ci: fix s360 security vulnerability#25876
Conversation
/azp run Azure.sonic-buildimage
Azure Pipelines successfully started running 1 pipeline(s).
Pull request overview
This PR aims to address reported S360 security vulnerabilities by updating selected dependency versions used by the docker-ptf build and its published version manifest.
Changes:
- Bump `pip` and `setuptools` versions in the `docker-ptf` py3 versions manifest.
- Update `docker-ptf` image build inputs (grpcurl, ipython, tac_plus, protobuf pin, gnoic).
- Update the gnxi patch to require a newer `protobuf` for `gnmi_cli_py`.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| files/build/versions-public/dockers/docker-ptf/versions-py3 | Updates published python package versions for docker-ptf py3. |
| dockers/docker-ptf/gnxi-patches/0005-Enhance-gnmi_cli_py-4.patch | Updates gnxi gnmi_cli_py requirements (protobuf) in the applied patch. |
| dockers/docker-ptf/Dockerfile.j2 | Updates several pinned tool/component versions and adjusts protobuf pinning behavior. |
Comments suppressed due to low confidence (1)
dockers/docker-ptf/Dockerfile.j2:115
- This Dockerfile downloads the `grpcurl` binary directly from GitHub using `curl` and installs it into the image without any integrity verification (no checksum or signature check). If the upstream GitHub release or the network path is compromised, a malicious binary could be embedded into the container and later executed with its privileges. To harden the supply chain, pin this download to a specific immutable artifact and verify its integrity (for example by checking a known SHA-256 digest) before installing.
&& GRPCURL_VERSION=1.9.3 && \
curl -L "https://github.com/fullstorydev/grpcurl/releases/download/v${GRPCURL_VERSION}/grpcurl_${GRPCURL_VERSION}_${GRPCURL_ARCH}.tar.gz" \
-o /tmp/grpcurl_${GRPCURL_VERSION}_${GRPCURL_ARCH}.tar.gz && \
cd /tmp && \
tar xvf grpcurl_${GRPCURL_VERSION}_${GRPCURL_ARCH}.tar.gz && \
mv grpcurl /usr/local/bin/grpcurl && \
chmod +x /usr/local/bin/grpcurl && \
Force-pushed f9428e8 to d9f6707.
/azp run Azure.sonic-buildimage
Azure Pipelines successfully started running 1 pipeline(s).
Force-pushed d9f6707 to f2eef60.
/azp run Azure.sonic-buildimage
Azure Pipelines successfully started running 1 pipeline(s).
Force-pushed f2eef60 to eb467f8.
/azp run Azure.sonic-buildimage
Azure Pipelines successfully started running 1 pipeline(s).
Pull request overview
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
Comments suppressed due to low confidence (2)
dockers/docker-ptf/Dockerfile.j2:115
- This build step downloads a prebuilt `grpcurl` binary from GitHub and installs it directly into the image without verifying a checksum or signature. A compromise of the release artifact or a successful MITM attack on that URL would allow arbitrary code to be added to the image and executed as root. Fetch a specific release artifact and validate its hash (or signature) before installation, or vendor the binary into the build context instead of downloading it at build time.
&& GRPCURL_VERSION=1.9.3 && \
curl -L "https://github.com/fullstorydev/grpcurl/releases/download/v${GRPCURL_VERSION}/grpcurl_${GRPCURL_VERSION}_${GRPCURL_ARCH}.tar.gz" \
-o /tmp/grpcurl_${GRPCURL_VERSION}_${GRPCURL_ARCH}.tar.gz && \
cd /tmp && \
tar xvf grpcurl_${GRPCURL_VERSION}_${GRPCURL_ARCH}.tar.gz && \
mv grpcurl /usr/local/bin/grpcurl && \
chmod +x /usr/local/bin/grpcurl && \
dockers/docker-ptf/Dockerfile.j2:163
- This Docker build clones and installs `scapy-vxlan` from GitHub without pinning to an immutable commit or verifying the code's integrity. If the upstream repository or its default branch is compromised, a malicious commit could be pulled into builds and executed as root inside the container. Pin this dependency to a specific commit SHA or vetted archive and, ideally, verify its hash before running `python setup.py install`.
&& git clone https://github.com/p4lang/scapy-vxlan.git \
&& cd scapy-vxlan \
&& python setup.py install \
&& cd .. \
&& rm -fr scapy-vxlan \
Force-pushed eb467f8 to 1b467c8.
/azp run Azure.sonic-buildimage
Azure Pipelines successfully started running 1 pipeline(s).
Force-pushed 1b467c8 to d575cf7.
/azp run Azure.sonic-buildimage
Azure Pipelines successfully started running 1 pipeline(s).
dockers/dockerfile-macros.j2
| @@ -41,7 +41,7 @@ COPY \ | |||
| {% macro install_offending_packages(packages) -%} | |||
| {%- for pkg in packages %} | |||
| RUN pip3 install {{ pkg }} | |||
| RUN pip3 install setuptools==51.0.0 | |||
| RUN pip3 install setuptools>=65.5.1 | |||
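Review bot: the replacement line `RUN pip3 install setuptools>=65.5.1` trades an exact pin for an open lower bound, so every build resolves whatever setuptools release the index serves that day and the remediated version is not recorded anywhere; beyond quoting the spec so the shell does not treat `>` as a redirect, pin the exact vetted version (or add an upper bound) and keep it in the versions manifest this PR already updates. The line also sits after `RUN pip3 install {{ pkg }}` inside the `{%- for pkg in packages %}` macro body, so each offending package is installed with the old setuptools first and the upgrade repeats once per package; upgrading setuptools once before the loop avoids both.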
pip3 install setuptools>=65.5.1 will be parsed by the shell as output redirection because of the unquoted > character, so it will not apply the intended version constraint (and may create a stray file named =65.5.1 in the image). Quote or escape the requirement spec (and consider adding --upgrade) so pip reliably installs a non-vulnerable setuptools version.
| RUN pip3 install setuptools>=65.5.1 | |
| RUN pip3 install --upgrade 'setuptools>=65.5.1' |
Force-pushed d575cf7 to 0bf76a8.
/azp run Azure.sonic-buildimage
Azure Pipelines successfully started running 1 pipeline(s).
Force-pushed 0bf76a8 to cb6b282.
/azp run Azure.sonic-buildimage
Azure Pipelines successfully started running 1 pipeline(s).
| # Since gnxi were generated with proto 3.x we need to regenerate _pb2 with the new proto version | ||
| RUN cd gnxi \ | ||
| && quilt push -a | ||
| && quilt push -a \ | ||
| && cd gnmi_cli_py \ | ||
| && wget -q -O gnmi_ext.proto https://raw.githubusercontent.com/openconfig/gnmi/master/proto/gnmi_ext/gnmi_ext.proto \ | ||
| && wget -q -O gnmi.proto https://raw.githubusercontent.com/openconfig/gnmi/master/proto/gnmi/gnmi.proto \ | ||
| && sed -i 's|github.com/openconfig/gnmi/proto/gnmi_ext/gnmi_ext.proto|gnmi_ext.proto|' gnmi.proto \ | ||
| && python -m grpc_tools.protoc -I. --python_out=. --grpc_python_out=. gnmi_ext.proto gnmi.proto \ | ||
| && rm -f gnmi.proto gnmi_ext.proto |
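Review bot: the two `wget -q -O ... master` lines fetch unpinned proto definitions at build time, so the regenerated `_pb2` stubs can change between builds without any change in this repository; pin the URLs to a commit SHA or release tag and check the downloads against a recorded SHA-256 before invoking `grpc_tools.protoc`, or vendor `gnmi.proto` and `gnmi_ext.proto` next to the gnxi patches. The regenerated stubs also have to match the protobuf runtime this PR pins, and the generated version requirement is decided by the protoc bundled in `grpcio-tools`, so that package needs an explicit pin alongside protobuf.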
The gnxi/gnmi_cli_py installation differs by PTF_ENV_PY_VER: in the else branch (non-"mixed", including the default bookworm/py3 image) the Dockerfile no longer runs pip install -r requirements.txt. That means gnmi_cli_py dependencies won't be installed, and the gNMI client setup will likely be incomplete even though the proto stubs are regenerated. Add the requirements installation back in this branch (before/after regenerating the stubs as appropriate).
| # Security fixes: upgrade vulnerable system packages (S360 scan remediation) | ||
| RUN apt-get update && apt-get install -y --only-upgrade \ | ||
| telnet \ | ||
| inetutils-telnet \ | ||
| && rm -rf /var/lib/apt/lists/* |
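Review bot: `apt-get install -y --only-upgrade` silently succeeds for a package that is not installed in the image, so this step cannot demonstrate that the telnet finding is remediated, and the resolved version is not visible in the build. Either pin the fixed versions explicitly (e.g. `inetutils-telnet=<fixed-version-from-the-S360-report>`) or follow the upgrade with a `dpkg -s` check that fails the build below the fixed version, and fold it into the existing apt step rather than adding a separate layer.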
This block introduces another apt-get update + upgrade step, but earlier in the Dockerfile the image already runs apt-get upgrade and apt-get dist-upgrade before installing packages. Keeping an extra upgrade layer here is redundant and increases build time/layer count; consider removing it or folding the needed package remediation into the first apt step.
| && wget -q -O gnmi_ext.proto https://raw.githubusercontent.com/openconfig/gnmi/master/proto/gnmi_ext/gnmi_ext.proto \ | ||
| && wget -q -O gnmi.proto https://raw.githubusercontent.com/openconfig/gnmi/master/proto/gnmi/gnmi.proto \ | ||
| && sed -i 's|github.com/openconfig/gnmi/proto/gnmi_ext/gnmi_ext.proto|gnmi_ext.proto|' gnmi.proto \ | ||
| && python -m grpc_tools.protoc -I. --python_out=. --grpc_python_out=. gnmi_ext.proto gnmi.proto \ |
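Review bot: these four lines repeat the proto download and stub regeneration already present in the other `PTF_ENV_PY_VER` branch verbatim; moving them into a single Jinja macro (or vendoring the two .proto files once) keeps the pin and its checksum in one place so the two branches cannot drift apart when one is updated.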
This branch downloads gnmi.proto and gnmi_ext.proto directly from the openconfig/gnmi master branch at build time. That makes builds non-reproducible and introduces supply-chain risk (content can change without notice). Please pin these downloads to a specific commit/tag (and ideally verify with a checksum) or vendor the proto files in-repo.
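The check asked for in both `grpcurl` comments and in the proto-download comment above, as an added example that is not code from the sonic-buildimage project or from this PR: a POSIX shell helper that refuses to install a downloaded artifact unless its SHA-256 equals a digest recorded in the build. The function names `install_verified` and `sha256_of`, and the sample tarball the demo builds in place of a real release archive, are all constructed here; in the Dockerfile the expected digest would be a constant set beside `GRPCURL_VERSION`, taken from the release's published checksums, and the same check would wrap the two `.proto` downloads.

```shell
#!/bin/sh
# Added example (not the sonic-buildimage project's code): install a downloaded
# artifact only after its SHA-256 matches a digest recorded in the build.
set -eu

# sha256_of FILE: print the hex digest (coreutils sha256sum, or shasum on BSD/macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# install_verified TARBALL EXPECTED_SHA256 MEMBER DEST
# Extracts MEMBER from the gzip tarball and installs it at DEST with mode 0755,
# but only after the tarball's digest equals EXPECTED_SHA256. On a mismatch
# nothing is extracted or installed and the function returns 1, which aborts
# a `set -e` RUN chain instead of shipping an unverified binary.
install_verified() {
    tarball=$1
    expected=$2
    member=$3
    dest=$4

    actual=$(sha256_of "$tarball")
    if [ "$actual" != "$expected" ]; then
        echo "refusing to install $tarball: expected sha256 $expected, got $actual" >&2
        return 1
    fi

    workdir=$(mktemp -d)
    tar -xzf "$tarball" -C "$workdir" "$member"
    install -m 0755 "$workdir/$member" "$dest"
    rm -rf "$workdir"
}

# --- Demo with a constructed tarball standing in for the grpcurl release ---
demo=$(mktemp -d)
printf '#!/bin/sh\necho "stand-in for grpcurl"\n' > "$demo/grpcurl"
tar -czf "$demo/grpcurl.tar.gz" -C "$demo" grpcurl

# In a Dockerfile this digest is a constant next to GRPCURL_VERSION, copied from
# the release's published checksums; it is computed here only to build the demo.
GRPCURL_SHA256=$(sha256_of "$demo/grpcurl.tar.gz")

install_verified "$demo/grpcurl.tar.gz" "$GRPCURL_SHA256" grpcurl "$demo/bin-grpcurl"
"$demo/bin-grpcurl"

# A tampered archive (one appended byte) no longer matches and is rejected.
cp "$demo/grpcurl.tar.gz" "$demo/tampered.tar.gz"
printf 'x' >> "$demo/tampered.tar.gz"
if install_verified "$demo/tampered.tar.gz" "$GRPCURL_SHA256" grpcurl "$demo/bin-tampered" 2>/dev/null; then
    echo "BUG: tampered archive was installed" >&2
    exit 1
fi
rm -rf "$demo"
```

Inside a `RUN` chain the function body reads the same: compute the digest of the fetched file, compare it with the recorded constant, and only then `tar` and `install`. Because the comparison happens before extraction, a tampered archive never touches `/usr/local/bin`, and a digest mismatch fails the layer rather than being logged and ignored.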
/azpw run
/AzurePipelines run
Azure Pipelines successfully started running 1 pipeline(s).
Signed-off-by: Austin Pham <austinpham@microsoft.com>
Force-pushed cb6b282 to 8299cef.
/azp run Azure.sonic-buildimage
Azure Pipelines successfully started running 1 pipeline(s).
Why I did it
After #25876, there are still some leftover vulnerabilities. The majority are gnoic and the Go library. Some new ones were introduced by the upgrade of protobuf==6.31.1. This PR will try to address them.
Signed-off-by: Austin Pham <austinpham@microsoft.com>
Why I did it
Due to the recent s360 vulnerability reports, this PR is needed to address the problems. We have vulnerabilities in the following image:
How I did it
Apply the recommended versions from the security report.