Merge branch 'bugfix/KASM-5264_update_libssl' into 'develop'

Resolve KASM-5264, KASM-5269, KASM-5266 Vulnerability Scanning Closes KASM-5264 See merge request kasm-technologies/internal/workspaces-core-images!150
2024-11-24 16:33:19 +01:00 · 2023-12-04 21:47:45 +00:00 · 2023-12-04 21:47:45 +00:00 · fe492f0c7b
commit fe492f0c7b
parent 995f2ef043 febdac6971
13 changed files with 245 additions and 10 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -4,12 +4,18 @@
 image: docker:24.0.6
 services:
  - docker:24.0.6-dind
+
+include:
+  - template: Code-Quality.gitlab-ci.yml
+
 stages:
  - template
  - run
+  - test
 variables:
  KASM_RELEASE: "1.14.0"
  TEST_INSTALLER: "https://kasm-static-content.s3.amazonaws.com/kasm_release_1.14.0.7f3582.tar.gz"
+  SCAN_CONTAINERS: "true"
 before_script:
  - export SANITIZED_BRANCH="$(echo $CI_COMMIT_REF_NAME | sed -r 's#^release/##' | sed 's/\//_/g')"

--- a/ci-scripts/download-trivy
+++ b/ci-scripts/download-trivy
@ -0,0 +1,14 @@
+#!/bin/bash
+
+set -euo pipefail
+
+TRIVY_VERSION=$(wget -qO - "https://api.github.com/repos/aquasecurity/trivy/releases/latest" | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
+echo "$TRIVY_VERSION"
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+trivy_dir="${SCRIPT_DIR}/trivy"
+rm -rf $trivy_dir
+mkdir $trivy_dir
+cd $trivy_dir
+wget --no-verbose "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz" -O - | tar -zxvf -
+
+cp "${SCRIPT_DIR}/junit.tpl" "${SCRIPT_DIR}/trivy/contrib/"
--- a/ci-scripts/gitlab-ci.template
+++ b/ci-scripts/gitlab-ci.template
@ -8,6 +8,7 @@ stages:
  - readme
  - revert
  - build
+  - scan
  - test
  - manifest
 variables:
@ -127,6 +128,68 @@ test_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}:
  retry: 1
 {% endfor %}

+######################################
+# Vulnerability Scans                #
+######################################
+{% for IMAGE in multiImages %}
+scan_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}:
+  stage: scan
+  script:
+    - apk add bash
+    - (cd ci-scripts && bash download-trivy)
+    - bash ci-scripts/scan image ${ORG_NAME}/image-cache-private:$(arch)-core-{{ IMAGE.name1 }}-{{ IMAGE.name2 }}-${SANITIZED_BRANCH}-${CI_PIPELINE_ID}
+  rules:
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+      when: never
+    - if: ($CI_COMMIT_BRANCH =~ /^release\/.*$/ || $CI_COMMIT_BRANCH == "develop" || $CI_PIPELINE_SOURCE == "schedule" || $SCAN_CONTAINERS == "true")
+      {% if FILE_LIMITS %}changes:
+      {% for FILE in files %}- {{ FILE }}
+      {% endfor %}{% for FILE in IMAGE.changeFiles %}- {{ FILE }}
+      {% endfor %}{% endif %}
+      when: always
+    - when: manual
+  needs:
+    - build_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}
+  tags:
+    - oci-fixed-amd
+  retry: 1
+  artifacts:
+    reports:
+      junit:
+        - $CI_PROJECT_DIR/trivy-report.xml
+  parallel:
+    matrix:
+      - ARCH: [ "x86_64", "aarch64" ]
+{% endfor %}
+
+{% for IMAGE in singleImages %}
+scan_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}:
+  stage: scan
+  script:
+    - apk add bash
+    - (cd ci-scripts && bash download-trivy)
+    - bash ci-scripts/scan image ${ORG_NAME}/image-cache-private:x86_64-core-{{ IMAGE.name1 }}-{{ IMAGE.name2 }}-${SANITIZED_BRANCH}-${CI_PIPELINE_ID}
+  rules:
+    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
+      when: never
+    - if: ($CI_COMMIT_BRANCH =~ /^release\/.*$/ || $CI_COMMIT_BRANCH == "develop" || $CI_PIPELINE_SOURCE == "schedule" || $SCAN_CONTAINERS == "true")
+      {% if FILE_LIMITS %}changes:
+      {% for FILE in files %}- {{ FILE }}
+      {% endfor %}{% for FILE in IMAGE.changeFiles %}- {{ FILE }}
+      {% endfor %}{% endif %}
+      when: always
+    - when: manual
+  needs:
+    - build_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}
+  artifacts:
+    reports:
+      junit:
+        - $CI_PROJECT_DIR/trivy-report.xml
+  tags:
+    - oci-fixed-amd
+  retry: 1
+{% endfor %}
+
 ############################################
 # Manifest Containers if their test passed #
 ############################################
--- a/ci-scripts/junit.tpl
+++ b/ci-scripts/junit.tpl
@ -0,0 +1,31 @@
+<?xml version="1.0" ?>
+<testsuites name="trivy">
+{{- range . -}}
+{{- $failures := len .Vulnerabilities }}
+    <testsuite tests="{{ $failures }}" failures="{{ $failures }}" name="{{  .Target }}" errors="0" skipped="0" time="">
+    {{- if not (eq .Type "") }}
+        <properties>
+            <property name="type" value="{{ .Type }}"></property>
+        </properties>
+        {{- end -}}
+        {{ range .Vulnerabilities }}
+        <testcase classname="{{ .PkgName }}-{{ .InstalledVersion }}" file="{{ if .FixedVersion -}} Upgrade to {{ .FixedVersion }} {{- else -}} No solution provided  {{- end }}" name="[{{ .Vulnerability.Severity }}] {{ .VulnerabilityID }}" time="">
+            <{{ if not .FixedVersion -}}passed{{- else if (eq .Vulnerability.Severity "CRITICAL") -}}failure{{- else if (eq .Vulnerability.Severity "HIGH") -}}error{{- else -}}skipped{{- end }}  message="{{ escapeXML .Title }}" type="description">Upgrade {{ .PkgName }} to {{ .FixedVersion }} - {{ escapeXML .Description }}</{{ if not .FixedVersion -}}passed{{- else if (eq .Vulnerability.Severity "CRITICAL") -}}failure{{- else if (eq .Vulnerability.Severity "HIGH") -}}error{{- else -}}skipped{{- end }}>
+        </testcase>
+    {{- end }}
+    </testsuite>
+{{- $failures := len .Misconfigurations }}
+    <testsuite tests="{{ $failures }}" failures="{{ $failures }}" name="{{  .Target }}" errors="0" skipped="0" time="">
+    {{- if not (eq .Type "") }}
+        <properties>
+            <property name="type" value="{{ .Type }}"></property>
+        </properties>
+        {{- end -}}
+        {{ range .Misconfigurations }}
+        <testcase classname="{{ .Type }}" name="[{{ .Severity }}] {{ .ID }}" time="">
+            <error message="{{ escapeXML .Title }}" type="description">{{ escapeXML .Description }}</error>
+        </testcase>
+    {{- end }}
+    </testsuite>
+{{- end }}
+</testsuites>
--- a/ci-scripts/scan
+++ b/ci-scripts/scan
@ -0,0 +1,36 @@
+#!/bin/bash
+
+set -eo pipefail
+
+build_report() {
+  $trivy_cmd --exit-code 0 --format template --template "@/$trivy_dir/contrib/junit.tpl" -o "$source_dir/trivy-report.xml" "$target"
+  #$trivy_cmd --exit-code 0 --format json -o "$source_dir/report.json" "$target"
+}
+
+print_report_and_fail_on_vulnerabilities() {
+  $trivy_cmd --exit-code 1 "$target"
+}
+
+scan_cmd="$1"
+target="$2"
+if [[ -z "$scan_cmd" || -z "$target" ]]; then
+  echo >&2 "Usage: $(basename "$0") <repo|image> <target>"
+  exit 1
+fi
+
+case "$scan_cmd" in
+  repo) options="--scanners config,secret,vuln" ;;
+  image) options="--scanners vuln" ;;
+  *) options="--scanners vuln,config,secret" ;;
+esac
+
+set -u
+set -x
+
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+trivy_dir="${SCRIPT_DIR}/trivy"
+trivy_cmd="$trivy_dir/trivy $scan_cmd --no-progress --ignore-status will_not_fix,fix_deferred --ignore-policy ${SCRIPT_DIR}/vulnerability-filter.rego --cache-dir $HOME/.trivycache $options" #--ignore-unfixed --severity HIGH,CRITICAL,MEDIUM
+source_dir="${CI_PROJECT_DIR:-$trivy_dir}"
+
+build_report
+#print_report_and_fail_on_vulnerabilities
--- a/ci-scripts/vulnerability-filter.rego
+++ b/ci-scripts/vulnerability-filter.rego
@ -0,0 +1,56 @@
+package trivy
+
+import data.lib.trivy
+
+default ignore = false
+
+# Ignore unfixed low and medium
+ignore {
+    not input.FixedVersion
+    input.Severity == {"LOW", "MEDIUM"}[_]
+}
+
+# KASM-5262 - False positives in libssl1.1 library that is manually installed on some distros
+ignore {
+    input.PkgName == "libssl1.1"
+    input.InstalledVersion == "1.1.1f-1ubuntu2.20"
+
+    # Evaluate CWE-ID
+    deny_vulnerability_ids := {
+        "CVE-2021-3449",
+        "CVE-2021-3711",
+        "CVE-2022-0778",
+        "CVE-2022-3602",
+        "CVE-2022-3786",
+        "CVE-2023-0286",
+        "CVE-2021-3712",
+        "CVE-2021-4044",
+        "CVE-2022-1292",
+        "CVE-2022-1343",
+        "CVE-2022-2068",
+        "CVE-2022-2097",
+        "CVE-2022-4203",
+        "CVE-2022-4304",
+        "CVE-2022-4450",
+        "CVE-2023-0215",
+        "CVE-2023-0216",
+        "CVE-2023-0217",
+        "CVE-2023-0401",
+        "CVE-2023-2650",
+        "CVE-2023-5363",
+        "CVE-2021-23840",
+        "CVE-2022-1434",
+        "CVE-2022-1473",
+        "CVE-2022-3358",
+        "CVE-2022-3996",
+        "CVE-2023-0464",
+        "CVE-2023-0465",
+        "CVE-2023-0466",
+        "CVE-2023-1255",
+        "CVE-2023-2975",
+        "CVE-2023-3446",
+        "CVE-2023-3817"
+    }
+
+    input.VulnerabilityID == deny_vulnerability_ids[_]
+}
--- a/4
+++ b/4
@ -41,6 +41,10 @@ ENV DISTRO=$DISTRO \
 WORKDIR $HOME
 RUN mkdir -p $HOME/Desktop

+### Setup package rules
+COPY ./src/ubuntu/install/package_rules $INST_SCRIPTS/package_rules/
+RUN bash $INST_SCRIPTS/package_rules/package_rules.sh && rm -rf $INST_SCRIPTS/package_rules/
+
 ### Install custom fonts
 COPY ./src/ubuntu/install/fonts $INST_SCRIPTS/fonts/
 RUN bash $INST_SCRIPTS/fonts/install_custom_fonts.sh && rm -rf $INST_SCRIPTS/fonts/
--- a/src/common/startup_scripts/vnc_startup.sh
+++ b/src/common/startup_scripts/vnc_startup.sh
@ -349,10 +349,12 @@ if [[ -f $PASSWD_PATH ]]; then
    echo -e "\n---------  purging existing VNC password settings  ---------"
    rm -f $PASSWD_PATH
 fi
-VNC_PW_HASH=$(python3 -c "import crypt; print(crypt.crypt('${VNC_PW}', '\$5\$kasm\$'));")
-VNC_VIEW_PW_HASH=$(python3 -c "import crypt; print(crypt.crypt('${VNC_VIEW_ONLY_PW}', '\$5\$kasm\$'));")
-echo "kasm_user:${VNC_PW_HASH}:ow" > $PASSWD_PATH
-echo "kasm_viewer:${VNC_VIEW_PW_HASH}:" >> $PASSWD_PATH
+#VNC_PW_HASH=$(python3 -c "import crypt; print(crypt.crypt('${VNC_PW}', '\$5\$kasm\$'));")
+#VNC_VIEW_PW_HASH=$(python3 -c "import crypt; print(crypt.crypt('${VNC_VIEW_ONLY_PW}', '\$5\$kasm\$'));")
+#echo "kasm_user:${VNC_PW_HASH}:ow" > $PASSWD_PATH
+#echo "kasm_viewer:${VNC_VIEW_PW_HASH}:" >> $PASSWD_PATH
+echo -e "${VNC_PW}\n${VNC_PW}\n" | kasmvncpasswd -u kasm_user -wo
+echo -e "${VNC_PW}\n${VNC_PW}\n" | kasmvncpasswd -u kasm_viewer -r
 chmod 600 $PASSWD_PATH


--- a/src/ubuntu/install/cleanup/cleanup.sh
+++ b/src/ubuntu/install/cleanup/cleanup.sh
@ -9,6 +9,9 @@ elif [[ "${DISTRO}" == @(almalinux8|almalinux9|fedora37|fedora38|oracle8|oracle9
 elif [ "${DISTRO}" == "opensuse" ]; then
  zypper clean --all
 elif [[ "${DISTRO}" == @(debian|kali|parrotos5|ubuntu) ]]; then
+  # Uninstall unneccesary/vulnerable packages
+  dpkg --purge ipp-usb #KASM-5266
+
  apt-get autoremove -y
  apt-get autoclean -y
 fi
--- a/src/ubuntu/install/kasm_vnc/install_kasm_vnc.sh
+++ b/src/ubuntu/install/kasm_vnc/install_kasm_vnc.sh
@ -157,7 +157,6 @@ elif [[ "${DISTRO}" == "alpine" ]] ; then
        perl-datetime-timezone \
        pixman \
        py3-xdg \
-        python3 \
        setxkbmap \
        xauth \
        xf86-video-amdgpu \
--- a/src/ubuntu/install/package_rules/package_rules.sh
+++ b/src/ubuntu/install/package_rules/package_rules.sh
@ -18,3 +18,19 @@ elif [[ "${DISTRO}" == @(centos|oracle7) ]]; then
  yum reinstall -y \
    glibc-common
 fi
+
+echo "Upgrading packages from upstream base image"
+if [[ "${DISTRO}" == @(centos|oracle7) ]] ; then
+  yum update -y
+elif [[ "${DISTRO}" == @(fedora37|fedora38|oracle8|oracle9|rockylinux9|rockylinux8|almalinux8|almalinux9) ]]; then
+  dnf upgrade -y --refresh
+elif [ "${DISTRO}" == "opensuse" ]; then
+  zypper --non-interactive patch --auto-agree-with-licenses
+elif [ "${DISTRO}" == "alpine" ]; then
+  apk update
+  apk add --upgrade apk-tools
+  apk upgrade --available
+else
+  apt-get update
+  DEBIAN_FRONTEND=noninteractive apt-get upgrade -y
+fi
--- a/src/ubuntu/install/squid/install/install_squid.sh
+++ b/src/ubuntu/install/squid/install/install_squid.sh
@ -2,12 +2,17 @@
 set -ex

 ARCH=$(arch | sed 's/aarch64/arm64/g' | sed 's/x86_64/amd64/g')
+if [[ "${ARCH}" == "arm64" ]]; then
+  LIBSSLURL="http://ports.ubuntu.com/pool/main/o/openssl/libssl1.1_1.1.1f-1ubuntu2.20_arm64.deb"
+else
+  LIBSSLURL="http://archive.ubuntu.com/ubuntu/pool/main/o/openssl/libssl1.1_1.1.1f-1ubuntu2.20_amd64.deb"
+fi

 # intall squid
 SQUID_COMMIT='1149fc830c7edcb383eec390cce2beba16befde5'
 if  $(grep -q Jammy /etc/os-release) || $(grep -q Kali /etc/os-release) ; then
  wget -qO- https://kasmweb-build-artifacts.s3.amazonaws.com/kasm-squid-builder/${SQUID_COMMIT}/output/kasm-squid-builder_${ARCH}.tar.gz | tar -xzf - -C /
-  wget https://kasm-ci.s3.amazonaws.com/libssl1.1.${ARCH}.deb
+  wget ${LIBSSLURL} -O libssl1.1.${ARCH}.deb
  dpkg -i libssl1.1.${ARCH}.deb
  rm -f libssl1.1.${ARCH}.deb
 elif [[ "${DISTRO}" != @(centos|oracle7|oracle8|oracle9|opensuse|fedora37|fedora38|rockylinux9|rockylinux8|almalinux9|almalinux8|alpine) ]] ; then
@ -39,7 +44,7 @@ elif [[ "${DISTRO}" == @(centos|oracle7) ]]; then
 elif [[ "${DISTRO}" == "alpine" ]]; then
  apk add --no-cache openssl1.1-compat
 elif grep -q bookworm /etc/os-release; then
-  wget https://kasm-ci.s3.amazonaws.com/libssl1.1.${ARCH}.deb
+  wget ${LIBSSLURL} -O libssl1.1.${ARCH}.deb
  dpkg -i libssl1.1.${ARCH}.deb
  rm -f libssl1.1.${ARCH}.deb
 fi
--- a/src/ubuntu/install/tools/install_tools.sh
+++ b/src/ubuntu/install/tools/install_tools.sh
@ -3,12 +3,12 @@ set -e

 echo "Install some common tools for further installation"
 if [[ "${DISTRO}" == @(centos|oracle7) ]] ; then
-  yum install -y vim wget net-tools bzip2 python3 ca-certificates bc
+  yum install -y vim wget net-tools bzip2 ca-certificates bc
 elif [[ "${DISTRO}" == @(fedora37|fedora38|oracle8|oracle9|rockylinux9|rockylinux8|almalinux8|almalinux9) ]]; then
-  dnf install -y wget net-tools bzip2 python3 tar vim hostname procps-ng bc
+  dnf install -y wget net-tools bzip2 tar vim hostname procps-ng bc
 elif [ "${DISTRO}" == "opensuse" ]; then
  sed -i 's/download.opensuse.org/mirrorcache-us.opensuse.org/g' /etc/zypp/repos.d/*.repo
-  zypper install -yn wget net-tools bzip2 python3 tar vim gzip iputils bc
+  zypper install -yn wget net-tools bzip2 tar vim gzip iputils bc
 elif [ "${DISTRO}" == "alpine" ]; then
  apk add --no-cache \
    ca-certificates \