Consider adding docker security scanner?

[fzipi]

We may want to add an action for docker security scanning:

https://github.com/phonito/phonito-scanner-action

[franbuehler]

I tried this in my fork and it works. We have vulnerabilities in our images though:

modsecurity-crs-docker
https://github.com/franbuehler/modsecurity-crs-docker/runs/1047826260?check_suite_focus=true:

Scan with Phonito Security
15s
##[error]Docker image contains vulnerabilities
Found vulnerabilities as of: Sun Aug 30 2020 14:26:14 GMT+0000 (Coordinated Universal Time)
┌──────────────────┬─────────┬──────────┬───────────────────┐
│ CVE ID           │ Product │ Severity │ Installed Version │
├──────────────────┼─────────┼──────────┼───────────────────┤
│ CVE-2019-1387    │ git     │ HIGH     │ 1:2.20.1          │
├──────────────────┼─────────┼──────────┼───────────────────┤
│ CVE-2019-1348    │ git     │ LOW      │ 1:2.20.1          │
├──────────────────┼─────────┼──────────┼───────────────────┤
│ CVE-2019-1353    │ git     │ CRITICAL │ 1:2.20.1          │
├──────────────────┼─────────┼──────────┼───────────────────┤
│ CVE-2020-5260    │ git     │ HIGH     │ 1:2.20.1          │
├──────────────────┼─────────┼──────────┼───────────────────┤
│ CVE-2019-1551    │ openssl │ MEDIUM   │ 1.1.1d            │
├──────────────────┼─────────┼──────────┼───────────────────┤
│ CVE-2018-1000156 │ patch   │ HIGH     │ 2.7.6             │
├──────────────────┼─────────┼──────────┼───────────────────┤
│ CVE-2018-20969   │ patch   │ HIGH     │ 2.7.6             │
├──────────────────┼─────────┼──────────┼───────────────────┤
│ CVE-2018-6951    │ patch   │ HIGH     │ 2.7.6             │
├──────────────────┼─────────┼──────────┼───────────────────┤
│ CVE-2018-6952    │ patch   │ HIGH     │ 2.7.6             │
├──────────────────┼─────────┼──────────┼───────────────────┤
│ CVE-2019-20633   │ patch   │ MEDIUM   │ 2.7.6             │
└──────────────────┴─────────┴──────────┴───────────────────┘

10 vulnerabilities present owasp/modsecurity-crs:3.3-apache.
View scan details: https://phonito.io/vulnerabilities/b3dhc3AvbW9kc2VjdXJpdHktY3JzOjMuMy1hcGFjaGU=
##[error]Docker image contains vulnerabilities

I think a rebuild and push of the underlying owasp/modsecurity-docker image would already help, we have fewer vulnerabilities there:

modsecurity-docker
https://github.com/franbuehler/modsecurity-docker/runs/1047876721?check_suite_focus=true

 Scan with Phonito Security
14s
[PHONITO] Succesfully scanned image.
Run phonito/phonito-scanner-action@master
wget https://phonito-public-artifacts.azureedge.net/scanner/phonito-scanner -O /tmp/phonito-scanner --quiet
chmod +x /tmp/phonito-scanner
/tmp/phonito-scanner -i owasp/modsecurity:v2-apache --fail-level HIGH
Phonito Security scan complete!
Found vulnerabilities as of: Sun Aug 30 2020 14:58:57 GMT+0000 (Coordinated Universal Time)
┌───────────────┬─────────┬──────────┬───────────────────┐
│ CVE ID        │ Product │ Severity │ Installed Version │
├───────────────┼─────────┼──────────┼───────────────────┤
│ CVE-2019-1551 │ openssl │ MEDIUM   │ 1.1.1d            │
└───────────────┴─────────┴──────────┴───────────────────┘

1 vulnerabilities present owasp/modsecurity:v2-apache.
View scan details: https://phonito.io/vulnerabilities/b3dhc3AvbW9kc2VjdXJpdHk6djItYXBhY2hl
[PHONITO] Succesfully scanned image.

Questions:
Do we want to add a schedule to the "build and push" workflows:

• https://github.com/coreruleset/modsecurity-docker/blob/master/.github/workflows/dockerimage.yml (modsecurity-docker)
• https://github.com/coreruleset/modsecurity-crs-docker/blob/master/.github/workflows/buildimage.yml (modsecurity-crs-docker)
  Like once a week so that we always have new images with no vulnerabilites?

And do we want to extend the build and push with this security scan?

[bittner]

Adding a scheduled scan makes certainly sense. We should then only trigger rebuilding the image when necessary, e.g. when vulnerabilities were found.

[fzipi]

This looks cool @franbuehler ! I think @bittner has a point in just creating a new one only when something is found. Do you need additional help with setting it up?

[bittner]

Whatever you can do that brings us forward is super-welcome!

We, at @vshn, would still need to invest time to verify the 4 main images (owasp/modsecurity:apache, owasp/modsecurity-crs:apache, and owasp/modsecurity:nginx, owasp/modsecurity-crs:nginx) in Production. We still maintain derivatives of our own image based on CRS 3.1, which is somewhat the "mother" of the changes we applied to the current images. I see some work ahead to align the last bits we might have overlooked when taking over our current features.

[franbuehler]

Thank you @fzipi and @bittner
Ok, I'll try to implement this (when I find some time).

And yes, then we should investigate which changes are still missing in our official images and what else needs to be done.

[bittner]

Relates to coreruleset/modsecurity-docker#43.

[MitchellCash]

Relates to coreruleset/modsecurity-docker#43.

I also just ran a trivy scan against owasp/modsecurity-crs:v3.3.2-nginx and it returned:

owasp/modsecurity-crs:v3.3.2-nginx (debian 10.10)
=================================================
Total: 323 (UNKNOWN: 0, LOW: 215, MEDIUM: 45, HIGH: 55, CRITICAL: 8)

Now that modsecurity-docker has moved to Alpine it would be nice to see modsecurity-crs-docker also move from Debian to Alpine.

NGINX maintain both Debian and Alpine images, so hopefully this is not a large increase in maintenance burden as we can still rely on default upstream images.

[fzipi]

@MitchellCash Can you run it again now that we have alpine images? We still need to run this in a pipeline.

[MitchellCash]

@fzipi Alpine based image looks good to me on the initial trivy scan (also the image is almost half the size)! Nice work!

Debian based image

owasp/modsecurity-crs:3.3.2-nginx (debian 11.1)
===============================================
Total: 232 (UNKNOWN: 0, LOW: 156, MEDIUM: 43, HIGH: 24, CRITICAL: 9)

Alpine based image 🥳

owasp/modsecurity-crs:3.3.2-nginx-alpine (alpine 3.14.3)
========================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

[fzipi]

Good, this matches my own tests. I don't think we can do too much in the debian image (I've checked a couple criticals, and they are still there :/ ).