@garethr
Created November 12, 2019 20:43
Using Snyk to test CNAB bundles for vulnerabilities

One of the neat things about CNAB invocation images is that they are just Docker images. That means tools built to work with Docker images work just as well with CNAB. Snyk is one such tool: it can be used to find known vulnerabilities in the OS packages of a Docker image.

With a little jq and xargs we can test the invocation images of a bundle loaded into Duffle like so (jq prints the image reference wrapped in quotes; xargs strips them, although jq -r is the more explicit choice):

$ duffle bundle show helloworld | jq .invocationImages[].image | xargs -L1 -I'{}' snyk test --docker {}

Testing deislabs/helloworld-cnab:e9beebb5ff3fdadbeb6c4eb8ce240f4ccc077183...

Organization:      garethr
Package manager:   apk
Docker image:      deislabs/helloworld-cnab:e9beebb5ff3fdadbeb6c4eb8ce240f4ccc077183
Licenses:          enabled

✓ Tested 19 dependencies for known issues, no vulnerable paths found

If you're using Porter, the same pipeline works on the output of porter inspect. Passing --file=Dockerfile (with the bundle's Dockerfile in the current directory) lets Snyk identify the base image and recommend upgrades:

$ porter inspect -o json | jq .invocationImages[].image | xargs -L1 -I'{}' snyk test --docker {} --file=Dockerfile
Testing deislabs/porter-hello:latest...
...
✗ High severity vulnerability found in glibc/libc-bin
  Description: Out-of-Bounds
  Info: https://snyk.io/vuln/SNYK-LINUX-GLIBC-452129
  Introduced through: glibc/libc-bin@2.24-11+deb9u4, meta-common-packages@meta
  From: glibc/libc-bin@2.24-11+deb9u4
  From: meta-common-packages@meta > glibc/libc6@2.24-11+deb9u4
  From: meta-common-packages@meta > glibc/multiarch-support@2.24-11+deb9u4
  Introduced by your base image (debian:stretch)

✗ High severity vulnerability found in gcc-6/libstdc++6
  Description: Out-of-Bounds
  Info: https://snyk.io/vuln/SNYK-LINUX-GCC6-447561
  Introduced through: gcc-6/libstdc++6@6.3.0-18+deb9u1, apt/libapt-pkg5.0@1.4.9, apt@1.4.9, meta-common-packages@meta
  From: gcc-6/libstdc++6@6.3.0-18+deb9u1
  From: apt/libapt-pkg5.0@1.4.9 > gcc-6/libstdc++6@6.3.0-18+deb9u1
  From: apt@1.4.9 > gcc-6/libstdc++6@6.3.0-18+deb9u1
  and 2 more...
  Introduced by your base image (debian:stretch)

✗ High severity vulnerability found in elfutils/libelf1
  Description: Double Free
  Info: https://snyk.io/vuln/SNYK-LINUX-ELFUTILS-172940
  Introduced through: iproute2@4.9.0-1+deb9u1
  From: iproute2@4.9.0-1+deb9u1 > elfutils/libelf1@0.168-1
  Introduced by your base image (debian:stretch)

✗ High severity vulnerability found in bzip2/libbz2-1.0
  Description: Out-of-bounds Write
  Info: https://snyk.io/vuln/SNYK-LINUX-BZIP2-450767
  Introduced through: meta-common-packages@meta
  From: meta-common-packages@meta > bzip2/libbz2-1.0@1.0.6-8.1
  Introduced by your base image (debian:stretch)


Organization:      garethr
Package manager:   deb
Target file:       Dockerfile
Docker image:      deislabs/porter-hello:latest
Base image:        debian:stretch
Licenses:          enabled

Tested 87 dependencies for known issues, found 72 issues.

Base Image      Vulnerabilities  Severity
debian:stretch  70               29 high, 35 medium, 6 low

Recommendations for base image upgrade:

Major upgrades
Base Image   Vulnerabilities  Severity
debian:10.1  45               16 high, 21 medium, 8 low

Alternative image types
Base Image          Vulnerabilities  Severity
debian:buster-slim  43               15 high, 20 medium, 8 low
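As an added example (not code from this gist, nor from Duffle, Porter or Snyk), here is the same pipeline as a small Python script suitable for a CI job: it reads the bundle document that duffle bundle show or porter inspect -o json emit, pins each invocation image to its contentDigest when the bundle records one (a scan of a mutable tag such as :latest only describes whatever that tag pointed at when the scan ran), and runs snyk test --docker once per image, exiting non-zero if any scan reported findings. The sample bundle and its digest value are constructed, the field names are assumed to follow the CNAB 1.0 bundle.json shape, and the script assumes the registry serves the image by digest; snyk's exit code convention (0 clean, 1 issues found) is from its CLI documentation.

```python
"""Scan every CNAB invocation image in a bundle with Snyk (added example)."""
import json
import subprocess
import sys

# Constructed sample in the shape of a CNAB 1.0 bundle.json (assumption: the
# field names follow the CNAB core spec; the digest value is made up).
SAMPLE_BUNDLE = json.dumps({
    "schemaVersion": "v1.0.0",
    "name": "helloworld",
    "version": "0.1.0",
    "invocationImages": [
        {"imageType": "docker",
         "image": "deislabs/helloworld-cnab:e9beebb5ff3fdadbeb6c4eb8ce240f4ccc077183",
         "contentDigest": "sha256:" + "ab" * 32},
        {"imageType": "docker",
         "image": "deislabs/porter-hello:latest"},
    ],
})


def pin_to_digest(ref, digest):
    """Replace the tag (if any) in an image reference with name@digest."""
    name = ref.rsplit("@", 1)[0]          # drop an existing digest
    slash, colon = name.rfind("/"), name.rfind(":")
    if colon > slash:                     # a ':' after the last '/' is a tag,
        name = name[:colon]               # not a registry port
    return f"{name}@{digest}"


def invocation_image_refs(bundle_json):
    """One pullable reference per invocation image, digest-pinned when possible."""
    bundle = json.loads(bundle_json)
    refs = []
    for img in bundle.get("invocationImages", []):
        if img.get("imageType", "docker") not in ("docker", "oci"):
            continue                      # snyk --docker only handles container images
        ref = img["image"]
        if img.get("contentDigest"):
            ref = pin_to_digest(ref, img["contentDigest"])
        refs.append(ref)
    return refs


def snyk_command(ref, dockerfile=None):
    """argv for one scan; --file lets snyk name the base image and suggest upgrades."""
    cmd = ["snyk", "test", "--docker", ref]
    if dockerfile:
        cmd.append(f"--file={dockerfile}")
    return cmd


def scan_bundle(bundle_json, dockerfile=None, runner=subprocess.run):
    """Run one scan per invocation image and return {ref: exit code}.

    snyk exits 0 when no issues were found and 1 when vulnerabilities were
    found (other codes are errors), so a CI job can gate on any non-zero value.
    """
    return {ref: runner(snyk_command(ref, dockerfile)).returncode
            for ref in invocation_image_refs(bundle_json)}


def offline_runner(argv):
    """Stand-in for subprocess.run when snyk/docker are unavailable: pretends
    mutable ':latest' references have findings so the gating logic can be seen."""
    return subprocess.CompletedProcess(argv, 1 if argv[3].endswith(":latest") else 0)


if __name__ == "__main__":
    # Usage: duffle bundle show helloworld | python3 scan_cnab.py [Dockerfile]
    doc = SAMPLE_BUNDLE if sys.stdin.isatty() else sys.stdin.read()
    results = scan_bundle(doc, dockerfile=sys.argv[1] if len(sys.argv) > 1 else None)
    for ref, code in results.items():
        print(f"{ref}: {'no issues' if code == 0 else 'issues or error (exit %d)' % code}")
    sys.exit(1 if any(results.values()) else 0)
```

Run with the real snyk CLI by piping the bundle document in; with no stdin it scans the constructed sample. The digest pinning is the part worth keeping even if you stay with jq and xargs: it makes the scan result describe the bytes the bundle actually pins rather than whatever a tag resolves to on the day.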