \
-    WEBSOCKIFY_VERSION="0.11.0"
 RUN  wget -nv -O noVNC.zip \
        "https://github.com/novnc/noVNC/archive/refs/tags/v${NOVNC_VERSION}.zip" \
   && unzip -x noVNC.zip \
@@ -104,8 +105,8 @@ RUN  wget -nv -O noVNC.zip \
       "https://github.com/novnc/websockify/archive/refs/tags/v${WEBSOCKIFY_VERSION}.zip" \
   && unzip -x websockify.zip \
   && rm websockify.zip \
-  && rm -rf websockify-${WEBSOCKIFY_VERSION}/tests \
-  && mv websockify-${WEBSOCKIFY_VERSION} /opt/bin/noVNC/utils/websockify
+  && mv websockify-${WEBSOCKIFY_VERSION} /opt/bin/noVNC/utils/websockify \
+  && rm -rf /opt/bin/noVNC/utils/websockify/docker /opt/bin/noVNC/utils/websockify/tests
 
 #=========================================================================================================================================
 # Run this command for executable file permissions for /dev/shm when this is a "child" container running in Docker Desktop and WSL2 distro
@@ -117,13 +118,12 @@ RUN mkdir -p /tmp/.X11-unix && \
     fix-permissions /tmp/.X11-unix
 
 #==============================
-# Generating the VNC password based on the ${SE_VNC_PASSWORD}
+# Generating the VNC password using initial password in Base image
 # Changing ownership to ${SEL_USER}, so the service can be started
 #==============================
 
-ENV SE_VNC_PASSWORD=secret
 RUN mkdir -p ${HOME}/.vnc \
-    && x11vnc -storepasswd ${SE_VNC_PASSWORD} ${HOME}/.vnc/passwd \
+    && x11vnc -storepasswd $(cat ${SEL_DIR}/initialPasswd) ${HOME}/.vnc/passwd \
     && chown -R "${SEL_UID}:${SEL_GID}" ${HOME}/.vnc \
     && fix-permissions ${HOME}/.vnc
 

diff --git a/NodeChrome/Dockerfile b/NodeChrome/Dockerfile
@@ -18,7 +18,7 @@ ARG CHROME_VERSION="google-chrome-stable"
 RUN wget -q -O - https://dl-ssl.google.com/linux/linux_signing_key.pub | gpg --dearmor | tee /etc/apt/trusted.gpg.d/google.gpg >/dev/null \
   && echo "deb http://dl.google.com/linux/chrome/deb/ stable main" >> /etc/apt/sources.list.d/google-chrome.list \
   && apt-get update -qqy \
-  && apt-get -qqy install \
+  && apt-get -qqy --no-install-recommends install \
     ${CHROME_VERSION:-google-chrome-stable} \
   && rm /etc/apt/sources.list.d/google-chrome.list \
   && rm -rf /var/lib/apt/lists/* /var/cache/apt/*

diff --git a/NodeDocker/Dockerfile b/NodeDocker/Dockerfile
@@ -10,7 +10,7 @@ USER root
 # Socat to proxy docker.sock when mounted
 #==============
 RUN apt-get update -qqy \
-  && apt-get -qqy install socat \
+  && apt-get -qqy --no-install-recommends install socat \
   && rm -rf /var/lib/apt/lists/* /var/cache/apt/*
 
 USER ${SEL_UID}

diff --git a/NodeEdge/Dockerfile b/NodeEdge/Dockerfile
@@ -16,7 +16,7 @@ ARG EDGE_VERSION="microsoft-edge-stable"
 RUN wget -q -O - https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor | tee /etc/apt/trusted.gpg.d/microsoft.gpg >/dev/null \
   && echo "deb https://packages.microsoft.com/repos/edge stable main" >> /etc/apt/sources.list.d/microsoft-edge.list \
   && apt-get update -qqy \
-  && apt-get -qqy install ${EDGE_VERSION} \
+  && apt-get -qqy --no-install-recommends install ${EDGE_VERSION} \
   && rm /etc/apt/sources.list.d/microsoft-edge.list \
   && rm -rf /var/lib/apt/lists/* /var/cache/apt/*