Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/tomwillfixit/alpine-cvecheck

Code used to CVE check Alpine based images
https://github.com/tomwillfixit/alpine-cvecheck

Last synced: about 2 months ago
JSON representation

Code used to CVE check Alpine based images

Host: GitHub
URL: https://github.com/tomwillfixit/alpine-cvecheck
Owner: tomwillfixit
Created: 2017-05-06T21:13:51.000Z (over 7 years ago)
Default Branch: master
Last Pushed: 2017-05-07T12:19:18.000Z (over 7 years ago)
Last Synced: 2024-01-22T19:23:02.909Z (8 months ago)
Language: Shell
Size: 70.3 KB
Stars: 10
Watchers: 3
Forks: 0
Open Issues: 0
Metadata Files:
- Readme: README.md

Awesome Lists containing this project

awesome-docker - CVE Scanning Alpine images with Multi-stage builds in Docker 17.05
awesome-docker - CVE Scanning Alpine images with Multi-stage builds in Docker 17.05

README

# CVE Scanning of Alpine base images using Multi Stage builds in Docker 17.05

![data](img/data.jpg)

The tl;dr of this post is that I want to scan my Alpine based images locally for vulnerabilities before pushing the image to an online registry. Why? Well I think it makes sense that developers have the option of checking for CVE's locally and at build time. They may choose to ignore the results but it's nice to have the option. In future this could perhaps be made into a plugin or included with the docker build function.

I mentioned this to a few folks at DockerCon and decided to put together a simple demo. Using the MultiStage build feature in [Docker 17.05](https://docs.docker.com/engine/userguide/eng-image/multistage-build/) we can append a CVE scan stage into our build and run a scan at build time. I also have a service running in Docker Swarm that updates the CVE database each hour and is available to all cluster nodes where image builds happen. That's for another day.

Let's get started. This first step will take a few minutes since it downloads the CVE database which is around 800mb.

## Step 1

Build the cvechecker image. This image will contain the cvechecker tool and the CVE database. More details on cvechecker can be found [here](https://github.com/sjvermeu/cvechecker/)

```
docker build -t cvechecker:latest .

```

## Step 2

There are lots of ways to run the CVE scan. Firstly let's try using the MultiStage Dockerfile to build a Wordpress container and then run the scan.

```
docker build -t wordpress:latest --no-cache -f Dockerfile.wordpress .

```

Copy the CVE.log from the image and check inside

```
docker run -t --rm -v ${PWD}:/results wordpress:latest /bin/sh -c "mv /tmp/CVE.log /results/wordpress.CVE.log"
```

### Example output

```
File "/usr/lib/libbz2.so.1.0.6" (CPE = cpe:/a:bzip:bzip2:1.0.6:::) on host 837a64dcc771 (key 837a64dcc771)
Potential vulnerability found (CVE-2016-3189)
CVSS Score is 4.3
Full vulnerability match (incl. edition/language)

```

This CVE was detected in the libarchive package. This package is not needed and was just an example. Remove libarchive from the Dockerfile and rebuild. No vulnerability found. Great job.

## Step 3

Using the MultiStage Dockerfile we can supply a list of images and scan them all sequentially for CVE's. We could use docker-compose to replace the image name as an environment variable but in this case we will just use a bit of bash.

```
./bulk_cve_scan.sh list_of_images.txt

```

This will pull each image, copy the contents into the cvechecker image, generate a list of executables and run the cvechecker. A results file is created per image and a final report is created.

### Example output

```
*************************************
---> Image : nginx:1.13.0-alpine-perl
---> Sha : sha256:dcf49000bf50c4e93d6cc84c96f8acf985998154e09f6301cff7c62314811604
---> Created : 2017-04-25T17:25:05.511678526Z
---> Log : ./results/nginx:1.13.0-alpine-perl.CVE.log
---> Status : 1 CVE's found