mirror of
https://github.com/aquasecurity/kube-bench.git
synced 2024-12-25 16:08:08 +00:00
20ad80577c
During a recent CVE scan we found kube-bench to use `alpine:3.18` as the final image which has a known high CVE. ``` grype aquasec/kube-bench:v0.6.15 ✔ Vulnerability DB [no update available] ✔ Loaded image ✔ Parsed image ✔ Cataloged packages [73 packages] ✔ Scanning image... [4 vulnerabilities] ├── 0 critical, 4 high, 0 medium, 0 low, 0 negligible └── 4 fixed NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY libcrypto3 3.1.0-r4 3.1.1-r0 apk CVE-2023-2650 High libssl3 3.1.0-r4 3.1.1-r0 apk CVE-2023-2650 High openssl 3.1.0-r4 3.1.1-r0 apk CVE-2023-2650 High ``` The CVE in question was addressed in the latest [alpine release](https://www.alpinelinux.org/posts/Alpine-3.15.9-3.16.6-3.17.4-3.18.2-released.html), hence updating the dockerfiles accordingly
50 lines
1.7 KiB
Docker
50 lines
1.7 KiB
Docker
FROM golang:1.20.6 AS build
|
||
WORKDIR /go/src/github.com/aquasecurity/kube-bench/
|
||
COPY makefile makefile
|
||
COPY go.mod go.sum ./
|
||
COPY main.go .
|
||
COPY check/ check/
|
||
COPY cmd/ cmd/
|
||
COPY internal/ internal/
|
||
ARG KUBEBENCH_VERSION
|
||
RUN make build && cp kube-bench /go/bin/kube-bench
|
||
|
||
FROM alpine:3.18.2 AS run
|
||
WORKDIR /opt/kube-bench/
|
||
# add GNU ps for -C, -o cmd, and --no-headers support
|
||
# https://github.com/aquasecurity/kube-bench/issues/109
|
||
RUN apk --no-cache add procps
|
||
|
||
# Upgrading apk-tools to remediate CVE-2021-36159 - https://snyk.io/vuln/SNYK-ALPINE314-APKTOOLS-1533752
|
||
# https://github.com/aquasecurity/kube-bench/issues/943
|
||
RUN apk --no-cache upgrade apk-tools
|
||
|
||
# Openssl is used by OpenShift tests
|
||
# https://github.com/aquasecurity/kube-bench/issues/535
|
||
# Ensuring that we update/upgrade before installing openssl, to mitigate CVE-2021-3711 and CVE-2021-3712
|
||
RUN apk update && apk upgrade && apk --no-cache add openssl
|
||
|
||
# Add glibc for running oc command
|
||
RUN wget -q -O /etc/apk/keys/sgerrand.rsa.pub https://alpine-pkgs.sgerrand.com/sgerrand.rsa.pub
|
||
RUN apk add gcompat
|
||
RUN apk add jq
|
||
|
||
ENV PATH=$PATH:/usr/local/mount-from-host/bin
|
||
|
||
COPY --from=build /go/bin/kube-bench /usr/local/bin/kube-bench
|
||
COPY entrypoint.sh .
|
||
COPY cfg/ cfg/
|
||
ENTRYPOINT ["./entrypoint.sh"]
|
||
CMD ["install"]
|
||
|
||
# Build-time metadata as defined at http://label-schema.org
|
||
ARG BUILD_DATE
|
||
ARG VCS_REF
|
||
LABEL org.label-schema.build-date=$BUILD_DATE \
|
||
org.label-schema.name="kube-bench" \
|
||
org.label-schema.description="Run the CIS Kubernetes Benchmark tests" \
|
||
org.label-schema.url="https://github.com/aquasecurity/kube-bench" \
|
||
org.label-schema.vcs-ref=$VCS_REF \
|
||
org.label-schema.vcs-url="https://github.com/aquasecurity/kube-bench" \
|
||
org.label-schema.schema-version="1.0"
|