Configure autobuilds on Docker Hub (critical!) #1420
Comments
10-4 thanks, will update tmrw |
@csanders-git Did you have time to flip the switch? |
Yup -- so here is the plan of attack -- I'll have to push new docker images which are outlined in my PR (at minimum for Apache in the next day or so). Once I do that, I'll enable the autobuilding for crs. |
If you need any help / support / whatever, drop us a line here! ⛑️ |
@csanders-git Do you think you can make it to enable autobuilds somewhat soon? Or is there anyone else that can do that, so you don't have to worry? Pragmatic solution: Could you manually trigger a build, for now? -- This way the current, critical situation would be remedied. This should be a matter of seconds! Thank you! 💯 |
Just noticed that this issue is also reported by the CII Best Practices analysis (badge at the top of the README) in the "Security" section. According to @franbuehler the issues are significant:
Sounds like this needs immediate action to avert harm, technically, to users of the Docker image, and also w.r.t. reputation of ModSecurity OWASP project. Cc @mhutter |
I've opened #1432, which (if required) helps with builds actually working again. |
W.r.t. this issue, note that we are now (temporarily?) building our own Docker image to circumvent the current security blockers. You may want to take a look at the conversation at vshn/modsecurity-docker#17 to see what's the difference to the current official v3.1 image on Docker Hub. |
These images can of course be lightened a good bit by using multipart builds upstream and removing deps, but here are the latest builds: https://cloud.docker.com/u/owasp/repository/docker/owasp/modsecurity-crs/tags |
The publicly accessible URL is https://hub.docker.com/r/owasp/modsecurity-crs/tags |
I just figured that the file layout in the newly built images has changed significantly. There is no This broke every customization we did in vshn/modsecurity-docker. Not nice. 😟 What's the motivation for that? For managing a base configuration across distros? |
Sorry about that -- my motivation was that we wanted it to work across multiple webservers -- Nginx/Apache/WAFLEZ/etc. I don't foresee that we'll end up changing it again -- new location is /etc/modsecurity.d/. In terms of compiling from scratch -- the primary images I like are based on the apache/nginx upstream images. That way we don't rely on Ubuntu apt-repos to package updates. |
This issue has been open 120 days with no activity. Remove the stale label or comment, or this will be closed in 14 days |
This will be addressed by #1600 via coreruleset/modsecurity-crs-docker#1 in the long run. Hence, closing the issue. |
Type of Issue
Security issue
Description
The Docker image owasp/modsecurity-crs provided by this repository inherits from owasp/modsecurity:2.9-apache-ubuntu, however autobuilds seem not configured on Docker Hub. This results in the CRS image being much older ("Updated 6 months ago") than the owasp/modsecurity image ("Updated 23 days ago"). Subsequently, the Clair image scanner on Quay.io complains about a security issue of the older image that the younger doesn't have.
Required Action
Can we please configure autobuilds on Docker Hub that depend on the parent image, so that each time the parent image is updated also a build of the CRS image is triggered? There's an "Enable for base image" option now that can be enabled in owasp/modsecurity-crs.
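An added example, not part of the issue or the project's code: one way to detect the condition described above is to compare the layer lists reported by docker image inspect, since an image built FROM the current parent starts with exactly the parent's layers. The inspect documents below are constructed samples with placeholder digests, base_status is a hypothetical helper name, and the check assumes the child's final build stage is FROM the parent and is not squashed.

```python
def rootfs_layers(inspect_doc):
    """Ordered layer digests from `docker image inspect` JSON (a list or one object)."""
    image = inspect_doc[0] if isinstance(inspect_doc, list) else inspect_doc
    return list(image["RootFS"]["Layers"])


def base_status(child_doc, parent_doc):
    """Report whether the child image still sits on the parent's current layers.

    A rebuilt parent usually differs from its first changed layer onward, so a
    low shared count does not say how old the child is, only that it is not
    built on the parent as it exists now.
    """
    child, parent = rootfs_layers(child_doc), rootfs_layers(parent_doc)
    if not parent:
        raise ValueError("parent image reports no layers")
    shared = 0
    for child_layer, parent_layer in zip(child, parent):
        if child_layer != parent_layer:
            break
        shared += 1
    return {
        "current": shared == len(parent),  # parent layers are a prefix of the child
        "shared_layers": shared,
        "parent_layers": len(parent),
    }


# Constructed samples: trimmed inspect output, digests are placeholders.
PARENT_NOW = [{"RepoTags": ["owasp/modsecurity:2.9-apache-ubuntu"],
               "RootFS": {"Type": "layers",
                          "Layers": ["sha256:base-v2", "sha256:apache-v2",
                                     "sha256:modsec-v2"]}}]
CHILD_OLD = [{"RepoTags": ["owasp/modsecurity-crs:latest"],
              "RootFS": {"Type": "layers",
                         "Layers": ["sha256:base-v1", "sha256:apache-v1",
                                    "sha256:modsec-v1", "sha256:crs-rules"]}}]
CHILD_REBUILT = [{"RepoTags": ["owasp/modsecurity-crs:latest"],
                  "RootFS": {"Type": "layers",
                             "Layers": ["sha256:base-v2", "sha256:apache-v2",
                                        "sha256:modsec-v2", "sha256:crs-rules-v2"]}}]

if __name__ == "__main__":
    for name, doc in (("old child", CHILD_OLD), ("rebuilt child", CHILD_REBUILT)):
        print(name, base_status(doc, PARENT_NOW))
```

Run in CI after pulling both tags, a result with "current" set to False is the signal to trigger a rebuild of the child image.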