Analyzing 'trole-api:latest' with Docker Scout


Next week, the SpeakNetwork Community plans to continue testing the local Storage-Node software during our TestNet-Sprint. In preparation for this event, I have conducted a thorough analysis of the Docker container using Docker-Scout, and I am sharing the results in this article. This analysis aims to provide guidance and assistance to the developers, urging them to review the package carefully and address some of the identified security vulnerabilities before we proceed with further testing.

I understand that addressing these issues may require significant effort, but I believe it is essential for ensuring the security and reliability of the software. The SpeakNetwork Community is ready and willing to assist by testing newer packages and providing direct feedback across various systems. Our collective goal is to improve the software's robustness and security, creating a more reliable platform for all users.

This article outlines the vulnerabilities found, categorized by severity, and offers recommendations for updating or changing the base image to mitigate these risks. I encourage the developers to prioritize these security fixes, as it will significantly enhance the testing process and overall software quality. We are committed to supporting the developers in this endeavor, ensuring that our testing environment is as secure and stable as possible.

Docker Container Analysis with Docker-Scout

The following presents the analysis results of a Docker container using Docker-Scout to help the software author address potential vulnerabilities.


Overview

Analyzed Image

  • Target: local://trole-api:latest
  • Digest: 17558460b011
  • Platform: linux/amd64
  • Vulnerabilities: 2C 9H 8M 108L 7?
  • Size: 530 MB
  • Packages: 1087

Packages and Vulnerabilities

1. git 1:2.39.2-1.1

2. crypto-js 3.3.0

3. node-forge 0.7.6

4. node-forge 0.10.0

5. ip 1.1.9

6. libwmf 0.2.12-5.1

7. nghttp2 1.52.0-1+deb12u1

8. axios 0.27.2

9. openjpeg2 2.5.0-2

10. tiff 4.5.0-6+deb12u1

11. openssh 1:9.2p1-2+deb12u2

12. imagemagick 8:6.9.11.60+dfsg-1.6+deb12u1

13. glibc 2.36-9+deb12u7

14. binutils 2.40-2

15. patch 2.7.6-7

16. openldap 2.5.13+dfsg-5

17. systemd 252.22-1~deb12u1

18. m4 1.4.19-3

19. shadow 1:4.13+dfsg1-1

20. perl 5.36.0-7+deb12u1

21. expat 2.5.0-1

22. util-linux 2.38.1-5+deb12u1

23. gnutls28 3.7.9-2+deb12u2

24. gnupg2 2.2.40-1.1

25. libxml2 2.9.14+dfsg-1.3~deb12u1

26. apt 2.6.1

27. libxslt 1.1.35-1

28. libgcrypt20 1.10.1-3

29. sqlite3 3.40.1-2

30. libpng1.6 1.6.39-2

31. curl 7.88.1-10+deb12u5

32. coreutils 9.1-1

33. gcc-12 12.2.0-14

34. libheif 1.15.1-1

35. tar 1.34+dfsg-1.2+deb12u1

36. krb5 1.20.1-2+deb12u1

37. glib2.0 2.74.6-2+deb12u2

38. jbigkit 2.1-6.1

39. unzip 6.0-28

40. openexr 3.1.5-5

41. openssl 3.0.11-1~deb12u2

42. elfutils 0.188-2.1

43. pixman 0.42.2-1

44. jansson 2.14-2

45. libyaml 0.2.5-1

46. aom 3.6.0-1

Summary of Findings

  • 134 vulnerabilities found in 46 packages:
    • 2 Critical
    • 9 High
    • 8 Medium
    • 108 Low
    • 7 Unspecified

Conclusion

The analysis reveals multiple critical and high vulnerabilities in the Docker container. It is recommended to update the affected packages or find alternative solutions to ensure the container's security.

For detailed information, refer to the provided CVE and GMS links.


Recommended fixes

Base Image Information

Base image: node:18

  • Name: 18
  • Digest: sha256:7176e37dd29986e14c923bb38f2331f767e167c944915448091039d66dfd1029
  • Vulnerabilities: 1C, 2H, 3M, 103L, 3?
  • Pushed: 1 month ago
  • Size: 396 MB
  • Packages: 747
  • Runtime: 18

The base image is also available under the supported tag(s): 18-bookworm, 18.20, 18.20-bookworm, 18.20.3, 18.20.3-bookworm, hydrogen, hydrogen-bookworm. To display recommendations for a different tag, re-run the command using the --tag flag.

Refresh Base Image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

Current Status: This image version is up to date.

Change Base Image

The list displays new recommended tags in descending order, where the top results are rated as most suitable.

Tag: 22-slim
  • Pushed: 2 weeks ago
  • Vulnerabilities: 0C, 0H, 0M, 23L
  • Benefits:
    - Image is smaller by 305 MB
    - Image contains 425 fewer packages
    - Major runtime version update
    - Tag was pushed more recently
    - Image introduces no new vulnerability but removes 86
    - Tag is using slim variant

Tag: 20-slim
  • Pushed: 1 day ago
  • Vulnerabilities: 0C, 0H, 0M, 23L
  • Benefits:
    - Image is smaller by 309 MB
    - Image contains 423 fewer packages
    - Major runtime version update
    - Tag was pushed more recently
    - Image introduces no new vulnerability but removes 86
    - Tag is using slim variant

Tag: 22
  • Pushed: 2 weeks ago
  • Vulnerabilities: 1C, 2H, 3M, 103L, 3?
  • Benefits:
    - Image contains 2 fewer packages
    - Major runtime version update
    - Tag was pushed more recently
    - Image has similar size
    - Tag is latest
    - Image has same number of vulnerabilities

Tag: 18-slim
  • Pushed: 1 month ago
  • Vulnerabilities: 0C, 0H, 0M, 23L
  • Benefits:
    - Image is smaller by 312 MB
    - Image contains 423 fewer packages
    - Image introduces no new vulnerability but removes 86
    - Tag is using slim variant
    - 18-slim was pulled 33K times last month

Tag: 20
  • Pushed: 1 day ago
  • Vulnerabilities: 1C, 2H, 3M, 103L, 3?
  • Benefits:
    - Major runtime version update
    - Tag was pushed more recently
    - Image has similar size
    - Image has same number of vulnerabilities
    - Image contains equal number of packages

Image details:

  • 22-slim: Size: 76 MB, Runtime: 22
  • 20-slim: Size: 71 MB, Runtime: 20.15.0
  • 22: Size: 402 MB, Runtime: 22
  • 18-slim: Size: 69 MB, Runtime: 18
  • 20: Size: 398 MB, Runtime: 20.15.0
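Added here as an example (it is not code from the original post or from the trole-api project): a small POSIX shell script that turns the recommendation above into a repeatable check. It parses a Docker Scout summary such as "2C 9H 8M 108L 7?" into a pass/fail gate on critical and high findings, and wraps the rebuild-on-slim-base and re-scan steps. The Dockerfile location, the choice of node:22-slim, and the script name scout-gate.sh are assumptions; the image reference local://trole-api:latest is the one from the report.

```shell
#!/bin/sh
# Added example, not from the original post or the trole-api project.
# Gates a Docker Scout scan on critical/high counts and wraps the
# rebuild-on-slim-base + re-scan steps the report recommends.
# Assumptions: Dockerfile in the current directory, node:22-slim chosen
# as the new base, image reference local://trole-api:latest as scanned.

# scout_gate "2C 9H 8M 108L 7?" -> returns 0 only when no critical or
# high findings are present. Also accepts the comma form used in the
# base-image table, e.g. "1C, 2H, 3M, 103L, 3?". Prints the parsed counts.
scout_gate() {
    summary="$1"
    crit=0
    high=0
    set -f                      # no glob expansion of tokens like "7?"
    for tok in $summary; do
        tok="${tok%,}"          # drop a trailing comma, if any
        case "$tok" in
            *C) crit="${tok%C}" ;;
            *H) high="${tok%H}" ;;
        esac
    done
    set +f
    echo "critical=$crit high=$high"
    [ "$crit" -eq 0 ] && [ "$high" -eq 0 ]
}

# Rebuild on the slim base and re-scan. Before running this, change the
# Dockerfile's base line:
#   FROM node:18        ->   FROM node:22-slim
# (22-slim: 305 MB and 425 packages fewer, 86 vulnerabilities removed,
# according to the report above.)
rebuild_and_rescan() {
    docker build -t trole-api:latest .
    # --exit-code returns 2 while findings remain; --only-severity
    # restricts the gate to critical and high.
    docker scout cves --exit-code --only-severity critical,high \
        local://trole-api:latest
}

# The live docker steps run only when explicitly requested:
#   sh scout-gate.sh rebuild
if [ "${1:-}" = "rebuild" ]; then
    rebuild_and_rescan
fi
```

With the current summary the gate fails (2 critical, 9 high); with the 22-slim counts (0C, 0H, 0M, 23L) it passes, which is the state worth reaching before the TestNet-Sprint.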

I hope this helps. If you need further details, hit me up, or install Docker Desktop with the Docker Scout integration to analyse Docker containers yourself.

Thanks and Greetings.
