diff --git a/labs/lab7/analysis/deployment-comparison.txt b/labs/lab7/analysis/deployment-comparison.txt new file mode 100644 index 00000000..8cf24906 --- /dev/null +++ b/labs/lab7/analysis/deployment-comparison.txt @@ -0,0 +1,36 @@ +=== Functionality Test === +Default: HTTP 200 +Hardened: HTTP 200 +Production: HTTP 200 + +=== Resource Usage === +NAME CPU % MEM USAGE / LIMIT MEM % +juice-default 2.21% 173.2MiB / 3.827GiB 4.42% +juice-hardened 0.53% 109.7MiB / 512MiB 21.42% +juice-production 0.45% 98.17MiB / 512MiB 19.17% + +=== Security Configurations === + +Container: juice-default +CapDrop: +SecurityOpt: +Memory: 3.827GiB +CPU: 2.21% +PIDs: +Restart: no + +Container: juice-hardened +CapDrop: [ALL] +SecurityOpt: [no-new-privileges] +Memory: 512MiB +CPU: 0.53% +PIDs: +Restart: no + +Container: juice-production +CapDrop: [ALL] +SecurityOpt: [no-new-privileges seccomp=default] +Memory: 512MiB +CPU: 0.45% +PIDs: 100 +Restart: on-failure diff --git a/labs/lab7/hardening/docker-bench-results.txt b/labs/lab7/hardening/docker-bench-results.txt new file mode 100644 index 00000000..9988af21 --- /dev/null +++ b/labs/lab7/hardening/docker-bench-results.txt 
@@ -0,0 +1,165 @@ +# ------------------------------------------------------------------------------ +# Docker Bench for Security v1.3.4 +# +# Docker, Inc. (c) 2015- +# +# Checks for dozens of common best-practices around deploying Docker containers in production. +# Inspired by the CIS Docker Community Edition Benchmark v1.1.0. +# ------------------------------------------------------------------------------ + +Initializing Sun Oct 12 15:03:42 UTC 2025 + + +[INFO] 1 - Host Configuration +[WARN] 1.1 - Ensure a separate partition for containers has been created +[NOTE] 1.2 - Ensure the container host has been Hardened +[PASS] 1.3 - Ensure Docker is up to date +[INFO] * Using 27.4.0 which is current +[INFO] * Check with your operating system vendor for support and security maintenance for Docker +[INFO] 1.4 - Ensure only trusted users are allowed to control Docker daemon +[INFO] * docker:x:101 +[WARN] 1.5 - Ensure auditing is configured for the Docker daemon +[INFO] 1.6 - Ensure auditing is configured for Docker files and directories - /var/lib/docker +[INFO] * Directory not found +[INFO] 1.7 - Ensure auditing is configured for Docker files and directories - /etc/docker +[INFO] * Directory not found +[INFO] 1.8 - Ensure auditing is configured for Docker files and directories - docker.service +[INFO] * File not found +[INFO] 1.9 - Ensure auditing is configured for Docker files and directories - docker.socket +[INFO] * File not found +[INFO] 1.10 - Ensure auditing is configured for Docker files and directories - /etc/default/docker +[INFO] * File not found +[INFO] 1.11 - Ensure auditing is configured for Docker files and directories - /etc/docker/daemon.json +[INFO] * File not found +[INFO] 1.12 - Ensure auditing is configured for Docker files and directories - /usr/bin/docker-containerd +[INFO] * File not found +[INFO] 1.13 - Ensure auditing is configured for Docker files and directories - /usr/bin/docker-runc +[INFO] * File not found + + +[INFO] 2 - Docker daemon 
configuration +[WARN] 2.1 - Ensure network traffic is restricted between containers on the default bridge +[PASS] 2.2 - Ensure the logging level is set to 'info' +[PASS] 2.3 - Ensure Docker is allowed to make changes to iptables +[PASS] 2.4 - Ensure insecure registries are not used +[PASS] 2.5 - Ensure aufs storage driver is not used +[WARN] 2.6 - Ensure TLS authentication for Docker daemon is configured +[WARN] * Docker daemon currently listening on TCP without TLS +[INFO] 2.7 - Ensure the default ulimit is configured appropriately +[INFO] * Default ulimit doesn't appear to be set +[WARN] 2.8 - Enable user namespace support +[PASS] 2.9 - Ensure the default cgroup usage has been confirmed +[PASS] 2.10 - Ensure base device size is not changed until needed +[WARN] 2.11 - Ensure that authorization for Docker client commands is enabled +[WARN] 2.12 - Ensure centralized and remote logging is configured +[INFO] 2.13 - Ensure operations on legacy registry (v1) are Disabled (Deprecated) +[WARN] 2.14 - Ensure live restore is Enabled +[WARN] 2.15 - Ensure Userland Proxy is Disabled +[INFO] 2.16 - Ensure daemon-wide custom seccomp profile is applied, if needed +[PASS] 2.17 - Ensure experimental features are avoided in production +[WARN] 2.18 - Ensure containers are restricted from acquiring new privileges + + +[INFO] 3 - Docker daemon configuration files +[INFO] 3.1 - Ensure that docker.service file ownership is set to root:root +[INFO] * File not found +[INFO] 3.2 - Ensure that docker.service file permissions are set to 644 or more restrictive +[INFO] * File not found +[INFO] 3.3 - Ensure that docker.socket file ownership is set to root:root +[INFO] * File not found +[INFO] 3.4 - Ensure that docker.socket file permissions are set to 644 or more restrictive +[INFO] * File not found +[INFO] 3.5 - Ensure that /etc/docker directory ownership is set to root:root +[INFO] * Directory not found +[INFO] 3.6 - Ensure that /etc/docker directory permissions are set to 755 or more 
restrictive +[INFO] * Directory not found +[INFO] 3.7 - Ensure that registry certificate file ownership is set to root:root +[INFO] * Directory not found +[INFO] 3.8 - Ensure that registry certificate file permissions are set to 444 or more restrictive +[INFO] * Directory not found +[INFO] 3.9 - Ensure that TLS CA certificate file ownership is set to root:root +[INFO] * No TLS CA certificate found +[INFO] 3.10 - Ensure that TLS CA certificate file permissions are set to 444 or more restrictive +[INFO] * No TLS CA certificate found +[INFO] 3.11 - Ensure that Docker server certificate file ownership is set to root:root +[INFO] * No TLS Server certificate found +[INFO] 3.12 - Ensure that Docker server certificate file permissions are set to 444 or more restrictive +[INFO] * No TLS Server certificate found +[INFO] 3.13 - Ensure that Docker server certificate key file ownership is set to root:root +[INFO] * No TLS Key found +[INFO] 3.14 - Ensure that Docker server certificate key file permissions are set to 400 +[INFO] * No TLS Key found +[WARN] 3.15 - Ensure that Docker socket file ownership is set to root:docker +[WARN] * Wrong ownership for /var/run/docker.sock +[PASS] 3.16 - Ensure that Docker socket file permissions are set to 660 or more restrictive +[INFO] 3.17 - Ensure that daemon.json file ownership is set to root:root +[INFO] * File not found +[INFO] 3.18 - Ensure that daemon.json file permissions are set to 644 or more restrictive +[INFO] * File not found +[INFO] 3.19 - Ensure that /etc/default/docker file ownership is set to root:root +[INFO] * File not found +[INFO] 3.20 - Ensure that /etc/default/docker file permissions are set to 644 or more restrictive +[INFO] * File not found + + +[INFO] 4 - Container Images and Build File +[INFO] 4.1 - Ensure a user for the container has been created +[INFO] * No containers running +[NOTE] 4.2 - Ensure that containers use trusted base images +[NOTE] 4.3 - Ensure unnecessary packages are not installed in the container 
+[NOTE] 4.4 - Ensure images are scanned and rebuilt to include security patches +[WARN] 4.5 - Ensure Content trust for Docker is Enabled +[WARN] 4.6 - Ensure HEALTHCHECK instructions have been added to the container image +[WARN] * No Healthcheck found: [snyk/snyk:docker] +[WARN] * No Healthcheck found: [bridgecrew/checkov:latest] +[WARN] * No Healthcheck found: [checkmarx/kics:latest] +[WARN] * No Healthcheck found: [bkimminich/juice-shop:v19.0.0] +[WARN] * No Healthcheck found: [sh3b0/renderer:v2] +[WARN] * No Healthcheck found: [nginx:alpine] +[WARN] * No Healthcheck found: [aquasec/tfsec:latest] +[WARN] * No Healthcheck found: [goodwithtech/dockle:latest] +[WARN] * No Healthcheck found: [tenable/terrascan:latest] +[INFO] 4.7 - Ensure update instructions are not use alone in the Dockerfile +[INFO] * Update instruction found: [snyk/snyk:docker] +[INFO] * Update instruction found: [bridgecrew/checkov:latest] +[INFO] * Update instruction found: [checkmarx/kics:latest] +[INFO] * Update instruction found: [sh3b0/renderer:v2] +[INFO] * Update instruction found: [sh3b0/terminal:v2] +[NOTE] 4.8 - Ensure setuid and setgid permissions are removed in the images +[INFO] 4.9 - Ensure COPY is used instead of ADD in Dockerfile +[INFO] * ADD in image history: [snyk/snyk:docker] +[INFO] * ADD in image history: [sh3b0/terminal:v2] +[INFO] * ADD in image history: [nginx:alpine] +[INFO] * ADD in image history: [aquasec/tfsec:latest] +[INFO] * ADD in image history: [goodwithtech/dockle:latest] +[INFO] * ADD in image history: [docker/docker-bench-security:latest] +[NOTE] 4.10 - Ensure secrets are not stored in Dockerfiles +[NOTE] 4.11 - Ensure verified packages are only Installed + + +[INFO] 5 - Container Runtime +[INFO] * No containers running, skipping Section 5 + + +[INFO] 6 - Docker Security Operations +[INFO] 6.1 - Avoid image sprawl +[INFO] * There are currently: 11 images +[INFO] * Only 1 out of 11 are in use +[INFO] 6.2 - Avoid container sprawl +[INFO] * There are currently a 
total of 1 containers, with 1 of them currently running + + +[INFO] 7 - Docker Swarm Configuration +[PASS] 7.1 - Ensure swarm mode is not Enabled, if not needed +[PASS] 7.2 - Ensure the minimum number of manager nodes have been created in a swarm (Swarm mode not enabled) +[PASS] 7.3 - Ensure swarm services are binded to a specific host interface (Swarm mode not enabled) +[PASS] 7.4 - Ensure data exchanged between containers are encrypted on different nodes on the overlay network +[PASS] 7.5 - Ensure Docker's secret management commands are used for managing secrets in a Swarm cluster (Swarm mode not enabled) +[PASS] 7.6 - Ensure swarm manager is run in auto-lock mode (Swarm mode not enabled) +[PASS] 7.7 - Ensure swarm manager auto-lock key is rotated periodically (Swarm mode not enabled) +[PASS] 7.8 - Ensure node certificates are rotated as appropriate (Swarm mode not enabled) +[PASS] 7.9 - Ensure CA certificates are rotated as appropriate (Swarm mode not enabled) +[PASS] 7.10 - Ensure management plane traffic has been separated from data plane traffic (Swarm mode not enabled) + +[INFO] Checks: 74 +[INFO] Score: 5 \ No newline at end of file diff --git a/labs/lab7/scanning/dockle-results.txt b/labs/lab7/scanning/dockle-results.txt new file mode 100644 index 00000000..80686194 --- /dev/null +++ b/labs/lab7/scanning/dockle-results.txt @@ -0,0 +1,9 @@ +SKIP - DKL-LI-0001: Avoid empty password + * failed to detect etc/shadow,etc/master.passwd +INFO - CIS-DI-0005: Enable Content trust for Docker + * export DOCKER_CONTENT_TRUST=1 before docker pull/build +INFO - CIS-DI-0006: Add HEALTHCHECK instruction to the container image + * not found HEALTHCHECK statement +INFO - DKL-LI-0003: Only put necessary files + * unnecessary file : juice-shop/node_modules/micromatch/lib/.DS_Store + * unnecessary file : juice-shop/node_modules/extglob/lib/.DS_Store diff --git a/labs/lab7/scanning/scout-cves.txt b/labs/lab7/scanning/scout-cves.txt new file mode 100644 index 00000000..8646ce94 
--- /dev/null +++ b/labs/lab7/scanning/scout-cves.txt 
@@ -0,0 +1,542 @@ + + +## Overview + + │ Analyzed Image +────────────────────┼─────────────────────────────────────────── + Target │ bkimminich/juice-shop:v19.0.0 + digest │ 2a95df217ff8 + platform │ linux/arm64 + provenance │ https://github.com/juice-shop/juice-shop + │ https://github.com/juice-shop/juice-shop/blob/36870cb + vulnerabilities │ 9C 20H 23M 1L 7? + size │ 170 MB + packages │ 1004 + + +## Packages and Vulnerabilities + + 3C 0H 1M 0L vm2 3.9.17 +pkg:npm/vm2@3.9.17 + + ✗ CRITICAL CVE-2023-37903 [Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')] + https://scout.docker.com/v/CVE-2023-37903?s=github&n=vm2&t=npm&vr=%3C%3D3.9.19 + Affected range : <=3.9.19 + Fixed version : not fixed + CVSS Score : 9.8 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + + ✗ CRITICAL CVE-2023-37466 [Improper Control of Generation of Code ('Code Injection')] + https://scout.docker.com/v/CVE-2023-37466?s=github&n=vm2&t=npm&vr=%3C%3D3.9.19 + Affected range : <=3.9.19 + Fixed version : not fixed + CVSS Score : 9.8 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + + ✗ CRITICAL CVE-2023-32314 [Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')] + https://scout.docker.com/v/CVE-2023-32314?s=github&n=vm2&t=npm&vr=%3C3.9.18 + Affected range : <3.9.18 + Fixed version : 3.9.18 + CVSS Score : 9.8 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + + ✗ MEDIUM CVE-2023-32313 [Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')] + https://scout.docker.com/v/CVE-2023-32313?s=github&n=vm2&t=npm&vr=%3C3.9.18 + Affected range : <3.9.18 + Fixed version : 3.9.18 + CVSS Score : 5.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N + + + 1C 3H 1M 0L 1? 
lodash 2.4.2 +pkg:npm/lodash@2.4.2 + + ✗ CRITICAL CVE-2019-10744 [Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')] + https://scout.docker.com/v/CVE-2019-10744?s=github&n=lodash&t=npm&vr=%3C4.17.12 + Affected range : <4.17.12 + Fixed version : 4.17.12 + CVSS Score : 9.1 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H + + ✗ HIGH CVE-2020-8203 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/CVE-2020-8203?s=gitlab&n=lodash&t=npm&vr=%3C4.17.20 + Affected range : <4.17.20 + Fixed version : 4.17.20 + CVSS Score : 7.4 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H + + ✗ HIGH CVE-2021-23337 [Improper Neutralization of Special Elements used in a Command ('Command Injection')] + https://scout.docker.com/v/CVE-2021-23337?s=github&n=lodash&t=npm&vr=%3C4.17.21 + Affected range : <4.17.21 + Fixed version : 4.17.21 + CVSS Score : 7.2 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H + + ✗ HIGH CVE-2018-16487 [Uncontrolled Resource Consumption] + https://scout.docker.com/v/CVE-2018-16487?s=github&n=lodash&t=npm&vr=%3C4.17.11 + Affected range : <4.17.11 + Fixed version : 4.17.11 + + ✗ MEDIUM CVE-2018-3721 [Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')] + https://scout.docker.com/v/CVE-2018-3721?s=github&n=lodash&t=npm&vr=%3C4.17.5 + Affected range : <4.17.5 + Fixed version : 4.17.5 + CVSS Score : 6.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N + + ✗ UNSPECIFIED GMS-2018-10 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/GMS-2018-10?s=gitlab&n=lodash&t=npm&vr=%3C4.17.5 + Affected range : <4.17.5 + Fixed version : 4.17.5 + + + 1C 1H 2M 0L 1? 
jsonwebtoken 0.1.0 +pkg:npm/jsonwebtoken@0.1.0 + + ✗ CRITICAL CVE-2015-9235 [Improper Input Validation] + https://scout.docker.com/v/CVE-2015-9235?s=github&n=jsonwebtoken&t=npm&vr=%3C4.2.2 + Affected range : <4.2.2 + Fixed version : 4.2.2 + + ✗ HIGH CVE-2022-23539 [Use of a Broken or Risky Cryptographic Algorithm] + https://scout.docker.com/v/CVE-2022-23539?s=github&n=jsonwebtoken&t=npm&vr=%3C%3D8.5.1 + Affected range : <=8.5.1 + Fixed version : 9.0.0 + CVSS Score : 8.1 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N + + ✗ MEDIUM CVE-2022-23540 [Improper Authentication] + https://scout.docker.com/v/CVE-2022-23540?s=github&n=jsonwebtoken&t=npm&vr=%3C9.0.0 + Affected range : <9.0.0 + Fixed version : 9.0.0 + CVSS Score : 6.4 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L + + ✗ MEDIUM CVE-2022-23541 [Improper Restriction of Security Token Assignment] + https://scout.docker.com/v/CVE-2022-23541?s=github&n=jsonwebtoken&t=npm&vr=%3C%3D8.5.1 + Affected range : <=8.5.1 + Fixed version : 9.0.0 + CVSS Score : 5.0 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L + + ✗ UNSPECIFIED GMS-2015-4 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/GMS-2015-4?s=gitlab&n=jsonwebtoken&t=npm&vr=%3C4.2.2 + Affected range : <4.2.2 + Fixed version : 4.2.2 + + + 1C 1H 2M 0L 1? 
jsonwebtoken 0.4.0 +pkg:npm/jsonwebtoken@0.4.0 + + ✗ CRITICAL CVE-2015-9235 [Improper Input Validation] + https://scout.docker.com/v/CVE-2015-9235?s=github&n=jsonwebtoken&t=npm&vr=%3C4.2.2 + Affected range : <4.2.2 + Fixed version : 4.2.2 + + ✗ HIGH CVE-2022-23539 [Use of a Broken or Risky Cryptographic Algorithm] + https://scout.docker.com/v/CVE-2022-23539?s=github&n=jsonwebtoken&t=npm&vr=%3C%3D8.5.1 + Affected range : <=8.5.1 + Fixed version : 9.0.0 + CVSS Score : 8.1 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N + + ✗ MEDIUM CVE-2022-23540 [Improper Authentication] + https://scout.docker.com/v/CVE-2022-23540?s=github&n=jsonwebtoken&t=npm&vr=%3C9.0.0 + Affected range : <9.0.0 + Fixed version : 9.0.0 + CVSS Score : 6.4 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L + + ✗ MEDIUM CVE-2022-23541 [Improper Restriction of Security Token Assignment] + https://scout.docker.com/v/CVE-2022-23541?s=github&n=jsonwebtoken&t=npm&vr=%3C%3D8.5.1 + Affected range : <=8.5.1 + Fixed version : 9.0.0 + CVSS Score : 5.0 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L + + ✗ UNSPECIFIED GMS-2015-4 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/GMS-2015-4?s=gitlab&n=jsonwebtoken&t=npm&vr=%3C4.2.2 + Affected range : <4.2.2 + Fixed version : 4.2.2 + + + 1C 1H 0M 0L crypto-js 3.3.0 +pkg:npm/crypto-js@3.3.0 + + ✗ CRITICAL CVE-2023-46233 [Use of a Broken or Risky Cryptographic Algorithm] + https://scout.docker.com/v/CVE-2023-46233?s=github&n=crypto-js&t=npm&vr=%3C4.2.0 + Affected range : <4.2.0 + Fixed version : 4.2.0 + CVSS Score : 9.1 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N + + ✗ HIGH GMS-2020-4 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/GMS-2020-4?s=gitlab&n=crypto-js&t=npm&vr=%3E%3D3.3.0%2C%3C4.0.0 + Affected range : >=3.3.0 + : <4.0.0 + Fixed version : 3.2.1, 4.0.0 + CVSS Score : 7.5 + CVSS Vector : 
AV:N/AC:L/Au:N/C:P/I:P/A:P + + + 1C 0H 1M 0L minimist 0.2.4 +pkg:npm/minimist@0.2.4 + + ✗ CRITICAL CVE-2021-44906 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/CVE-2021-44906?s=gitlab&n=minimist&t=npm&vr=%3C1.2.6 + Affected range : <1.2.6 + Fixed version : 1.2.6 + CVSS Score : 9.8 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H + + ✗ MEDIUM CVE-2020-7598 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/CVE-2020-7598?s=gitlab&n=minimist&t=npm&vr=%3C1.2.2 + Affected range : <1.2.2 + Fixed version : 1.2.2 + CVSS Score : 5.6 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L + + + 1C 0H 0M 0L marsdb 0.6.11 +pkg:npm/marsdb@0.6.11 + + ✗ CRITICAL GHSA-5mrr-rgp6-x4gr [Improper Neutralization of Special Elements used in a Command ('Command Injection')] + https://scout.docker.com/v/GHSA-5mrr-rgp6-x4gr?s=github&n=marsdb&t=npm&vr=%3E%3D0.0.0 + Affected range : >=0.0.0 + Fixed version : not fixed + + + 0C 2H 1M 0L 1? 
moment 2.0.0 +pkg:npm/moment@2.0.0 + + ✗ HIGH CVE-2022-24785 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2022-24785?s=github&n=moment&t=npm&vr=%3C2.29.2 + Affected range : <2.29.2 + Fixed version : 2.29.2 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N + + ✗ HIGH CVE-2017-18214 [Uncontrolled Resource Consumption] + https://scout.docker.com/v/CVE-2017-18214?s=github&n=moment&t=npm&vr=%3C2.19.3 + Affected range : <2.19.3 + Fixed version : 2.19.3 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + ✗ MEDIUM CVE-2016-4055 [Uncontrolled Resource Consumption] + https://scout.docker.com/v/CVE-2016-4055?s=github&n=moment&t=npm&vr=%3C2.11.2 + Affected range : <2.11.2 + Fixed version : 2.11.2 + CVSS Score : 6.5 + CVSS Vector : CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H + + ✗ UNSPECIFIED GMS-2017-332 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/GMS-2017-332?s=gitlab&n=moment&t=npm&vr=%3C2.19.3 + Affected range : <2.19.3 + Fixed version : 2.19.3 + + + 0C 1H 6M 0L 2? 
sanitize-html 1.4.2 +pkg:npm/sanitize-html@1.4.2 + + ✗ HIGH CVE-2022-25887 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2022-25887?s=github&n=sanitize-html&t=npm&vr=%3C2.7.1 + Affected range : <2.7.1 + Fixed version : 2.7.1 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + ✗ MEDIUM CVE-2019-25225 [Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')] + https://scout.docker.com/v/CVE-2019-25225?s=github&n=sanitize-html&t=npm&vr=%3C2.0.0-beta + Affected range : <2.0.0-beta + Fixed version : 2.0.0-beta + CVSS Score : 6.1 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + + ✗ MEDIUM CVE-2016-1000237 [Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')] + https://scout.docker.com/v/CVE-2016-1000237?s=github&n=sanitize-html&t=npm&vr=%3C1.4.3 + Affected range : <1.4.3 + Fixed version : 1.4.3 + CVSS Score : 6.1 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N + + ✗ MEDIUM CVE-2024-21501 [Exposure of Sensitive Information to an Unauthorized Actor] + https://scout.docker.com/v/CVE-2024-21501?s=github&n=sanitize-html&t=npm&vr=%3C2.12.1 + Affected range : <2.12.1 + Fixed version : 2.12.1 + CVSS Score : 5.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + + ✗ MEDIUM CVE-2021-26540 [Improper Input Validation] + https://scout.docker.com/v/CVE-2021-26540?s=github&n=sanitize-html&t=npm&vr=%3C2.3.2 + Affected range : <2.3.2 + Fixed version : 2.3.2 + CVSS Score : 5.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N + + ✗ MEDIUM CVE-2021-26539 [Improper Input Validation] + https://scout.docker.com/v/CVE-2021-26539?s=github&n=sanitize-html&t=npm&vr=%3C2.3.1 + Affected range : <2.3.1 + Fixed version : 2.3.1 + CVSS Score : 5.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N + + ✗ MEDIUM CVE-2017-16016 [Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')] + 
https://scout.docker.com/v/CVE-2017-16016?s=github&n=sanitize-html&t=npm&vr=%3C%3D1.11.1 + Affected range : <=1.11.1 + Fixed version : 1.11.4 + + ✗ UNSPECIFIED GMS-2016-57 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/GMS-2016-57?s=gitlab&n=sanitize-html&t=npm&vr=%3C%3D1.4.2 + Affected range : <=1.4.2 + Fixed version : 1.4.3 + + ✗ UNSPECIFIED GMS-2016-17 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/GMS-2016-17?s=gitlab&n=sanitize-html&t=npm&vr=%3C1.11.4 + Affected range : <1.11.4 + Fixed version : 1.11.4 + + + 0C 1H 1M 0L socket.io 3.1.2 +pkg:npm/socket.io@3.1.2 + + ✗ HIGH GHSA-25hc-qcg6-38wj [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/GHSA-25hc-qcg6-38wj?s=gitlab&n=socket.io&t=npm&vr=%3E%3D3.0.0%2C%3C4.6.2 + Affected range : >=3.0.0 + : <4.6.2 + Fixed version : 2.5.1, 4.6.2 + CVSS Score : 7.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L + + ✗ MEDIUM CVE-2024-38355 [Improper Input Validation] + https://scout.docker.com/v/CVE-2024-38355?s=github&n=socket.io&t=npm&vr=%3E%3D3.0.0%2C%3C4.6.2 + Affected range : >=3.0.0 + : <4.6.2 + Fixed version : 4.6.2 + CVSS Score : 6.9 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N + + + 0C 1H 0M 0L 1? 
jws 0.2.6 +pkg:npm/jws@0.2.6 + + ✗ HIGH CVE-2016-1000223 + https://scout.docker.com/v/CVE-2016-1000223?s=github&n=jws&t=npm&vr=%3C3.0.0 + Affected range : <3.0.0 + Fixed version : 3.0.0 + CVSS Score : 8.7 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N + + ✗ UNSPECIFIED GMS-2016-54 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/GMS-2016-54?s=gitlab&n=jws&t=npm&vr=%3C3.0.0 + Affected range : <3.0.0 + Fixed version : 3.0.0 + + + 0C 1H 0M 0L mout 1.2.4 +pkg:npm/mout@1.2.4 + + ✗ HIGH CVE-2020-7792 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/CVE-2020-7792?s=gitlab&n=mout&t=npm&vr=%3E%3D0 + Affected range : >=0 + Fixed version : not fixed + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + + 0C 1H 0M 0L braces 2.3.2 +pkg:npm/braces@2.3.2 + + ✗ HIGH CVE-2024-4068 [Excessive Platform Resource Consumption within a Loop] + https://scout.docker.com/v/CVE-2024-4068?s=github&n=braces&t=npm&vr=%3C3.0.3 + Affected range : <3.0.3 + Fixed version : 3.0.3 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + + 0C 1H 0M 0L http-cache-semantics 3.8.1 +pkg:npm/http-cache-semantics@3.8.1 + + ✗ HIGH CVE-2022-25881 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2022-25881?s=github&n=http-cache-semantics&t=npm&vr=%3C4.1.1 + Affected range : <4.1.1 + Fixed version : 4.1.1 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + + 0C 1H 0M 0L tar-fs 2.1.3 +pkg:npm/tar-fs@2.1.3 + + ✗ HIGH CVE-2025-59343 [Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')] + https://scout.docker.com/v/CVE-2025-59343?s=github&n=tar-fs&t=npm&vr=%3E%3D2.0.0%2C%3C2.1.4 + Affected range : >=2.0.0 + : <2.1.4 + Fixed version : 2.1.4 + CVSS Score : 8.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N + + + 
0C 1H 0M 0L express-jwt 0.1.3 +pkg:npm/express-jwt@0.1.3 + + ✗ HIGH CVE-2020-15084 [Improper Authorization] + https://scout.docker.com/v/CVE-2020-15084?s=github&n=express-jwt&t=npm&vr=%3C%3D5.3.3 + Affected range : <=5.3.3 + Fixed version : 6.0.0 + CVSS Score : 7.7 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N + + + 0C 1H 0M 0L ws 7.4.6 +pkg:npm/ws@7.4.6 + + ✗ HIGH CVE-2024-37890 [NULL Pointer Dereference] + https://scout.docker.com/v/CVE-2024-37890?s=github&n=ws&t=npm&vr=%3E%3D7.0.0%2C%3C7.5.10 + Affected range : >=7.0.0 + : <7.5.10 + Fixed version : 7.5.10 + CVSS Score : 8.7 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N + + + 0C 1H 0M 0L ip 2.0.1 +pkg:npm/ip@2.0.1 + + ✗ HIGH CVE-2024-29415 [Server-Side Request Forgery (SSRF)] + https://scout.docker.com/v/CVE-2024-29415?s=github&n=ip&t=npm&vr=%3C%3D2.0.1 + Affected range : <=2.0.1 + Fixed version : not fixed + CVSS Score : 8.1 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H + + + 0C 1H 0M 0L multer 1.4.5-lts.2 +pkg:npm/multer@1.4.5-lts.2 + + ✗ HIGH CVE-2025-47935 [Missing Release of Memory after Effective Lifetime] + https://scout.docker.com/v/CVE-2025-47935?s=github&n=multer&t=npm&vr=%3C2.0.0 + Affected range : <2.0.0 + Fixed version : 2.0.0 + CVSS Score : 7.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + + + 0C 1H 0M 0L lodash.set 4.3.2 +pkg:npm/lodash.set@4.3.2 + + ✗ HIGH CVE-2020-8203 [Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')] + https://scout.docker.com/v/CVE-2020-8203?s=github&n=lodash.set&t=npm&vr=%3E%3D3.7.0%2C%3C%3D4.3.2 + Affected range : >=3.7.0 + : <=4.3.2 + Fixed version : not fixed + CVSS Score : 7.4 + CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H + + + 0C 0H 1M 0L socket.io-parser 4.0.5 +pkg:npm/socket.io-parser@4.0.5 + + ✗ MEDIUM CVE-2023-32695 [Improper Input Validation] + 
https://scout.docker.com/v/CVE-2023-32695?s=github&n=socket.io-parser&t=npm&vr=%3E%3D4.0.4%2C%3C4.2.3 + Affected range : >=4.0.4 + : <4.2.3 + Fixed version : 4.2.3 + CVSS Score : 6.9 + CVSS Vector : CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N + + + 0C 0H 1M 0L tar 4.4.19 +pkg:npm/tar@4.4.19 + + ✗ MEDIUM CVE-2024-28863 [Uncontrolled Resource Consumption] + https://scout.docker.com/v/CVE-2024-28863?s=github&n=tar&t=npm&vr=%3C6.2.1 + Affected range : <6.2.1 + Fixed version : 6.2.1 + CVSS Score : 6.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H + + + 0C 0H 1M 0L micromatch 3.1.10 +pkg:npm/micromatch@3.1.10 + + ✗ MEDIUM CVE-2024-4067 [Inefficient Regular Expression Complexity] + https://scout.docker.com/v/CVE-2024-4067?s=github&n=micromatch&t=npm&vr=%3C4.0.8 + Affected range : <4.0.8 + Fixed version : 4.0.8 + CVSS Score : 5.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L + + + 0C 0H 1M 0L notevil 1.3.3 +pkg:npm/notevil@1.3.3 + + ✗ MEDIUM CVE-2021-23771 [Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')] + https://scout.docker.com/v/CVE-2021-23771?s=github&n=notevil&t=npm&vr=%3C%3D1.3.3 + Affected range : <=1.3.3 + Fixed version : not fixed + CVSS Score : 6.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N + + + 0C 0H 1M 0L base64url 0.0.6 +pkg:npm/base64url@0.0.6 + + ✗ MEDIUM GHSA-rvg8-pwq2-xj7q [Out-of-bounds Read] + https://scout.docker.com/v/GHSA-rvg8-pwq2-xj7q?s=github&n=base64url&t=npm&vr=%3C3.0.0 + Affected range : <3.0.0 + Fixed version : 3.0.0 + + + 0C 0H 1M 0L engine.io 4.1.2 +pkg:npm/engine.io@4.1.2 + + ✗ MEDIUM CVE-2022-41940 [Uncaught Exception] + https://scout.docker.com/v/CVE-2022-41940?s=github&n=engine.io&t=npm&vr=%3E%3D4.0.0%2C%3C6.2.1 + Affected range : >=4.0.0 + : <6.2.1 + Fixed version : 6.2.1 + CVSS Score : 6.5 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H + + + 0C 0H 1M 0L got 8.3.2 +pkg:npm/got@8.3.2 + + ✗ MEDIUM CVE-2022-33987 + 
https://scout.docker.com/v/CVE-2022-33987?s=github&n=got&t=npm&vr=%3C11.8.5 + Affected range : <11.8.5 + Fixed version : 11.8.5 + CVSS Score : 5.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N + + + 0C 0H 1M 0L hbs 4.2.0 +pkg:npm/hbs@4.2.0 + + ✗ MEDIUM CVE-2021-32822 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] + https://scout.docker.com/v/CVE-2021-32822?s=gitlab&n=hbs&t=npm&vr=%3E%3D0 + Affected range : >=0 + Fixed version : not fixed + CVSS Score : 5.3 + CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + + + 0C 0H 0M 1L cookie 0.4.2 +pkg:npm/cookie@0.4.2 + + ✗ LOW CVE-2024-47764 [Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')] + https://scout.docker.com/v/CVE-2024-47764?s=github&n=cookie&t=npm&vr=%3C0.7.0 + Affected range : <0.7.0 + Fixed version : 0.7.0 + + + +60 vulnerabilities found in 29 packages + CRITICAL 9 + HIGH 20 + MEDIUM 23 + LOW 1 + UNSPECIFIED 7 + diff --git a/labs/lab7/scanning/snyk-results.txt b/labs/lab7/scanning/snyk-results.txt new file mode 100644 index 00000000..8ecbd9ae --- /dev/null +++ b/labs/lab7/scanning/snyk-results.txt 
@@ -0,0 +1,129 @@ + +Testing bkimminich/juice-shop:v19.0.0... + +Organization: scruffyscarf +Package manager: deb +Project name: docker-image|bkimminich/juice-shop +Docker image: bkimminich/juice-shop:v19.0.0 +Platform: linux/arm64 +Target OS: Distroless +Licenses: enabled + +✔ Tested 10 dependencies for known issues, no vulnerable paths found. + +------------------------------------------------------- + +Testing bkimminich/juice-shop:v19.0.0... + +Tested 977 dependencies for known issues, found 30 issues. + + +Issues to fix by upgrading: + + Upgrade check-dependencies@1.1.1 to check-dependencies@2.0.0 to fix + ✗ Excessive Platform Resource Consumption within a Loop [High Severity][https://security.snyk.io/vuln/SNYK-JS-BRACES-6838727] in braces@2.3.2 + introduced by check-dependencies@1.1.1 > findup-sync@2.0.0 > micromatch@3.1.10 > braces@2.3.2 + ✗ Prototype Pollution [High Severity][https://security.snyk.io/vuln/SNYK-JS-UNSETVALUE-2400660] in unset-value@1.0.0 + introduced by check-dependencies@1.1.1 > findup-sync@2.0.0 > micromatch@3.1.10 > snapdragon@0.8.2 > base@0.11.2 > cache-base@1.0.1 > unset-value@1.0.0 and 4 other path(s) + + Upgrade express-jwt@0.1.3 to express-jwt@6.0.0 to fix + ✗ Authorization Bypass [High Severity][https://security.snyk.io/vuln/SNYK-JS-EXPRESSJWT-575022] in express-jwt@0.1.3 + introduced by express-jwt@0.1.3 + ✗ Directory Traversal [High Severity][https://security.snyk.io/vuln/SNYK-JS-MOMENT-2440688] in moment@2.0.0 + introduced by express-jwt@0.1.3 > jsonwebtoken@0.1.0 > moment@2.0.0 + ✗ Uninitialized Memory Exposure [High Severity][https://security.snyk.io/vuln/npm:base64url:20180511] in base64url@0.0.6 + introduced by jsonwebtoken@0.4.0 > jws@0.2.6 > base64url@0.0.6 and 3 other path(s) + ✗ Authentication Bypass [High Severity][https://security.snyk.io/vuln/npm:jsonwebtoken:20150331] in jsonwebtoken@0.1.0 + introduced by express-jwt@0.1.3 > jsonwebtoken@0.1.0 and 1 other path(s) + ✗ Forgeable Public/Private Tokens [High 
Severity][https://security.snyk.io/vuln/npm:jws:20160726] in jws@0.2.6 + introduced by jsonwebtoken@0.4.0 > jws@0.2.6 and 1 other path(s) + + Upgrade jsonwebtoken@0.4.0 to jsonwebtoken@5.0.0 to fix + ✗ Uninitialized Memory Exposure [High Severity][https://security.snyk.io/vuln/npm:base64url:20180511] in base64url@0.0.6 + introduced by jsonwebtoken@0.4.0 > jws@0.2.6 > base64url@0.0.6 and 3 other path(s) + ✗ Authentication Bypass [High Severity][https://security.snyk.io/vuln/npm:jsonwebtoken:20150331] in jsonwebtoken@0.1.0 + introduced by express-jwt@0.1.3 > jsonwebtoken@0.1.0 and 1 other path(s) + ✗ Forgeable Public/Private Tokens [High Severity][https://security.snyk.io/vuln/npm:jws:20160726] in jws@0.2.6 + introduced by jsonwebtoken@0.4.0 > jws@0.2.6 and 1 other path(s) + + Upgrade multer@1.4.5-lts.2 to multer@2.0.2 to fix + ✗ Uncaught Exception [High Severity][https://security.snyk.io/vuln/SNYK-JS-MULTER-10773732] in multer@1.4.5-lts.2 + introduced by multer@1.4.5-lts.2 + ✗ Uncaught Exception [High Severity][https://security.snyk.io/vuln/SNYK-JS-MULTER-10185673] in multer@1.4.5-lts.2 + introduced by multer@1.4.5-lts.2 + ✗ Missing Release of Memory after Effective Lifetime [High Severity][https://security.snyk.io/vuln/SNYK-JS-MULTER-10185675] in multer@1.4.5-lts.2 + introduced by multer@1.4.5-lts.2 + ✗ Uncaught Exception [Critical Severity][https://security.snyk.io/vuln/SNYK-JS-MULTER-10299078] in multer@1.4.5-lts.2 + introduced by multer@1.4.5-lts.2 + + Upgrade pdfkit@0.11.0 to pdfkit@0.12.2 to fix + ✗ Use of Weak Hash [High Severity][https://security.snyk.io/vuln/SNYK-JS-CRYPTOJS-6028119] in crypto-js@3.3.0 + introduced by pdfkit@0.11.0 > crypto-js@3.3.0 + + Upgrade sanitize-html@1.4.2 to sanitize-html@1.7.1 to fix + ✗ Code Injection [High Severity][https://security.snyk.io/vuln/SNYK-JS-LODASH-1040724] in lodash@2.4.2 + introduced by sanitize-html@1.4.2 > lodash@2.4.2 + ✗ Prototype Pollution [High Severity][https://security.snyk.io/vuln/SNYK-JS-LODASH-450202] in 
lodash@2.4.2 + introduced by sanitize-html@1.4.2 > lodash@2.4.2 + ✗ Prototype Pollution [High Severity][https://security.snyk.io/vuln/SNYK-JS-LODASH-608086] in lodash@2.4.2 + introduced by sanitize-html@1.4.2 > lodash@2.4.2 + ✗ Prototype Pollution [High Severity][https://security.snyk.io/vuln/SNYK-JS-LODASH-6139239] in lodash@2.4.2 + introduced by sanitize-html@1.4.2 > lodash@2.4.2 + ✗ Prototype Pollution [High Severity][https://security.snyk.io/vuln/SNYK-JS-LODASH-73638] in lodash@2.4.2 + introduced by sanitize-html@1.4.2 > lodash@2.4.2 + + Upgrade socket.io@3.1.2 to socket.io@4.7.0 to fix + ✗ Denial of Service (DoS) [High Severity][https://security.snyk.io/vuln/SNYK-JS-WS-7266574] in ws@7.4.6 + introduced by socket.io@3.1.2 > engine.io@4.1.2 > ws@7.4.6 + ✗ Uncaught Exception [High Severity][https://security.snyk.io/vuln/SNYK-JS-SOCKETIO-7278048] in socket.io@3.1.2 + introduced by socket.io@3.1.2 + ✗ Denial of Service (DoS) [High Severity][https://security.snyk.io/vuln/SNYK-JS-ENGINEIO-3136336] in engine.io@4.1.2 + introduced by socket.io@3.1.2 > engine.io@4.1.2 + + +Issues with no direct upgrade or patch: + ✗ Server-side Request Forgery (SSRF) [High Severity][https://security.snyk.io/vuln/SNYK-JS-IP-12704893] in ip@2.0.1 + introduced by express-ipfilter@1.3.2 > ip@2.0.1 + No upgrade or patch available + ✗ Server-side Request Forgery (SSRF) [High Severity][https://security.snyk.io/vuln/SNYK-JS-IP-12761655] in ip@2.0.1 + introduced by express-ipfilter@1.3.2 > ip@2.0.1 + No upgrade or patch available + ✗ Type Confusion [High Severity][https://security.snyk.io/vuln/SNYK-JS-LIBXMLJS2-6808810] in libxmljs2@0.37.0 + introduced by libxmljs2@0.37.0 + No upgrade or patch available + ✗ Type Confusion [High Severity][https://security.snyk.io/vuln/SNYK-JS-LIBXMLJS2-6808816] in libxmljs2@0.37.0 + introduced by libxmljs2@0.37.0 + No upgrade or patch available + ✗ Prototype Pollution [High Severity][https://security.snyk.io/vuln/SNYK-JS-LODASHSET-1320032] in lodash.set@4.3.2 + 
introduced by grunt-replace-json@0.1.0 > lodash.set@4.3.2 + No upgrade or patch available + ✗ Arbitrary Code Injection [Critical Severity][https://security.snyk.io/vuln/SNYK-JS-MARSDB-480405] in marsdb@0.6.11 + introduced by marsdb@0.6.11 + No upgrade or patch available + ✗ Denial of Service (DoS) [High Severity][https://security.snyk.io/vuln/SNYK-JS-SOCKETIOPARSER-5596892] in socket.io-parser@4.0.5 + introduced by socket.io@3.1.2 > socket.io-parser@4.0.5 + This issue was fixed in versions: 3.4.3, 4.2.3 + ✗ Sandbox Bypass [Critical Severity][https://security.snyk.io/vuln/SNYK-JS-VM2-5537100] in vm2@3.9.17 + introduced by juicy-chat-bot@0.9.0 > vm2@3.9.17 + This issue was fixed in versions: 3.9.18 + ✗ Remote Code Execution (RCE) [Critical Severity][https://security.snyk.io/vuln/SNYK-JS-VM2-5772823] in vm2@3.9.17 + introduced by juicy-chat-bot@0.9.0 > vm2@3.9.17 + No upgrade or patch available + ✗ Remote Code Execution (RCE) [Critical Severity][https://security.snyk.io/vuln/SNYK-JS-VM2-5772825] in vm2@3.9.17 + introduced by juicy-chat-bot@0.9.0 > vm2@3.9.17 + No upgrade or patch available + + + +Organization: scruffyscarf +Package manager: npm +Target file: /juice-shop/package.json +Project name: juice-shop +Docker image: bkimminich/juice-shop:v19.0.0 +Licenses: enabled + + +Tested 2 projects, 1 contained vulnerable paths. + + + diff --git a/labs/submission7.md b/labs/submission7.md new file mode 100644 index 00000000..c69e268d --- /dev/null +++ b/labs/submission7.md 
@@ -0,0 +1,125 @@ +# Task 1 — Image Vulnerability & Configuration Analysis + +## Top 5 Critical Vulnerabilities + +### Vulnerability 1: +- **Severity**: CRITICAL +- **CVE ID**: CVE-2023-37903 +- **Impact**: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') +- **Affected package**: npm/vm2@3.9.17 + +### Vulnerability 2: +- **Severity**: CRITICAL +- **CVE ID**: CVE-2023-37466 +- **Impact**: Improper Control of Generation of Code ('Code Injection') +- **Affected package**: npm/vm2@3.9.17 + +### Vulnerability 3: +- **Severity**: CRITICAL +- **CVE ID**: CVE-2023-32314 +- **Impact**: - **Impact**: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') +- **Affected package**: npm/vm2@3.9.17 + +### Vulnerability 4: +- **Severity**: CRITICAL +- **CVE ID**: CVE-2019-10744 +- **Impact**: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') +- **Affected package**: npm/lodash@2.4.2 + +### Vulnerability 5: +- **Severity**: CRITICAL +- **CVE ID**: CVE-2015-9235 +- **Impact**: Improper Input Validation +- **Affected package**: npm/jsonwebtoken@0.1.0 + +## Dockle Configuration Findings + +No FATAL and WARN issues were found. + +## Security Posture Assessment + +- The Juice Shop image runs as root by default. +- Recommendations: + - Use a non-root user; + - Implement least privilege; + - Regular vulnerability scanning; + - Minimal base image; + - Multi-stage builds + - Read-only filesystem + +--- + +# Task 2 — Docker Host Security Benchmarking + +## Summary Statistics + +- **PASS**: 19 +- **WARN**: 24 +- **FAIL**: 0 +- **INFO**: 81 + +## Analysis of Failures + +No failures were found. 
+ +--- + +# Task 3 — Deployment Security Configuration Analysis + +## Configuration Comparison Table + +| Container | juice-default | juice-hardened | juice-production | +|----------------|----------------|------------------------------------|--------------------------------------------------------| +| **CapDrop** | no value | [ALL] | [ALL] | +| **SecurityOpt** | no value | [no-new-privileges] | [no-new-privileges, seccomp=default] | +| **Memory** | 3.827GiB | 512MiB | 512MiB | +| **CPU** | 2.21% | 0.53% | 0.45% | +| **PIDs** | no value | no value | 100 | +| **Restart** | no | no | on-failure | + +## Security Measure Analysis + +- **`--cap-drop=ALL` and `--cap-add=NET_BIND_SERVIC`**: + - **What are Linux capabilities?** - Linux capabilities break down the all-or-nothing root privileges into discrete permissions. Instead of having full root access, processes can be granted specific privileges like changing file ownership, binding to privileged ports, or performing network operations. + + - **What attack vector does dropping ALL capabilities prevent?** - Dropping ALL capabilities prevents privilege escalation attacks where an attacker could use retained capabilities to perform administrative operations even if the container runs as root. + + - **Why do we need to add back `NET_BIND_SERVICE`?** - The `NET_BIND_SERVICE` capability allows binding to ports without requiring full root privileges. + + - **What's the security trade-off?** - Security benefit drastically reduces attack surface by removing unnecessary privileges. + +- **`--security-opt=no-new-privileges`**: + - **What does this flag do?** - Prevents the container process and any child processes from gaining new privileges through setuid/setgid binaries or other privilege escalation mechanisms. 
+ + - **What type of attack does it prevent?** - Prevents privilege escalation via SUID binaries, blocks attacks that rely on programs like `sudo`, `su`, `ping` that have elevated privileges, and mitigates against kernel exploits that require privilege escalation. + + - **What type of attack does it prevent?** - Most containerized applications don't need to change privileges during runtime. Some legacy applications or specific security tools might require privilege changes. + +- **`--memory=512m` and `--cpus=1.0`**: + - **What happens if a container doesn't have resource limits?** - Containers can consume all available host memory, causing system instability. + - **What attack does memory limiting prevent?** - Memory exhaustion attacks (DoS). + - **What's the risk of setting limits too low?** - Application crashes due to out-of-memory errors. + +- **`--pids-limit=100`**: + - **What is a fork bomb?** - A **fork bomb** is a denial-of-service attack where a process repeatedly replicates itself to exhaust available process slots. + - **How does PID limiting help?** - Prevents fork bombs by limiting the total number of processes. + - **How to determine the right limit?** - Monitor normal process count during peak usage. + +- **`--restart=on-failure:3`**: + - **What does this policy do?** - Automatically restarts the container if it exits with a non-zero status code, but only up to 3 times before giving up. + - **When is auto-restart beneficial? When is it risky?** - Auto-restart is beneficial when handling transient failures, maintaining service availability,and recovering from occasional crashes. It is risky when masking underlying application issues, restarting compromised containers, and creating restart loops with configuration problems. + - **Compare `on-failure` vs `always`:** + - `on-failure` only restarts on actual failures (non-zero exit). + - `always` restarts regardless of exit code, can mask problems + +## Critical Thinking Questions + +1. 
**Which profile for DEVELOPMENT? Why?** - `juice-default` because faster iteration and debugging, less restrictive environment for testing, easier troubleshooting without security constraints, and full access to system resources for development tools. + +2. **Which profile for PRODUCTION? Why?** - `juice-production` because defense-in-depth with multiple security layers, resource guarantees and limits, protection against container breakout, automatic recovery from failures, and minimal attack surface. + +3. **What real-world problem do resource limits solve?** - prevents one container from starving others, there is predictable resource usage and billing, prevents single application from taking down entire host, and include limits impact of resource exhaustion attacks. + +4. **If an attacker exploits Default vs Production, what actions are blocked in Production?** - Privilege escalation (no-new-privileges), running most root-level operations (dropped capabilities), consuming all system resources (memory/CPU/PID limits), binding to arbitrary ports (only `NET_BIND_SERVICE`), and fork bombing the host (PID limits). + +5. **What additional hardening would you add?** - `--read-only` with `tmpfs` for writable directories, application-specific mandatory access control, run as different UID on host than in container, restrict network access to required ports only, use Docker secrets instead of environment variables, automated vulnerability scanning and patching, and monitor and log security-relevant events.
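
Review bot: The severity summary that closes the Docker Scout output counts "UNSPECIFIED 7", and the hbs 4.2.0 entry (CVE-2021-32822) shows "Fixed version : not fixed", yet nothing in this change says how either group is triaged. Add a short note to the write-up stating what happens to unrated findings and to findings with no fixed version (accept with justification, replace the package, or apply a compensating control). The same note should say which scanner the Top 5 list was taken from, because this file totals 60 vulnerabilities in 29 packages while snyk-results.txt reports 30 issues for the same image tag.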
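
Review bot: labs/lab7/scanning/snyk-results.txt opens directly at "Testing bkimminich/juice-shop:v19.0.0..." with no record of the command that produced it or the scan date, and the header shows "Platform: linux/arm64", so the committed result covers only the arm64 variant of the image and cannot be reproduced from the file alone. Put the exact command and the date at the top of the file, and state the platform in the write-up. The header also embeds "Organization: scruffyscarf"; remove it if the account name is not meant to be in the repository. In the "Issues with no direct upgrade or patch" block, two Critical vm2@3.9.17 RCE entries and the Critical marsdb@0.6.11 Arbitrary Code Injection entry are marked "No upgrade or patch available"; the submission should say which runtime control is expected to cover them, since upgrading is not an option.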
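
Review bot: In Task 2 of labs/submission7.md, "Analysis of Failures" states "No failures were found" directly under a summary that reports "WARN: 24"; Docker Bench marks a check that did not pass as WARN and has no separate FAIL status, so those 24 items are the findings this section is supposed to analyse. List the WARN checks (or at least group them by benchmark section) with the remediation or the reason each is accepted. Further points in the same file: (1) in the Task 3 table the "CPU" row (2.21%, 0.53%, 0.45%) and the juice-default "Memory" value (3.827GiB) are measured usage and host total rather than configured limits, while the analysis below discusses "--memory=512m" and "--cpus=1.0"; record the configured limit, or "none", so the table compares configuration. (2) Under "--security-opt=no-new-privileges" the heading "What type of attack does it prevent?" appears twice; the second answer is about downsides and needs its own heading. The first answer also credits the flag with mitigating kernel exploits, but it only stops a process gaining privileges across exec (setuid/setgid binaries, file capabilities), so drop or qualify that clause. (3) Critical Thinking answer 4 lists "binding to arbitrary ports (only NET_BIND_SERVICE)" as blocked; that capability governs privileged ports (below 1024) and a process without it can still bind unprivileged ports, so reword the item, and say "privileged ports" in the NET_BIND_SERVICE answer as well. (4) The "What's the security trade-off?" answer names only the benefit; add the cost. (5) Typos: "--cap-add=NET_BIND_SERVIC" is missing the final E, and Vulnerability 3 has a doubled "- **Impact**: - **Impact**:".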