{"id":13416616,"url":"https://github.com/tomwillfixit/alpine-cvecheck","last_synced_at":"2025-03-15T00:31:12.408Z","repository":{"id":99532528,"uuid":"90491509","full_name":"tomwillfixit/alpine-cvecheck","owner":"tomwillfixit","description":"Code used to CVE check Alpine based images","archived":false,"fork":false,"pushed_at":"2017-05-07T12:19:18.000Z","size":72,"stargazers_count":10,"open_issues_count":0,"forks_count":0,"subscribers_count":3,"default_branch":"master","last_synced_at":"2024-07-31T21:57:16.840Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/tomwillfixit.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2017-05-06T21:13:51.000Z","updated_at":"2022-12-12T21:40:13.000Z","dependencies_parsed_at":"2023-07-30T19:15:45.899Z","dependency_job_id":null,"html_url":"https://github.com/tomwillfixit/alpine-cvecheck","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tomwillfixit%2Falpine-cvecheck","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tomwillfixit%2Falpine-cvecheck/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tomwillfixit%2Falpine-cvecheck/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tomwillfixit%2Falpine-cvecheck/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/tomwillfixit","download_url":"https://codeload.github.com/tomwillfixit/alpine-c
vecheck/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":243667742,"owners_count":20328032,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-07-30T21:01:02.341Z","updated_at":"2025-03-15T00:31:12.017Z","avatar_url":"https://github.com/tomwillfixit.png","language":"Shell","readme":"# CVE Scanning of Alpine base images using Multi Stage builds in Docker 17.05  \n\n![data](img/data.jpg)\n\nThe tl;dr of this post is that I want to scan my Alpine-based images locally for vulnerabilities before pushing the image to an online registry. Why? Well, I think it makes sense that developers have the option of checking for CVEs locally and at build time. They may choose to ignore the results, but it's nice to have the option. In future this could perhaps be made into a plugin or included with `docker build`.\n\nI mentioned this to a few folks at DockerCon and decided to put together a simple demo. Using the multi-stage build feature in [Docker 17.05](https://docs.docker.com/engine/userguide/eng-image/multistage-build/) we can append a CVE scan stage to our build and run a scan at build time. I also have a service running in Docker Swarm that updates the CVE database each hour and makes it available to all cluster nodes where image builds happen. That's for another day.\n\nLet's get started. This first step will take a few minutes since it downloads the CVE database, which is around 800 MB.\n\n## Step 1\n\nBuild the cvechecker image. This image will contain the cvechecker tool and the CVE database. 
More details on cvechecker can be found [here](https://github.com/sjvermeu/cvechecker/).\n\n```\ndocker build -t cvechecker:latest .\n```\n\n## Step 2\n\nThere are lots of ways to run the CVE scan. First, let's use the multi-stage Dockerfile to build a WordPress container and then run the scan.\n\n```\ndocker build -t wordpress:latest --no-cache -f Dockerfile.wordpress .\n```\n\nCopy CVE.log out of the image and check inside:\n\n```\ndocker run -t --rm -v ${PWD}:/results wordpress:latest /bin/sh -c \"mv /tmp/CVE.log /results/wordpress.CVE.log\"\n```\n\n### Example output\n\n```\nFile \"/usr/lib/libbz2.so.1.0.6\" (CPE = cpe:/a:bzip:bzip2:1.0.6:::) on host 837a64dcc771 (key 837a64dcc771)\n  Potential vulnerability found (CVE-2016-3189)\n  CVSS Score is 4.3\n  Full vulnerability match (incl. edition/language)\n```\n\nThe hit is on libbz2 (bzip2 1.0.6), which came in with the libarchive package. That package is not needed and was only included as an example. Remove libarchive from the Dockerfile and rebuild. No vulnerability found. Great job.\n\n## Step 3\n\nUsing the multi-stage Dockerfile we can supply a list of images and scan them all sequentially for CVEs. We could use docker-compose to supply the image name as an environment variable, but in this case we will just use a bit of bash.\n\n```\n./bulk_cve_scan.sh list_of_images.txt\n```\n\nThis will pull each image, copy its contents into the cvechecker image, generate a list of executables and run cvechecker. 
A results file is created per image and a final report is created.\n\n### Example output\n\n```\n*************************************\n---\u003e Image   : nginx:1.13.0-alpine-perl\n---\u003e Sha     : sha256:dcf49000bf50c4e93d6cc84c96f8acf985998154e09f6301cff7c62314811604\n---\u003e Created : 2017-04-25T17:25:05.511678526Z\n---\u003e Log     : ./results/nginx:1.13.0-alpine-perl.CVE.log\n---\u003e Status  : 1 CVE's found\n\n\thttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3189\n\n*************************************\n*************************************\n---\u003e Image   : redis:3.2.8-alpine\n---\u003e Sha     : sha256:83638a6d3af20698d5e207febe714ac46a23a98e1d86ba36fe502fadc788daa3\n---\u003e Created : 2017-03-03T23:33:08.415849842Z\n---\u003e Log     : ./results/redis:3.2.8-alpine.CVE.log\n---\u003e Status  : No CVE's found\n*************************************\n*************************************\n---\u003e Image   : logstash:1.5.6-alpine\n---\u003e Sha     : sha256:6a7afab35097ffcacf6445366065b234371902240e2d9bf41bb3d64386352db6\n---\u003e Created : 2017-03-07T18:57:08.447747089Z\n---\u003e Log     : ./results/logstash:1.5.6-alpine.CVE.log\n---\u003e Status  : 1 CVE's found\n\n\thttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3189\n\n*************************************\n*************************************\n---\u003e Image   : logstash:1-alpine\n---\u003e Sha     : sha256:6a7afab35097ffcacf6445366065b234371902240e2d9bf41bb3d64386352db6\n---\u003e Created : 2017-03-07T18:57:08.447747089Z\n---\u003e Log     : ./results/logstash:1-alpine.CVE.log\n---\u003e Status  : 1 CVE's found\n\n\thttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3189\n\n*************************************\n*************************************\n---\u003e Image   : elasticsearch:1.7.6-alpine\n---\u003e Sha     : sha256:59103e15fe949d9735eb4ff885abb6fb5ff50bc587acb4075ac10c0d9bbb0467\n---\u003e Created : 2017-04-04T23:28:36.351775037Z\n---\u003e Log     : 
./results/elasticsearch:1.7.6-alpine.CVE.log\n---\u003e Status  : 1 CVE's found\n\n\thttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3189\n\n*************************************\n*************************************\n---\u003e Image   : wordpress:4.7.4-php7.1-fpm-alpine\n---\u003e Sha     : sha256:80052e2343db98ce7ccf00b582fe024b40e07a497fdcc43f5814ba93b960d2d2\n---\u003e Created : 2017-05-06T00:15:39.364168997Z\n---\u003e Log     : ./results/wordpress:4.7.4-php7.1-fpm-alpine.CVE.log\n---\u003e Status  : 46 CVE's found\n\n\thttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0903\n\thttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1516\n\thttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1517\n\thttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1518\n\thttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2753\n\thttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3469\n\thttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3486\n\thttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4031\n\thttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4226\n\thttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1420\n\thttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2583\n\thttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2691\n\thttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2692\n\thttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6303\n\thttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6304\n\thttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2079\n\thttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3963\n\thttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4098\n\thttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7247\n\thttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2446\n\thttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4019\n\thttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4028\n\thttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2
009-5026\n\thttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1848\n\thttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1849\n\thttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1850\n\thttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3677\n\thttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3682\n\thttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3833\n\thttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3834\n\thttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3836\n\thttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3837\n\thttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3838\n\thttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0075\n\thttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0087\n\thttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0101\n\thttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0102\n\thttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0114\n\thttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0484\n\thttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0490\n\thttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1696\n\thttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1697\n\thttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3160\n\thttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3166\n\thttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3177\n\thttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6321\n\n*************************************\n*************************************\n---\u003e Image   : ruby:2.1.8-alpine\n---\u003e Sha     : sha256:f6611d75e6dc337005a23816143cfa40f96fab41860f563665c36efbb541b1e6\n---\u003e Created : 2016-03-30T21:01:49.675295954Z\n---\u003e Log     : ./results/ruby:2.1.8-alpine.CVE.log\n---\u003e Status  : 14 CVE's 
found\n\n\thttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2105\n\thttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2106\n\thttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2107\n\thttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2109\n\thttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2176\n\thttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2177\n\thttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2178\n\thttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2179\n\thttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2180\n\thttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2181\n\thttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2182\n\thttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3189\n\thttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6302\n\thttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6303\n\n*************************************\n*************************************\n---\u003e Image   : consul:v0.7.0\n---\u003e Sha     : sha256:2ba9010ee3cc0251be45e8b55f3154eb421df841cd93a375f9f5ab334d848291\n---\u003e Created : 2016-10-18T22:59:58.369872799Z\n---\u003e Log     : ./results/consul:v0.7.0.CVE.log\n---\u003e Status  : No CVE's found\n*************************************\n*************************************\n---\u003e Image   : python:3.4.5-alpine\n---\u003e Sha     : sha256:0eb0091592b3d8aab929e19041330d307e0e3302cf58ae8753276a2860c45037\n---\u003e Created : 2016-12-27T21:39:19.757995673Z\n---\u003e Log     : ./results/python:3.4.5-alpine.CVE.log\n---\u003e Status  : 1 CVE's found\n\n\thttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3189\n\n*************************************\n*************************************\n---\u003e Image   : rabbitmq:3.6.6-alpine\n---\u003e Sha     : sha256:1f17c5fffd2d35099050f4d224be92c424b90550cc65c76570be71d368e637cc\n---\u003e Created : 2017-03-03T23:32:16.463770425Z\n---\u003e Log     : 
./results/rabbitmq:3.6.6-alpine.CVE.log\n---\u003e Status  : No CVE's found\n*************************************\n\n```\n\n# Summary\n\nI like free stuff. This isn't bullet-proof, but it has already found a few questionable images that I would previously have used without question. Bear in mind that cvechecker matches on the CPE version string of each binary, so a package that Alpine has patched without bumping the upstream version will still be flagged, and a binary with no CPE match is not checked at all. Treat a hit as a prompt to check the Alpine package changelog rather than as confirmed exposure; the CVE-2016-3189 match against bzip2 1.0.6 that shows up in most of the images above is the kind of result worth double-checking.\n\nI'll tidy this up in the coming weeks and perhaps use Goss as a trigger for the CVE check.\n\nFeel free to contact me for more details, banter, pull requests etc.\n\n@tomwillfixit @Shipitcon @DockerDublin #DockerCaptain\n\n\n","funding_links":[],"categories":["Security"],"sub_categories":["Monitoring Services"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftomwillfixit%2Falpine-cvecheck","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftomwillfixit%2Falpine-cvecheck","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftomwillfixit%2Falpine-cvecheck/lists"}
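The per-image report that bulk_cve_scan.sh prints in Step 3 of the README can be reproduced from a CVE.log with a few lines of POSIX sh. The script below is an added example and is not code from the alpine-cvecheck repository: it parses the cvechecker log format shown under Step 2, lists the distinct CVE IDs, optionally filters on the CVSS score cvechecker prints after each hit, writes the same report block, and returns non-zero when anything remains, which is the hook a build step needs to fail on findings. The sample log is constructed for the demo; the image name, the optional CVSS threshold argument and the Sha/Created fallback text are assumptions, and the two `docker inspect` calls only succeed when the image is present locally.

```shell
#!/bin/sh
# Added example, not part of the alpine-cvecheck repo: summarise a cvechecker
# CVE.log into the report block bulk_cve_scan.sh prints, and return non-zero
# when CVEs at or above a CVSS threshold are present so a build can fail on it.
# Assumed (not from the README): the log path and the threshold are passed in.

# Constructed sample of cvechecker output, in the format shown in the README.
SAMPLE_LOG='File "/usr/lib/libbz2.so.1.0.6" (CPE = cpe:/a:bzip:bzip2:1.0.6:::) on host 837a64dcc771 (key 837a64dcc771)
  Potential vulnerability found (CVE-2016-3189)
  CVSS Score is 4.3
  Full vulnerability match (incl. edition/language)
File "/usr/lib/libssl.so.1.0.0" (CPE = cpe:/a:openssl:openssl:1.0.2g:::) on host 837a64dcc771 (key 837a64dcc771)
  Potential vulnerability found (CVE-2016-2105)
  CVSS Score is 5.0
  Full vulnerability match (incl. edition/language)
  Potential vulnerability found (CVE-2016-3189)
  CVSS Score is 4.3
  Full vulnerability match (incl. edition/language)'

# Write the constructed sample to the path given, for the demo and tests.
write_sample_log() {
  printf '%s\n' "$SAMPLE_LOG" > "$1"
}

# All distinct CVE IDs in a CVE.log, one per line, sorted.
cve_ids() {
  grep -o 'CVE-[0-9][0-9][0-9][0-9]-[0-9]*' "$1" | sort -u
}

# Distinct CVE IDs whose CVSS score is >= $2. cvechecker prints the
# "CVSS Score is N" line directly after the "Potential vulnerability found"
# line it belongs to, so awk pairs them by remembering the last ID seen.
cve_ids_min_cvss() {
  awk -v min="$2" '
    /Potential vulnerability found/ {
      match($0, /CVE-[0-9]+-[0-9]+/); id = substr($0, RSTART, RLENGTH)
    }
    /CVSS Score is/ { if (($4 + 0) >= (min + 0)) print id }
  ' "$1" | sort -u
}

# Number of distinct CVE IDs in a CVE.log (0 for an empty log).
cve_count() {
  cve_ids "$1" | wc -l | tr -d ' '
}

# Print one report block in the layout of the bulk_cve_scan.sh final report.
# Returns 1 when any CVE at or above the threshold (default 0) is present.
report() {
  image=$1; log=$2; min=${3:-0}
  # Sha/Created come from docker inspect when the image is present locally;
  # fall back to a placeholder so the function also works offline.
  sha=$(docker inspect --format '{{.Id}}' "$image" 2>/dev/null) || sha='(image not present locally)'
  created=$(docker inspect --format '{{.Created}}' "$image" 2>/dev/null) || created='(image not present locally)'
  hits=$(cve_ids_min_cvss "$log" "$min")
  printf '%s\n' '*************************************'
  printf '%s\n' "---> Image   : $image"
  printf '%s\n' "---> Sha     : $sha"
  printf '%s\n' "---> Created : $created"
  printf '%s\n' "---> Log     : $log"
  if [ -z "$hits" ]; then
    printf '%s\n' "---> Status  : No CVE's found (CVSS >= $min)"
    printf '%s\n' '*************************************'
    return 0
  fi
  n=$(printf '%s\n' "$hits" | wc -l | tr -d ' ')
  printf '%s\n\n' "---> Status  : $n CVE's found (CVSS >= $min)"
  printf '%s\n' "$hits" | while read -r id; do
    printf '\thttps://cve.mitre.org/cgi-bin/cvename.cgi?name=%s\n' "$id"
  done
  printf '\n%s\n' '*************************************'
  return 1
}

# Demo: fail-the-build semantics on the constructed log with a 5.0 threshold.
tmp=$(mktemp)
write_sample_log "$tmp"
report example:alpine "$tmp" 5.0 || printf '%s\n' "build would fail: CVEs at or above CVSS 5.0"
rm -f "$tmp"
```

Source the file and call `report <image> <path-to-CVE.log> [min-cvss]` from the bulk loop, or run it as-is for the demo. The threshold only trims noise: a version-string match with a low score is still a version-string match, and the caveat in the Summary about distro patches applies to every hit regardless of score.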