Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Vulnerabilities in the azurelinux-3.0-net8.0-webassembly-amd64 image #1281

Open
MichaelSimons opened this issue Dec 4, 2024 · 6 comments
Open

Vulnerabilities in the azurelinux-3.0-net8.0-webassembly-amd64 image #1281

MichaelSimons opened this issue Dec 4, 2024 · 6 comments
Assignees
@sbomer
Labels
area-dockerfiles security

Comments

@MichaelSimons
Copy link
Member

@github-project-automation github-project-automation bot moved this to Backlog in .NET Docker Dec 4, 2024
@MichaelSimons
Copy link
Member Author

@sbomer - can you take a look at these vulnerabilities and try to address them? TIA.

@sbomer sbomer mentioned this issue Dec 5, 2024
Merged
sbomer added a commit that referenced this issue Dec 5, 2024
@sbomer
Update EMSDK in net8.0 image (#1283)
fbce38b 
Addresses some of the vulnerabilities in #1281.
@sbomer sbomer mentioned this issue Dec 6, 2024
Merged
@sbomer
Copy link
Member

sbomer commented Dec 6, 2024

From @akoeplinger in #1285 (comment):

None of the vulnerabilities are relevant in our case since we don't run untrusted input and aren't using nodejs in a webserver context. Do you know if we can close them as "won't fix"?

@MichaelSimons

@mthalman
Copy link
Member

mthalman commented Dec 6, 2024

No, not without going through a big exception approval process. The proper mitigation here is to update the configuration of the Dockerfile so that it doesn't reference vulnerable versions.

@sbomer
Copy link
Member

sbomer commented Dec 9, 2024

From @MichaelSimons in #1285 (comment)

None of the vulnerabilities are relevant in our case since we don't run untrusted input and aren't using nodejs in a webserver context. Do you know if we can close them as "won't fix"?

I am not familiar with the EMSDK support model. I see the version we are on is well over a year now. Will we be staying on this version for the lifetime of 8.0? This feels like a recipe for numerous vulnerabilities over it's lifetime. Requesting s360 exceptions is not feasible for these. They are going to tell us to update our dependency.

@sbomer
Copy link
Member

sbomer commented Dec 9, 2024

@akoeplinger mentioned in #1283 (comment):

@sbomer unfortunately upgrading emsdk is not as easy, the versions are not compatible. This needs to be reverted.

@akoeplinger what are the versioning requirements for our EMSDK dependency?

@akoeplinger
Copy link
Member

akoeplinger commented Dec 9, 2024
edited
Loading

#1291 will fix the issues too, except https://github.com/dotnet/dotnet-buildtools-prereqs-docker-internal/issues/240 since that one exists in the npm provided by Azure Linux through tdnf so they need to fix that upstream.

@akoeplinger what are the versioning requirements for our EMSDK dependency?

We essentially can't upgrade it as the versions are not ABI compatible and there are existing third party wasm libraries that would fail. In .NET 9+ we're using our own version of emsdk that we build in the https://github.com/dotnet/emsdk repo and ship as a nuget package, that's why we don't install Google's emsdk in the net9+ Dockerfiles anymore.

@akoeplinger akoeplinger mentioned this issue Dec 9, 2024
Merged
@lbussell lbussell removed the untriaged label Dec 9, 2024
@lbussell lbussell removed this from .NET Docker Dec 9, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@sbomer sbomer

Labels
area-dockerfiles security
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@sbomer @akoeplinger @MichaelSimons @mthalman @lbussell