chore: fix security vulns #271

Merged
merged 8 commits into from
Jan 30, 2025

Conversation

@0xawaz (Collaborator) commented Jan 24, 2025

No description provided.

@aquint-zama aquint-zama left a comment


lgtm (you could use shellcheck when adding shell to check for issues; here some double quotes are asked for, but it seems gtg)


@chilcano chilcano left a comment


I've scanned the fhevm-backend repo and it has 22 vulns reported by Trivy.

  • 15 vulns in the code base (rust, golang, etc.)
  • 7 misconfigs across all Dockerfiles
    • 3 misconfigs are about the non-root user -> I added them to the Trivy ignore file until 2025-03-01, by which they should be fixed.
    • 4 misconfigs are about HEALTHCHECK -> I added them to the Trivy ignore file.

I've scanned the zama-ai/fhevm-db-migration:latest docker image and Trivy found over 3000 vulns. As with the fhevm-backend repo, I created its corresponding trivyignorefile.img.fhevm-db-migration.yaml and added all vuln IDs with a LOW score, and other misconfigs; now Trivy detects 2839 vulns.

You can update both trivy ignore files:

My recommendation is to reduce as much as possible the vulns found in the docker image, because it has too many.
The good news is that many of them come from linux packages installed in the docker base image. If you replace that, then you will get fewer vulns.

@0xawaz 0xawaz changed the title chore: fix env vars in initialize script chore: fix security vulns Jan 30, 2025
@0xawaz (Collaborator, Author) commented Jan 30, 2025

My recommendation is to reduce as much as possible the vulns found in the docker image, because it has too many.
The good news is that many of them come from linux packages installed in the docker base image. If you replace that, then you will get fewer vulns.

@chilcano I upgraded Rust from 1.74 to 1.83.0-slim, which has only low-severity vulns according to Docker Scout.
I also scanned it with Trivy; it still shows some high vulns, some of which are false positives, like the private keys, which are installed by cargo and set as format examples in some cases.
The non-root user is also fixed; I suggest going with this version at this stage.
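An added example, not code from the PR or the fhevm-backend repo, to make the two Dockerfile misconfiguration classes chilcano listed (non-root user, HEALTHCHECK) and the shape of the fix 0xawaz describes concrete. Two constructed Dockerfiles bracket the change (rust:1.74 before, rust:1.83.0-slim with an unprivileged USER and a HEALTHCHECK after), and a small POSIX sh `check_dockerfile` function stands in for those two Trivy checks. The Dockerfile contents, the `app` user and the `--check` flag are assumptions for illustration; the checker is a simplification of the rule, not Trivy itself.

```shell
#!/usr/bin/env sh
# Added example; not code from the PR or the fhevm-backend repo.
# Two constructed Dockerfiles bracket the change discussed in the thread, and
# check_dockerfile() is a small stand-in for the two Trivy Dockerfile
# misconfiguration checks chilcano listed (non-root user, HEALTHCHECK).

# Constructed "before": full rust:1.74 image, runs as root, no HEALTHCHECK.
BEFORE_DOCKERFILE='FROM rust:1.74
WORKDIR /app
COPY . .
RUN cargo build --release
CMD ["./target/release/db-migration"]'

# Constructed "after": slim base (fewer OS packages, so fewer inherited CVEs),
# a dedicated unprivileged user switched to *after* the build steps that need
# root, and a HEALTHCHECK. The "app" user and the "--check" flag are assumptions.
AFTER_DOCKERFILE='FROM rust:1.83.0-slim
WORKDIR /app
COPY . .
RUN cargo build --release \
 && groupadd --system app \
 && useradd --system --gid app --no-create-home app
USER app
HEALTHCHECK --interval=30s --timeout=3s CMD ["./target/release/db-migration", "--check"]
CMD ["./target/release/db-migration"]'

# Read a Dockerfile on stdin, print one finding per line, and return the number
# of findings (0 = clean). Simplified: multi-stage builds are not modelled.
check_dockerfile() {
  content=$(cat)
  findings=0

  # The last USER instruction is the one the container runs as. Absent, "root"
  # or uid 0 (optionally with a group) all mean the process runs as root.
  last_user=$(printf '%s\n' "$content" | awk 'toupper($1) == "USER" {u = $2} END {print u}')
  case "$last_user" in
    ''|root|0|root:*|0:*)
      echo "non-root-user: container runs as root (last USER: '${last_user:-<none>}')"
      findings=$((findings + 1)) ;;
  esac

  # HEALTHCHECK must be present; "HEALTHCHECK NONE" explicitly disables it and
  # is treated as missing here.
  if ! printf '%s\n' "$content" |
       awk 'toupper($1) == "HEALTHCHECK" && toupper($2) != "NONE" {found = 1} END {exit !found}'; then
    echo "healthcheck: no HEALTHCHECK instruction"
    findings=$((findings + 1))
  fi
  return "$findings"
}

# Stand-alone demo: run the checker over both constructed Dockerfiles.
for label in before after; do
  if [ "$label" = before ]; then df=$BEFORE_DOCKERFILE; else df=$AFTER_DOCKERFILE; fi
  echo "== $label =="
  printf '%s\n' "$df" | check_dockerfile && echo clean || echo "$? finding(s)"
done
```

The order of instructions matters for the USER fix: package installs and the cargo build still need root, so `USER app` goes after them and before the `CMD`. A later `USER root` would silently undo the fix, which is why the check looks at the last USER rather than the presence of one.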

@0xawaz (Collaborator, Author) commented Jan 30, 2025

lgtm (you could use shellcheck when adding shell to check for issues; here some double quotes are asked for, but it seems gtg)

@aquint-zama shellcheck issues are fixed now
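The double quotes aquint-zama asked for, as an added example that is not the PR's initialize script: it shows the bug class behind shellcheck's SC2086 ("Double quote to prevent globbing and word splitting") using constructed database variables and a `fake_migrate` stand-in for the real migration tool. All variable and function names are hypothetical.

```shell
#!/usr/bin/env sh
# Added example; not the PR's initialize script. It shows the bug class behind
# shellcheck's SC2086 ("Double quote to prevent globbing and word splitting")
# with constructed database variables. Every name here is a hypothetical
# stand-in for whatever the real script reads from its environment.

# Constructed environment, as a compose file or CI secret store might supply it.
DB_HOST='db.internal'
DB_NAME='fhevm'
DB_PASSWORD='correct horse battery'   # whitespace is legal in a password

# Stand-in for the migration tool: report how many arguments it received and
# the last one, so the effect of (un)quoting is visible without a database.
fake_migrate() {
  last=
  for arg; do last=$arg; done
  printf '%s|%s\n' "$#" "$last"
}

# Unquoted (what shellcheck flagged): the shell splits the password into three
# words, the tool sees six arguments, and the password it uses is "battery".
# A '*' or '?' in the value would additionally be expanded against the cwd.
migrate_unquoted() { fake_migrate --host $DB_HOST --password $DB_PASSWORD; }

# Quoted: four arguments, password intact.
migrate_quoted() { fake_migrate --host "$DB_HOST" --password "$DB_PASSWORD"; }

# The other half of the hazard: an unset or empty variable, unquoted, vanishes
# entirely, so "--name" is parsed as the port value and the tool gets 3 arguments.
port_unquoted() {
  port=
  fake_migrate --port $port --name "$DB_NAME"
}

# Quoted with a default, the argument is always present and sane.
port_quoted() {
  port=
  fake_migrate --port "${port:-5432}" --name "$DB_NAME"
}

printf 'unquoted: %s\nquoted:   %s\n' "$(migrate_unquoted)" "$(migrate_quoted)"
printf 'empty unquoted: %s\nempty quoted:   %s\n' "$(port_unquoted)" "$(port_quoted)"
```

Running `shellcheck` over the file flags the two unquoted expansions and is silent on the quoted ones, which is the check worth wiring into CI for any script that assembles a connection string or command line from environment variables.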


@chilcano chilcano left a comment


Changes are good.

@0xawaz 0xawaz merged commit ca9abe5 into main Jan 30, 2025
3 checks passed
@0xawaz 0xawaz deleted the add-params-db-migration branch January 30, 2025 11:42

3 participants