Skip to content
This repository has been archived by the owner on May 14, 2020. It is now read-only.

Configure autobuilds on Docker Hub (critical!) #1420

Closed
bittner opened this issue May 21, 2019 · 16 comments
Closed

Configure autobuilds on Docker Hub (critical!) #1420

bittner opened this issue May 21, 2019 · 16 comments

Comments

@bittner
Copy link
Contributor

bittner commented May 21, 2019

Type of Issue

Security issue

Description

The Docker image owasp/modsecurity-crs provided by this repository inherits from owasp/modsecurity:2.9-apache-ubuntu, however autobuilds seem not configured on Docker Hub.

This results in the CRS image being much older ("Updated 6 months ago") than the owasp/modsecurity image ("Updated 23 days ago"). Subsequently, the Clair image scanner on Quay.io complains about a security issue of the older image that the younger doesn't have.

Required Action

Can we please configure autobuilds on Docker Hub that depend on the parent image, so that each time the parent image is updated also a build of the CRS image is triggered? There's an "Enable for base image" option now that can be enabed in owasp/modsecurity-crs.

@csanders-git
Copy link
Contributor

csanders-git commented May 21, 2019

10-4 thanks, will update tmrw

@bittner
Copy link
Contributor Author

bittner commented May 23, 2019

@csanders-git Did you have time to flip the switch?

@csanders-git
Copy link
Contributor

yup -- so here is the plan of attack -- i'll have to push new docker images which are outlined in my PR (at minimum for Apache in the next day or so) once i do that -- i'll enable the autobuilding for crs.

@bittner
Copy link
Contributor Author

bittner commented May 24, 2019

I you need any help / support / whatever, drop us a line here! ⛑️

@bittner
Copy link
Contributor Author

bittner commented May 24, 2019

Cc @franbuehler @dune73

@bittner
Copy link
Contributor Author

bittner commented May 27, 2019

@csanders-git Do you think you can make it to enable autobuilds somewhat soon? Or is there anyone else that can do that, so you don't have to worry?

Pragmatic solution: Could you manually trigger a build, for now? -- This way the current, critical situation would be remedied. This should be a matter of seconds!

Thank you! 💯

@bittner
Copy link
Contributor Author

bittner commented May 28, 2019

Just noticed that this issue is also reported by the CII Best Practices analysis (badge at the top of the README) in the "Security" section.

According to @franbuehler the issues are significant:

This is the current state of the VSHN ModSecurity Image:
Quay Security Scanner has detected 124 vulnerabilities.
Patches are available for 77 vulnerabilities.
5 High-level vulnerabilities.
57 Medium-level vulnerabilities.
54 Low-level vulnerabilities.
8 Negligible-level vulnerabilities.

5 high-level vulnerabilites are: CVE-2019-3462, CVE-2018-16865, CVE-2018-16864 , CVE-2019-0211, CVE-2018-0501 (I did not check them in detail. But all CVEs are patchable).

Sounds like this needs immediate action to avert harm, technically, to users of the Docker image, and also w.r.t. reputation of ModSecurity OWASP project. Cc @mhutter

@mhutter
Copy link

mhutter commented May 28, 2019

I've opened #1432, which (if required) help with builds actually working again.

@bittner
Copy link
Contributor Author

bittner commented May 28, 2019

W.r.t. this issue, note that we are now (temporarily?) building our own Docker image to circumvent the current security blockers.

You may want to take a look at the conversation at vshn/modsecurity-docker#17 to seen what's the difference to the current official v3.1 image on Docker Hub.

@SpiderLabs SpiderLabs deleted a comment from chaimsanders-okta May 29, 2019
@csanders-git
Copy link
Contributor

We still aren't able to configure autobuilds because of some issue with OWASPs dockerhub -- in the mean time i'm kicking off manual builds of v3.2, v3.1, and v3.0

Screen Shot 2019-05-29 at 4 00 43 PM

@csanders-git
Copy link
Contributor

These images can of course be lighhtened a good bit by using multipart builds upstream and removing deps but here are the latest . builds

https://cloud.docker.com/u/owasp/repository/docker/owasp/modsecurity-crs/tags

@bittner
Copy link
Contributor Author

bittner commented May 30, 2019

The publicly accessible URL is https://hub.docker.com/r/owasp/modsecurity-crs/tags

@bittner
Copy link
Contributor Author

bittner commented Jun 4, 2019

I just figured that the file layout in the newly built images has changed significantly. There is no /etc/apache2 folder anymore. Looks like Apache2 is now installed manually (i.e. not the Debian way) and in /usr/local/apache2.

This broke every customization we did in vshn/modsecurity-docker. Not nice. 😟

What's the motivation for that? For managing a base configuration across distros?

@csanders-git
Copy link
Contributor

sorry about that -- my motivation was that we wanted it to work across multiple Webservers -- Nginx/Apache/WAFLEZ/etc. I don't foresee that we'll end up changing it again -- new location is /etc/modsecurity.d/

In terms of compiling from scratch -- the primary images I like are based on the apache/nginx upstream images. That way we don't rely on ubunttu apt-repos to package updates.

@github-actions
Copy link

This issue has been open 120 days with no activity. Remove the stale label or comment, or this will be closed in 14 days

@github-actions github-actions bot added the Stale issue This issue has been open 120 days with no activity. label Nov 18, 2019
@bittner
Copy link
Contributor Author

bittner commented Nov 18, 2019

This will be addressed by #1600 via coreruleset/modsecurity-crs-docker#1 in the long run.

Hence, closing the issue.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants