Comments (4)
We have overhauled our security scanning that occurs at build time. We added a pile of snyk actions that are now scanning both frontend and backend, docker images, libraries, and code. Previously we had been scanning just backend libraries. A number of issues were surfaced, and we have fixed a number of them. We will continue to make progress on this over time, but the framework now exists. Thank you very much, @tedpatrick ! Are you unblocked? :)
from spiff-arena.
@tedpatrick, thank you very much for the report. We definitely don't want to see security concerns stopping anyone from using Spiff. We take these issues very seriously. We've been lucky to have had the opportunity for multiple third parties to review the source code, and we have mitigated all concerns. We do run snyk in CI, https://github.com/sartography/spiff-arena/actions/runs/6509463582, but there is an obvious gap here in our security scanning automation, and we will look to close that up rapidly. In the meantime, the base image has been updated, and the resulting image has 322 fewer vulnerabilities. There is one critical vulnerability, and no high severity issues, according to docker scan. The critical vulnerability, https://security.snyk.io/vuln/SNYK-DEBIAN12-NGHTTP2-5953379, was earned through `apt-get install curl`, and unfortunately "There is no fixed version for Debian:12."
The Dockerfiles in question are:
- https://github.com/sartography/docker-python/blob/main/Dockerfile aka ghcr.io/sartography/python:3.11
- https://github.com/sartography/spiff-arena/blob/main/spiffworkflow-backend/Dockerfile aka ghcr.io/sartography/spiffworkflow-backend:latest / ghcr.io/sartography/spiffworkflow-backend:main-2023-10-14_03-32-24 / ghcr.io/sartography/spiffworkflow-backend:v0.0.45
If you see any opportunity to improve the Dockerfiles, or if the image is still not meeting expectations, please let us know. If it would be easier to discuss synchronously, please reach out via our website or discord.
I'm going to leave this issue open until checks have been added to our CI process.
Thank you again for bringing this to our attention. 🙇
from spiff-arena.
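One shape the missing CI check could take, as an added example that is not the project's own code (spiff-arena's real workflows are linked above, not reproduced here): a gate that fails the build on critical or high findings unless each one is on an accepted-risk list with an expiry, and that stops honouring a waiver as soon as the scanner reports a fix, so an unfixable finding like the nghttp2 one above can be waived without the waiver becoming permanent. The report below is constructed; its field names (`vulnerabilities`, `severity`, `fixedIn`, `isUpgradable`) follow the shape of Snyk's JSON output as I understand it and are an assumption to adapt to whichever scanner is actually run.

```python
"""CI gate for a container-scan report: fail on critical/high findings
unless each is explicitly accepted, time-boxed, and still unfixable."""
import json
import sys
from datetime import date

# Constructed sample report (not real scanner output). Field names follow
# the shape of Snyk's JSON as I understand it; treat them as an assumption.
# The nghttp2 id is the one from the thread; the CONSTRUCTED-* ids are fake.
SAMPLE_REPORT = json.dumps({
    "vulnerabilities": [
        {"id": "SNYK-DEBIAN12-NGHTTP2-5953379", "severity": "critical",
         "packageName": "nghttp2/libnghttp2-14", "fixedIn": [], "isUpgradable": False},
        # the same finding reached through a second path: scanners repeat these
        {"id": "SNYK-DEBIAN12-NGHTTP2-5953379", "severity": "critical",
         "packageName": "nghttp2/libnghttp2-14", "fixedIn": [], "isUpgradable": False},
        {"id": "CONSTRUCTED-HIGH-1", "severity": "high",
         "packageName": "libexample1", "fixedIn": ["1.0-2"], "isUpgradable": True},
        {"id": "CONSTRUCTED-HIGH-2", "severity": "high",
         "packageName": "libexample2", "fixedIn": [], "isUpgradable": False},
        {"id": "CONSTRUCTED-HIGH-3", "severity": "high",
         "packageName": "libexample3", "fixedIn": ["2.1-1"], "isUpgradable": True},
        {"id": "CONSTRUCTED-LOW-1", "severity": "low",
         "packageName": "libexample4", "fixedIn": [], "isUpgradable": False},
    ]
})

# Accepted risks live in the repo and get reviewed: every entry carries a
# reason and an expiry so a waiver cannot quietly become permanent.
ACCEPTED_RISKS = [
    {"id": "SNYK-DEBIAN12-NGHTTP2-5953379", "expires": "2024-01-31",
     "reason": "pulled in by curl; no fixed version for Debian 12 yet"},
    {"id": "CONSTRUCTED-HIGH-2", "expires": "2023-09-01",
     "reason": "waiver that has already lapsed"},
    {"id": "CONSTRUCTED-HIGH-3", "expires": "2024-06-30",
     "reason": "waived when no fix existed; the report now lists one"},
]


def load_findings(report_json):
    """Parse the report and de-duplicate findings by id (first one wins)."""
    findings = {}
    for v in json.loads(report_json).get("vulnerabilities", []):
        findings.setdefault(v["id"], v)
    return findings


def has_fix(finding):
    return bool(finding.get("fixedIn")) or bool(finding.get("isUpgradable"))


def gate(report_json, accepted, today, fail_on=("critical", "high")):
    """Classify every finding at a failing severity.

    Returns sorted id lists per bucket plus an overall ok flag. Only findings
    that are waived, unexpired and still without a fix pass the gate.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    waivers = {a["id"]: a for a in accepted}
    result = {"blocking": [], "expired": [], "fix_available": [], "waived": []}
    for vid, finding in sorted(load_findings(report_json).items()):
        if finding.get("severity") not in fail_on:
            continue
        waiver = waivers.get(vid)
        if waiver is None:
            result["blocking"].append(vid)
        elif date.fromisoformat(waiver["expires"]) < today:
            result["expired"].append(vid)
        elif has_fix(finding):
            result["fix_available"].append(vid)
        else:
            result["waived"].append(vid)
    result["ok"] = not (result["blocking"] or result["expired"] or result["fix_available"])
    return result


if __name__ == "__main__":
    # Usage: python scan_gate.py [report.json]; with no argument the constructed sample is used.
    report = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    outcome = gate(report, ACCEPTED_RISKS, date.today())
    for bucket in ("blocking", "expired", "fix_available", "waived"):
        for vid in outcome[bucket]:
            print(f"{bucket:14s} {vid}")
    sys.exit(0 if outcome["ok"] else 1)
```

Run against the sample on 2023-10-14 the gate waives only the nghttp2 finding and exits non-zero for the three constructed high findings (one unwaived, one with a lapsed waiver, one whose waiver is overtaken by an available fix); the low finding is ignored by default, which is where the severity threshold should be tightened once the image is clean.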
Thanks for the great response. This is one of those hard ongoing problems.
The base python docker images are a great base but we found we got more control building it up ourselves.
```dockerfile
# builder image.
FROM {AWS_ACC}.dkr.ecr.us-east-1.amazonaws.com/server:builder_1 as builder
COPY apps/server/api/locks/environment-linux-64.txt /locks/environment-linux-64.txt
# Install the locked environment; --copy materialises files instead of linking
# into the builder's package cache, so /opt/env can be copied out on its own.
RUN conda-lock install -p /opt/env --copy /locks/environment-linux-64.txt

# platform image.
FROM --platform=linux/amd64 debian:bookworm-slim
# Only the solved environment crosses over; conda, mamba and conda-lock stay behind.
COPY --from=builder /opt/env /opt/env
ARG APP_DIR
ARG SHARED_DIR
ENV PATH="/opt/env/bin:${PATH}"
WORKDIR /app
# Copy the shared and application code
COPY ${SHARED_DIR} /app/shared
COPY ${APP_DIR} /app
CMD ["uvicorn", "server.app:app", "--host", "0.0.0.0", "--port", "80", "--proxy-headers"]
```
This one uses a builder with conda-lock to build Python + deps from conda-forge; the environment is then copied into a clean base image, debian:bookworm-slim. The builder lets you keep any dev tools out of the production image.
Builder Dockerfile:
```dockerfile
FROM continuumio/miniconda:latest as builder
COPY /locks/environment-linux-64.txt /locks/environment-linux-64.txt
# Create the builder env (conda-lock plus a pinned python) straight from the explicit
# lock; --copy avoids hardlinks into the pkgs cache so the prefix is self-contained.
RUN conda create -p /opt/builder --copy --file /locks/environment-linux-64.txt
ENV PATH="/opt/builder/bin:${PATH}"
```
Builder environment.yml:
```yaml
name: builder
channels:
  - conda-forge
  - defaults
dependencies:
  - conda-lock=2
  - python=3.11.2
```
Builder build.sh for lockfile generation. These solve the environment offline, targeting specific platforms:
```bash
#!/usr/bin/env bash
set -euo pipefail

rm -rf locks
mkdir locks
# prod linux-64: solve with mamba and write an explicit lock (one URL + hash per package)
conda-lock -f environment.yml --mamba --platform linux-64 --kind explicit
mv conda-linux-64.lock ./locks/environment-linux-64.txt
```
Again, this is a hard problem, great to see a proactive posture around security.
Ted :)
from spiff-arena.
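A check that fits the lock-based builder above, as an added example that is not part of Ted's post or of spiff-arena: before the explicit lockfile is baked into the builder image, verify that every entry is an https URL from an allowed channel, carries a content hash and targets the expected platform, and pull a name-to-version inventory out of it for the scanning and SBOM steps. The lockfile below is constructed (fake build strings and hashes, in the `@EXPLICIT` layout that `--kind explicit` produces, with a `# platform:` header that I believe conda-lock writes but treat as an assumption). The `sample-pkg` line resolving from `defaults` shows why an allowlist is worth having when the environment lists more than one channel.

```python
"""Validate a conda-lock explicit lockfile before it goes into a builder image."""
import re
from urllib.parse import urlsplit

# Constructed lockfile in the @EXPLICIT layout; build strings and hashes are
# fake, and the "# platform:" header is an assumption about what conda-lock
# writes. Not a real lock from the project.
SAMPLE_LOCK = """\
# Generated by conda-lock.
# platform: linux-64
# input_hash: 0000000000000000000000000000000000000000000000000000000000000000
@EXPLICIT
https://conda.anaconda.org/conda-forge/linux-64/_libgcc_mutex-0.1-conda_forge.tar.bz2#00112233445566778899aabbccddeeff
https://conda.anaconda.org/conda-forge/linux-64/python-3.11.2-h0000000_0_cpython.conda#ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100
https://repo.anaconda.com/pkgs/main/noarch/sample-pkg-1.0-py_0.tar.bz2#0123456789abcdef0123456789abcdef
https://conda.anaconda.org/conda-forge/noarch/unhashed-0.1-py_0.tar.bz2
"""

ALLOWED_CHANNELS = ("https://conda.anaconda.org/conda-forge/",)
# md5 (32 hex) or sha256 (64 hex); the explicit format appends it after '#'
HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{64})$")
EXTENSIONS = (".tar.bz2", ".conda")


def parse_entry(line):
    """Split one 'url#hash' line. Package filenames are {name}-{version}-{build}.{ext};
    the name may itself contain '-', so the split is done from the right."""
    url, _, digest = line.partition("#")
    path = urlsplit(url).path
    subdir, filename = path.rsplit("/", 2)[-2:]
    stem = next((filename[: -len(ext)] for ext in EXTENSIONS if filename.endswith(ext)), None)
    if stem is None:
        raise ValueError(f"unrecognised package filename: {filename}")
    name, version, build = stem.rsplit("-", 2)
    return {"url": url, "subdir": subdir, "name": name, "version": version,
            "build": build, "digest": digest}


def parse_lock(text):
    """Return (platform, entries). Raises if the @EXPLICIT marker is missing."""
    platform, entries, seen_marker = None, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("# platform:"):
                platform = line.split(":", 1)[1].strip()
            continue
        if line == "@EXPLICIT":
            seen_marker = True
            continue
        if not seen_marker:
            raise ValueError("package line before @EXPLICIT marker")
        entries.append(parse_entry(line))
    if not seen_marker:
        raise ValueError("not an explicit lockfile: no @EXPLICIT marker")
    return platform, entries


def check_lock(text, allowed_channels=ALLOWED_CHANNELS, expected_platform="linux-64"):
    """Return a list of problems; an empty list means the lock is acceptable."""
    problems = []
    platform, entries = parse_lock(text)
    if platform != expected_platform:
        problems.append(f"platform mismatch: lock is for {platform}, expected {expected_platform}")
    for e in entries:
        if not e["url"].startswith("https://"):
            problems.append(f"{e['name']}: not fetched over https: {e['url']}")
        if not any(e["url"].startswith(c) for c in allowed_channels):
            problems.append(f"{e['name']}: channel not allowed: {e['url']}")
        if not HASH_RE.match(e["digest"]):
            problems.append(f"{e['name']}: missing or malformed hash")
        if e["subdir"] not in (expected_platform, "noarch"):
            problems.append(f"{e['name']}: built for {e['subdir']}, not {expected_platform}")
    return problems


def inventory(text):
    """Pinned name -> version map, usable as input to scanning or an SBOM."""
    return {e["name"]: e["version"] for e in parse_lock(text)[1]}


if __name__ == "__main__":
    import sys
    lock_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    for problem in check_lock(lock_text):
        print("PROBLEM:", problem)
    for name, version in sorted(inventory(lock_text).items()):
        print(f"{name}=={version}")
```

Wire it in as the first step of build.sh after `conda-lock` writes the lock, and fail the build on a non-empty problem list; the hash check matters because `conda create --file` on an explicit lock will install an entry that has no `#hash` suffix without verifying anything.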
Updated Scan. Looks to be mostly system tools with outstanding CVEs now.
[Screenshot 2023-10-14 at 10 32 06 AM: updated scan results (image not reproduced)]
from spiff-arena.