
My Dockerfile is pretty simple, code below. It is an Angular app. Once I merge the code to my main branch, CodePipeline takes over: CodeBuild builds the image and pushes it to ECR, and CodeDeploy uses that image to deploy the ECS Fargate tasks. Everything works fine. But this image has 1 critical vulnerability: CVE-2021-22945 (curl).

node14:14182alpine312 is basically built from: FROM node:14.18.2-alpine3.12
nginx:latest is built from: FROM nginx:latest

# Stage 1: build the Angular app on the internal Node 14 / Alpine 3.12 base image
FROM <awsaccountid>.dkr.ecr.<region>.amazonaws.com/node14:14182alpine312 as builder
WORKDIR /app
COPY ./hello-world-web/ /app/
# git is installed in the builder stage only (and brings libcurl with it as a dependency)
RUN apk add --no-cache git
RUN npm install
RUN npm run build

# Stage 2: serve the built static files from the internal nginx image
FROM <awsaccountid>.dkr.ecr.<region>.amazonaws.com/nginx:latest
COPY --from=builder /app/dist/hello-world-web /usr/share/nginx/html
COPY --from=builder /app/nginx.conf /etc/nginx/conf.d/default.conf
EXPOSE 80

The tool that scans the ECR repo says the vulnerability is in Layer 0. Can I run any script while building the image that would fix this? Individually, the node and nginx images do not have this critical vulnerability. It seems like it could be introduced when npm install is run. Any help to remediate this is much appreciated.

2 Answers


  1. I see that libcurl is pulled in by apk add git (click "depends"): https://pkgs.alpinelinux.org/package/edge/main/x86/git

    But on Alpine 3.12 the libcurl version is 7.79.1, which is not affected by the CVE: https://nvd.nist.gov/vuln/detail/CVE-2021-22945

    Maybe run apk update before apk add and see if it pulls in the right version?

  2. If it is pre-installed software and libraries, an apk update command may work. Ideally, you would be in a bit of better control, and tell apk to install a specific update, by saying e.g.

    apk add "your_package_name>=VERSION-SUFFIX"
    

    Needless to say, you may run into dependency hell, but in my experience, that happens rarely.

    Also, if you are security conscious, I would suggest not just looking for security holes wrt. outdated images, but also wrt. configurations. I see an Nginx being used there, and following e.g. the CIS benchmarks is also recommended. There are open source tools that can help you there (e.g. CoGuard).

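Both answers above come down to the same check: is the libcurl that apk add git pulls into the builder stage inside the range CVE-2021-22945 covers, and did apk update / a version pin actually move it out of that range? The script below is an added example (not code from the question or either answer) of a build-time guard that does exactly that, in the spirit of the asker's "run any script while building the image" question. The affected bounds (7.73.0 up to and including 7.78.0, fixed in 7.79.0) are assumed from the NVD entry linked in the first answer; the function names, the constructed apk info -v sample and the Dockerfile path mentioned in the comments are all hypothetical.

```shell
#!/bin/sh
# Build-time guard for CVE-2021-22945 (curl/libcurl, MQTT double free).
# Assumed bounds, taken from the NVD entry: 7.73.0 <= affected <= 7.78.0,
# first fixed release 7.79.0.
CVE_FIRST_AFFECTED="7.73.0"
CVE_FIRST_FIXED="7.79.0"

# vercmp A B: compare two dotted versions numerically, ignoring an Alpine
# "-rN" package release suffix. Prints -1, 0 or 1.
vercmp() {
    a="${1%-r*}"; b="${2%-r*}"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ -z "$ai" ] && ai=0
        [ -z "$bi" ] && bi=0
        if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return 0; fi
        if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return 0; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    printf '%s\n' 0
}

# curl_affected VERSION: exit 0 (true) when VERSION is in the affected range.
curl_affected() {
    [ "$(vercmp "$1" "$CVE_FIRST_AFFECTED")" -ge 0 ] &&
        [ "$(vercmp "$1" "$CVE_FIRST_FIXED")" -lt 0 ]
}

# check_apk_list: read "apk info -v" style lines (name-version-rN) on stdin,
# report every curl/libcurl package, and exit 1 if any is in the affected
# range so that a RUN step using it fails the image build.
check_apk_list() {
    rc=0
    while IFS= read -r pkg; do
        case "$pkg" in
            curl-[0-9]*|libcurl-[0-9]*) ;;
            *) continue ;;
        esac
        name="${pkg%%-[0-9]*}"   # "libcurl-7.77.0-r1" -> "libcurl"
        ver="${pkg#*-}"          # "libcurl-7.77.0-r1" -> "7.77.0-r1"
        if curl_affected "$ver"; then
            printf 'AFFECTED: %s %s (CVE-2021-22945)\n' "$name" "${ver%-r*}"
            rc=1
        else
            printf 'ok: %s %s\n' "$name" "${ver%-r*}"
        fi
    done
    return "$rc"
}

# Constructed sample of "apk info -v" output (not real scanner or apk output):
# the libcurl that "apk add git" brought into a builder stage before any upgrade.
SAMPLE_PKGS='musl-1.2.2-r1
git-2.26.3-r1
libcurl-7.77.0-r1
ca-certificates-20211220-r0'

# Stand-alone use. With --stdin the script checks whatever is piped in, e.g. as
# a Dockerfile step (hypothetical path):
#   RUN apk info -v | sh /tmp/check-curl-cve.sh --stdin
# Without arguments it runs over the constructed sample above.
if [ "${1:-}" = "--stdin" ]; then
    check_apk_list
else
    printf '%s\n' "$SAMPLE_PKGS" | check_apk_list || printf 'demo: build step would fail here\n'
fi
```

Run the check after apk update / apk upgrade (or after the pinned apk add from the second answer) in the builder stage: if the step passes, the installed libcurl is outside the affected range and the scanner finding should not come from that layer; if it fails, the repository the image is built from is still serving an affected package and no amount of npm install changes will fix it.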