Known Container vulnerabilities and SAST results #5

Open
chgl opened this issue May 28, 2021 · 0 comments
Comments

chgl commented May 28, 2021

Scanning the latest container using trivy reveals a total of 1744 (UNKNOWN: 5, LOW: 1123, MEDIUM: 340, HIGH: 215, CRITICAL: 61) known CVEs (not all of them fixable, though):

ghcr.io/num-codex/codex-flare:0.0.2 (debian 10.9)
=================================================
Total: 1744 (UNKNOWN: 5, LOW: 1123, MEDIUM: 340, HIGH: 215, CRITICAL: 61)

Using python:3.9-slim as a base image already reduces the surface significantly:

Total: 111 (UNKNOWN: 2, LOW: 74, MEDIUM: 11, HIGH: 22, CRITICAL: 2)

Running bandit on the repository reveals some additional points of interest:

bandit -r .
[main]  INFO    profile include tests: None
[main]  INFO    profile exclude tests: None
[main]  INFO    cli include tests: None
[main]  INFO    cli exclude tests: None
[main]  INFO    running on Python 3.9.0
Run started:2021-05-28 14:45:36.807982

Test results:
>> Issue: [B405:blacklist] Using xml.etree.ElementTree to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.
   Severity: Low   Confidence: High
   Location: .\src\algorithm\steps\build_xml_response.py:2
   More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b405-import-xml-etree
1       from typing import List
2       import xml.etree.ElementTree as Etree
3       import time

--------------------------------------------------
>> Issue: [B405:blacklist] Using xml.etree.ElementTree to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.
   Severity: Low   Confidence: High
   Location: .\src\fhir\fhir_executor.py:1
   More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b405-import-xml-etree
1       import xml.etree.ElementTree as Etree
2       from typing import List, Tuple, Optional
3

--------------------------------------------------
>> Issue: [B501:request_with_no_cert_validation] Requests call with verify=False disabling SSL certificate checks, security issue.
   Severity: High   Confidence: High
   Location: .\src\fhir\fhir_executor.py:57
   More Info: https://bandit.readthedocs.io/en/latest/plugins/b501_request_with_no_cert_validation.html
56          params = dict(parse_qsl(parsed_url.query))
57          response = requests.post(urlunparse(new_q), data=params, verify=False)
58

--------------------------------------------------
>> Issue: [B314:blacklist] Using xml.etree.ElementTree.fromstring to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree.fromstring with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called
   Severity: Medium   Confidence: High
   Location: .\src\fhir\fhir_executor.py:62
   More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html#b313-b320-xml-bad-elementtree
61
62          x_response = Etree.fromstring(response.text)
63          return get_next_page_url(x_response), x_response

--------------------------------------------------
>> Issue: [B405:blacklist] Using xml.etree.ElementTree to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.
   Severity: Low   Confidence: High
   Location: .\src\fhir\fhir_parser.py:1
   More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b405-import-xml-etree
1       import xml.etree.ElementTree as Etree
2       from typing import List, Set
3

--------------------------------------------------
>> Issue: [B405:blacklist] Using xml.etree.ElementTree to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.
   Severity: Low   Confidence: High
   Location: .\src\query_parser\i2b2\i2b2_parser.py:2
   More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b405-import-xml-etree
1       import json
2       import xml.etree.ElementTree as Etree
3       from typing import List

--------------------------------------------------
>> Issue: [B314:blacklist] Using xml.etree.ElementTree.fromstring to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree.fromstring with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called
   Severity: Medium   Confidence: High
   Location: .\src\query_parser\i2b2\i2b2_parser.py:22
   More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b313-b320-xml-bad-elementtree
21      def parse_i2b2_query_xml_string(xml: str) -> List[List[List[dict]]]:
22          root = Etree.fromstring(xml)
23          panels = []

--------------------------------------------------
>> Issue: [B405:blacklist] Using ElementTree to parse untrusted XML data is known to be vulnerable to XML attacks. Replace ElementTree with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.
   Severity: Low   Confidence: High
   Location: .\src\run_server.py:10
   More Info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b405-import-xml-etree
9       from uuid import uuid4, UUID
10      from xml.etree import ElementTree as Etree
11
12
13      from flask import Flask as Flask, request, Response

--------------------------------------------------

Code scanned:
        Total lines of code: 1381
        Total lines skipped (#nosec): 0

Run metrics:
        Total issues (by severity):
                Undefined: 0.0
                Low: 5.0
                Medium: 2.0
                High: 1.0
        Total issues (by confidence):
                Undefined: 0.0
                Low: 0.0
                Medium: 0.0
                High: 8.0
Files skipped (0):

Both trivy and bandit could be integrated into the CI workflow. Maybe CodeQL for Python is worth a look as well.
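As an added example (not code from the codex-flare project or from the issue author), one stdlib-only way to address the B405/B314 findings above when adding the defusedxml dependency is not an option: drive expat directly, refuse DOCTYPE and entity declarations, and feed the parse events into ElementTree's TreeBuilder so existing `find`/`findall` lookups on the FHIR namespace keep working unchanged. The Bundle sample, the DTD sample and the `next_page_url` helper are constructed stand-ins for the page's `response.text` and `get_next_page_url`, not the project's own data or code.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat

FHIR_NS = "{http://hl7.org/fhir}"
# Constructed sample shaped like a paged FHIR search response (not real data).
SAMPLE_BUNDLE = """<?xml version="1.0"?>
<Bundle xmlns="http://hl7.org/fhir">
  <link><relation value="next"/><url value="https://fhir.example.invalid/Patient?page=2"/></link>
  <total value="1"/>
</Bundle>"""
# Constructed sample carrying an inline DTD, which the hardened parser must refuse.
DTD_SAMPLE = '<!DOCTYPE Bundle [<!ENTITY e "x">]><Bundle>&e;</Bundle>'

class UnsafeXMLError(ValueError):
    """Raised when a document uses the DTD/entity features behind XML entity attacks."""

def _fixname(name: str) -> str:
    # Mirror ElementTree's "{namespace}local" naming so lookups behave as with ET.fromstring.
    return "{" + name if "}" in name else name

def parse_untrusted_xml(text: str) -> ET.Element:
    """Build an ElementTree Element with expat while refusing DOCTYPE and entity declarations."""
    parser = expat.ParserCreate(namespace_separator="}")
    builder = ET.TreeBuilder()
    def forbid(*_args):
        raise UnsafeXMLError("DOCTYPE and entity declarations are not allowed in untrusted XML")
    parser.StartDoctypeDeclHandler = forbid
    parser.EntityDeclHandler = forbid
    parser.StartElementHandler = lambda name, attrs: builder.start(
        _fixname(name), {_fixname(k): v for k, v in attrs.items()})
    parser.EndElementHandler = lambda name: builder.end(_fixname(name))
    parser.CharacterDataHandler = builder.data
    parser.Parse(text, True)  # an exception raised in a handler propagates out of Parse
    return builder.close()

def rejects_untrusted_xml(text: str) -> bool:
    """True when the hardened parser refuses the document."""
    try:
        parse_untrusted_xml(text)
        return False
    except UnsafeXMLError:
        return True

def next_page_url(bundle: ET.Element):
    """Return the Bundle's 'next' link URL or None (hypothetical stand-in for get_next_page_url)."""
    for link in bundle.findall(f"{FHIR_NS}link"):
        relation, url = link.find(f"{FHIR_NS}relation"), link.find(f"{FHIR_NS}url")
        if relation is not None and url is not None and relation.get("value") == "next":
            return url.get("value")
    return None
```

Because both DTDs and entity declarations are refused before any element is built, the entity-expansion and external-entity classes bandit warns about cannot reach the tree; well-formed FHIR responses parse exactly as before.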
