-
Notifications
You must be signed in to change notification settings - Fork 285
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
fix(cmd-api-server): use ncc bundle in container image - CVE-2024-29415
Fixes the CVE mentioned and also improves our response time to future CVEs by a very wide margin. Details below. 1. Fixing the mentioned vulnerability in the API server and doing so in a way so that in the future our dependency upgrades automatically propagate to the container builds as well. 2. The way we are achieving this is by making the container image build use the pre-built bundle instead of pulling the package contents from npm. 3. This has the advantage of breaking the chicken egg problem with releases to npm and container images, so from now on if we are adding a fix to the API server in the code, the built container image will automatically contain that fix when building on the CI for the pull request. 4. This is also a new pattern for how to create our container images that has a couple more improvements to it: 4.1. The .dockerignore file is now specific to the particular package's container image instead of the global one in the project root being used. This was needed because we are copying files from the ./dist/ folder of the package to the container image at build time but this was not possible while the root dir .dockerignore file was in effect because it blanket ignores the ./dist/ folders overall and so the image building was failing with errors that it couldn't locate the bundle (which is inside the ./dist/ directory) 4.2. The healthcheck of the container is now 100% self-contained and needs no external dependencies of any kind (neither npm nor operating system level ones) This is beneficial because it reduces the attack-surface of the image and also reduce the size of the image by at least a 100 MB. 4.3. With the introduction of the usage of the bundled version of the code we have **dramatically** reduced the image size overall. The image built from this revision of the code is 221 MB while the previous image versions were hovering closer to a 0.5 GB. 5. Also updated the README of the package so that all the examples pertaining to the container image are now fully functional once again. 6. Simplified the container image's definition: the custom docker entrypoint script and the healthcheck bash script are no longer necessary. 7. Renamed the container image definition file from `Dockerfile` to `cmd-api-server.Dockerfile` because this is mandated by Docker when building images with custom .dockerignore files (it needs the custom filename to disambiguate the .dockerignore files based on it) 8. Refactored how the CI executes the Trivy scan to reduce resource usage: 8.1. There is no separate image build job now. This was necessary because with the new image definition we have to have the project compiled first (since we no longer install directly from npm) so it would've been a lot of duplicated compute time to recompile the project in yet another CI job for the image build. The image built from this revision is also published on the official repository with the canary tag of: `ghcr.io/hyperledger/cactus-cmd-api-server:2024-07-03T19-32-51-dev-3f5e97893` Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
- Loading branch information
Showing
13 changed files
with
204 additions
and
112 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -182,6 +182,8 @@ | |
"tlsca", | ||
"tlscacerts", | ||
"Trivy", | ||
"trivyignore", | ||
"trivyignores", | ||
"txid", | ||
"txqueue", | ||
"Uisrs", | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
# Misclassification by the Debian maintainers. Does not affect us | ||
# Source: https://github.com/aquasecurity/trivy/discussions/6722#discussioncomment-9518531 | ||
CVE-2023-45853 |
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,25 @@ | ||
FROM node:22.4.0-bookworm-slim | ||
|
||
# CVE-2023-31484 - perl: CPAN.pm does not verify TLS certificates when downloading distributions over HTTPS... | ||
RUN apt-get remove -y --allow-remove-essential perl perl-base && apt-get autoremove -y | ||
|
||
ARG APP_DIR=/opt/cacti/cmd-api-server | ||
WORKDIR ${APP_DIR} | ||
|
||
COPY ./dist/bundle/ncc/ ${APP_DIR} | ||
COPY ./cmd-api-server.Dockerfile.healthcheck.mjs ${APP_DIR} | ||
CMD ["node", "index.js"] | ||
|
||
HEALTHCHECK --interval=5s --timeout=1s --start-period=1s --retries=60 CMD [ "node", "./cmd-api-server.Dockerfile.healthcheck.mjs", "http", "localhost", "4000" ] | ||
|
||
# FIXME: Stop hardcoding the less secure defaults once we've migrated to yarts | ||
# for CMD/ENV configuration file parsing. | ||
ENV COCKPIT_TLS_ENABLED=false | ||
ENV COCKPIT_CORS_DOMAIN_CSV=\* | ||
ENV COCKPIT_MTLS_ENABLED=false | ||
ENV COCKPIT_TLS_CERT_PEM=- | ||
ENV COCKPIT_TLS_KEY_PEM=- | ||
ENV COCKPIT_TLS_CLIENT_CA_PEM=- | ||
|
||
ENV TZ=Etc/UTC | ||
ENV NODE_ENV=production |
Empty file.
Oops, something went wrong.