My Dockerfile is pretty simple, code below. It is an Angular App. Once I merge the code to my main branch CodePipeline takes over, CodeBuild will build the image and push to ECR and CodeDeploy will use that image to deploy the ECS Fargate tasks. Everything works fine. But this image has 1 critical vulnerability. CVE-2021-22945 – curl
node14:14182alpine312 is basically built from: FROM node:14.18.2-alpine3.12
nginx:latest is built from: FROM nginx:latest
# Stage 1: build the Angular app on the Alpine-based node image
FROM <awsaccountid>.dkr.ecr.<region>.amazonaws.com/node14:14182alpine312 as builder
WORKDIR /app
COPY ./hello-world-web/ /app/
RUN apk add --no-cache git
RUN npm install
RUN npm run build
# Stage 2: serve the built files from the nginx image (only the copied files carry over)
FROM <awsaccountid>.dkr.ecr.<region>.amazonaws.com/nginx:latest
COPY --from=builder /app/dist/hello-world-web /usr/share/nginx/html
COPY --from=builder /app/nginx.conf /etc/nginx/conf.d/default.conf
EXPOSE 80
The tool that scans the ECR repo says the vulnerability is in Layer 0. Can I run any script while building the image that would fix this? Individually, the node and nginx images do not have this critical vulnerability. It seems like it could be introduced when npm install is run. Any help to remediate this is much appreciated.
2 Answers
I see that libcurl is pulled in by apk add git (click "depends"): https://pkgs.alpinelinux.org/package/edge/main/x86/git
But on alpine 3.12 the libcurl version is 7.79.1 which is not affected by the CVE: https://nvd.nist.gov/vuln/detail/CVE-2021-22945
Maybe run apk update before apk add and see if it pulls in the right version?

If it is pre-installed software and libraries, an apk update command may work. Ideally, you would be in a bit of better control, and tell apk to install a specific update, by saying e.g.

Needless to say, you may run into dependency hell, but in my experience, that happens rarely.
Also, if you are security conscious, I would suggest not just looking for security holes w.r.t. outdated images, but also w.r.t. configurations. I see an Nginx being used there, and following e.g. CIS benchmarks is also recommended. There are open source tools that can help you there (e.g. CoGuard).
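Both answers come down to "make sure the builder stage ends up with a fixed libcurl". The script below is an added example, not code from the question or either answer: a guard for the Alpine builder stage that fails the build when the libcurl pulled in by git is still in the CVE-2021-22945 range (curl 7.73.0 through 7.78.0, fixed in 7.79.0). It assumes `apk info -v libcurl` prints a line such as "libcurl-7.79.1-r0"; the sample lines at the bottom are constructed.

```shell
#!/bin/sh
# Added example (not from the question or either answer): a build-time guard
# for the Alpine builder stage. Run it right after `apk add --no-cache git`
# so the build fails when the libcurl that git pulled in is still in the
# CVE-2021-22945 affected range (curl 7.73.0 through 7.78.0, fixed in 7.79.0).
# Assumption: `apk info -v libcurl` prints a line such as "libcurl-7.79.1-r0".

# "libcurl-7.79.1-r0" -> "7.79.1": drop the package name and the -rN revision.
apk_pkg_version() {
    printf '%s\n' "$1" | sed -E 's/^.*-([0-9]+(\.[0-9]+)*)-r[0-9]+$/\1/'
}

# True (exit 0) when dotted version $1 >= $2, compared numerically field by
# field, so 7.79.1 > 7.9.0 and a missing trailing field counts as 0.
version_ge() {
    v1=$1; v2=$2
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        a=${v1%%.*}; b=${v2%%.*}
        case $v1 in *.*) v1=${v1#*.} ;; *) v1= ;; esac
        case $v2 in *.*) v2=${v2#*.} ;; *) v2= ;; esac
        [ "${a:-0}" -gt "${b:-0}" ] && return 0
        [ "${a:-0}" -lt "${b:-0}" ] && return 1
    done
    return 0
}

# Exit 0 if the installed libcurl is outside the affected range, 1 if it is
# inside it, 2 if the version cannot be parsed (so the build fails closed).
check_libcurl() {
    ver=$(apk_pkg_version "$1")
    case $ver in
        ""|*[!0-9.]*) echo "cannot parse libcurl version from '$1'"; return 2 ;;
    esac
    if version_ge "$ver" 7.73.0 && ! version_ge "$ver" 7.79.0; then
        echo "libcurl $ver is affected by CVE-2021-22945"
        return 1
    fi
    echo "libcurl $ver is outside the CVE-2021-22945 range"
    return 0
}

# Dockerfile use (after copying this script into the builder stage):
#   RUN apk add --no-cache git && . /app/check_libcurl.sh && check_libcurl "$(apk info -v libcurl)"
# Demo on constructed lines standing in for `apk info -v libcurl` output.
for line in "libcurl-7.77.0-r0" "libcurl-7.79.1-r0" "libcurl-7.78.0-r1"; do
    check_libcurl "$line" || true
done
```

Alpine sometimes backports a fix under a bumped -rN revision without changing the upstream version string, so treat a hit from this check as a prompt to read the package's secfixes entry rather than as proof the build is vulnerable.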