Snyk vulnerabilities for OctopusDeploy 2023.2.12513 container

I’ve been working over the last while to get Octopus server (running on Windows) in our PCI environment migrated to the latest linux container version 2023.2.12513. This will come to completion this week when we move off a hotfix version on to the main release train. (Older tickets document this journey).

As part of PCI, we are required to have vulnerability scans of all software we run in PCI, and to facilitate this we have a simple AWS CodeBuild that builds the following Dockerfile and pushes into our private ECR that we then scan with Snyk Container:

# syntax=docker/dockerfile:1.4
FROM octopusdeploy/octopusdeploy:2023.2.12513

RUN apt update && apt upgrade -y

Scans of this image have a number of critical, high and medium issues. I’ve attached an export of this report which has CVE details. I’ve reviewed advisories.octopus.com for these CVEs but cannot find them listed.

Would someone be able to review the list and indicate if these CVEs will be addressed or if they are even relevant to OctopusServer? I can use this information to document Compensating Controls that will keep our PCI auditor happy.

Sincerely
Pete

Hi Pete,

Thanks for reaching out. We base our images on the latest mcr.microsoft.com/dotnet/runtime-deps:6.0 docker container as part of our build process. This should be up-to-date with security patches from the upstream base layers. As such, we typically don’t do additional updates on those containers.

Looking at the list provided:

  • Samba: Octopus does not use samba in its normal operation.
  • Curl: We do use curl as part of our image creation (to install docker etc.), but this should be the most recent version available in apt - you can see the command in the layer details here: Docker
  • Docker: We pull down the latest stable docker as part of our container creation. Octopus can use this to run execution containers on the server itself. This functionality can be toggled with the DISABLE_DIND env var. You can find more information on this in our blog here: Introducing the Octopus Server Linux Docker image - Octopus Deploy

I’ll dig into this some more on my end as well, and see if there are additional updates we can perform to try and resolve these red flags.

Hi Justin!
Thanks for picking up this ticket - I realize it’s tedious to review all of these…

Re DISABLE_DIND - I actually had this env set for our custom tentacle image, I’m an idiot for not spotting that it was also relevant to OctoServer. I will set this to Y in our custom build. As the feature would be disabled, am I correct that this mitigates all the vulnerabilities related to containerd and docker-buildx? If so, I can get snyk to permanently ignore the related vulnerabilities.

Re Samba - thanks for the confirmation: I will get snyk to permanently ignore the related vulnerabilities.

The remaining 1 critical, 2 high and 1 medium all relate to curl/libcurl4, which seems to have been pulled in by python3-pycurl 7.43. All of the risks are “Cleartext Transmission of Sensitive Information”.

I’m guessing that curl itself is not used by octopus during normal operation, and I’m also guessing that python3-pycurl is also not used?

Pete
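As an added illustration (not code from Pete, Justin or Octopus Deploy), here is a small Python triage script that applies the accepted-risk decisions reached in this thread to a Snyk JSON report: Samba findings are accepted because Octopus does not use Samba, Docker/containerd findings are accepted only when the image actually sets DISABLE_DIND=Y, and everything else (here the curl/libcurl4 items) stays open for review. The report below is a constructed sample; the field names follow the shape of `snyk container test --json` output as I understand it and are an assumption.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of `snyk container test --json` output.
# Field names are assumed from the Snyk CLI; only the keys used below are included.
SAMPLE_REPORT = json.dumps({
    "vulnerabilities": [
        {"id": "SNYK-EXAMPLE-SAMBA-1", "packageName": "samba-libs", "severity": "high",
         "title": "Example finding"},
        {"id": "SNYK-EXAMPLE-CONTAINERD-1", "packageName": "containerd.io",
         "severity": "critical", "title": "Example finding"},
        {"id": "SNYK-EXAMPLE-BUILDX-1", "packageName": "docker-buildx-plugin",
         "severity": "medium", "title": "Example finding"},
        {"id": "SNYK-EXAMPLE-CURL-1", "packageName": "libcurl4", "severity": "critical",
         "title": "Cleartext Transmission of Sensitive Information"},
        {"id": "SNYK-EXAMPLE-CURL-2", "packageName": "curl", "severity": "high",
         "title": "Cleartext Transmission of Sensitive Information"},
    ]
})

# Accepted-risk rules from the thread: package-name prefix -> compensating control.
# Docker/containerd findings are only accepted when DISABLE_DIND is set in the image.
ACCEPTED = {
    "samba": "Samba is not used by Octopus Server in normal operation",
    "containerd": "Docker-in-Docker disabled via DISABLE_DIND=Y",
    "docker": "Docker-in-Docker disabled via DISABLE_DIND=Y",
}

def triage(report_json: str, image_env: dict) -> dict:
    """Split findings into accepted (with the documented control) and still-open ones."""
    dind_disabled = image_env.get("DISABLE_DIND", "").upper() == "Y"
    result = {"accepted": [], "open": defaultdict(list)}
    for vuln in json.loads(report_json)["vulnerabilities"]:
        pkg = vuln["packageName"]
        control = next((c for p, c in ACCEPTED.items() if pkg.startswith(p)), None)
        # A DISABLE_DIND-based control only applies if the image really sets the variable.
        if control and ("DISABLE_DIND" not in control or dind_disabled):
            result["accepted"].append((vuln["id"], control))
        else:
            result["open"][pkg].append((vuln["severity"], vuln["id"]))
    result["open"] = dict(result["open"])
    return result

if __name__ == "__main__":
    # Without DISABLE_DIND the docker/containerd findings stay open; with it they are accepted.
    for env in ({}, {"DISABLE_DIND": "Y"}):
        out = triage(SAMPLE_REPORT, env)
        print(env, "accepted:", len(out["accepted"]), "open packages:", sorted(out["open"]))
```

The `open` list is what still needs a decision (here curl/libcurl4), and the `accepted` list doubles as the compensating-controls record for the auditor.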
