Merge branch 'bugfix/KASM-5264_update_libssl' into 'develop'

Resolve KASM-5264, KASM-5269, KASM-5266 Vulnerability Scanning Closes KASM-5264 See merge request kasm-technologies/internal/workspaces-core-images!150
2025-06-25 22:41:47 +02:00 · 2023-12-04 21:47:45 +00:00 · 2023-12-04 21:47:45 +00:00 · fe492f0c7b
commit fe492f0c7b
parent 995f2ef043 febdac6971
13 changed files with 245 additions and 10 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -4,12 +4,18 @@
 image: docker:24.0.6
 services:
  - docker:24.0.6-dind
 include:
  - template: Code-Quality.gitlab-ci.yml
 stages:
  - template
  - run
  - test
 variables:
  KASM_RELEASE: "1.14.0"
  TEST_INSTALLER: "https://kasm-static-content.s3.amazonaws.com/kasm_release_1.14.0.7f3582.tar.gz"
  SCAN_CONTAINERS: "true"
 before_script:
  - export SANITIZED_BRANCH="$(echo $CI_COMMIT_REF_NAME | sed -r 's#^release/##' | sed 's/\//_/g')"
--- a/ci-scripts/download-trivy
+++ b/ci-scripts/download-trivy
@ -0,0 +1,14 @@
 #!/bin/bash
 set -euo pipefail
 TRIVY_VERSION=$(wget -qO - "https://api.github.com/repos/aquasecurity/trivy/releases/latest" | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
 echo "$TRIVY_VERSION"
 SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
 trivy_dir="${SCRIPT_DIR}/trivy"
 rm -rf $trivy_dir
 mkdir $trivy_dir
 cd $trivy_dir
 wget --no-verbose "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz" -O - | tar -zxvf -
 cp "${SCRIPT_DIR}/junit.tpl" "${SCRIPT_DIR}/trivy/contrib/"
--- a/ci-scripts/gitlab-ci.template
+++ b/ci-scripts/gitlab-ci.template
@ -8,6 +8,7 @@ stages:
  - readme
  - revert
  - build
  - scan
  - test
  - manifest
 variables:
@ -127,6 +128,68 @@ test_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}:
  retry: 1
 {% endfor %}
 ######################################
 # Vulnerability Scans                #
 ######################################
 {% for IMAGE in multiImages %}
 scan_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}:
  stage: scan
  script:
    - apk add bash
    - (cd ci-scripts && bash download-trivy)
    - bash ci-scripts/scan image ${ORG_NAME}/image-cache-private:$(arch)-core-{{ IMAGE.name1 }}-{{ IMAGE.name2 }}-${SANITIZED_BRANCH}-${CI_PIPELINE_ID}
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
      when: never
    - if: ($CI_COMMIT_BRANCH =~ /^release\/.*$/ || $CI_COMMIT_BRANCH == "develop" || $CI_PIPELINE_SOURCE == "schedule" || $SCAN_CONTAINERS == "true")
      {% if FILE_LIMITS %}changes:
      {% for FILE in files %}- {{ FILE }}
      {% endfor %}{% for FILE in IMAGE.changeFiles %}- {{ FILE }}
      {% endfor %}{% endif %}
      when: always
    - when: manual
  needs:
    - build_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}
  tags:
    - oci-fixed-amd
  retry: 1
  artifacts:
    reports:
      junit:
        - $CI_PROJECT_DIR/trivy-report.xml
  parallel:
    matrix:
      - ARCH: [ "x86_64", "aarch64" ]
 {% endfor %}
 {% for IMAGE in singleImages %}
 scan_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}:
  stage: scan
  script:
    - apk add bash
    - (cd ci-scripts && bash download-trivy)
    - bash ci-scripts/scan image ${ORG_NAME}/image-cache-private:x86_64-core-{{ IMAGE.name1 }}-{{ IMAGE.name2 }}-${SANITIZED_BRANCH}-${CI_PIPELINE_ID}
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
      when: never
    - if: ($CI_COMMIT_BRANCH =~ /^release\/.*$/ || $CI_COMMIT_BRANCH == "develop" || $CI_PIPELINE_SOURCE == "schedule" || $SCAN_CONTAINERS == "true")
      {% if FILE_LIMITS %}changes:
      {% for FILE in files %}- {{ FILE }}
      {% endfor %}{% for FILE in IMAGE.changeFiles %}- {{ FILE }}
      {% endfor %}{% endif %}
      when: always
    - when: manual
  needs:
    - build_{{ IMAGE.name1 }}_{{ IMAGE.name2 }}
  artifacts:
    reports:
      junit:
        - $CI_PROJECT_DIR/trivy-report.xml
  tags:
    - oci-fixed-amd
  retry: 1
 {% endfor %}
 ############################################
 # Manifest Containers if their test passed #
 ############################################
--- a/ci-scripts/junit.tpl
+++ b/ci-scripts/junit.tpl
@ -0,0 +1,31 @@
 <?xml version="1.0" ?>
 <testsuites name="trivy">
 {{- range . -}}
 {{- $failures := len .Vulnerabilities }}
    <testsuite tests="{{ $failures }}" failures="{{ $failures }}" name="{{  .Target }}" errors="0" skipped="0" time="">
    {{- if not (eq .Type "") }}
        <properties>
            <property name="type" value="{{ .Type }}"></property>
        </properties>
        {{- end -}}
        {{ range .Vulnerabilities }}
        <testcase classname="{{ .PkgName }}-{{ .InstalledVersion }}" file="{{ if .FixedVersion -}} Upgrade to {{ .FixedVersion }} {{- else -}} No solution provided  {{- end }}" name="[{{ .Vulnerability.Severity }}] {{ .VulnerabilityID }}" time="">
            <{{ if not .FixedVersion -}}passed{{- else if (eq .Vulnerability.Severity "CRITICAL") -}}failure{{- else if (eq .Vulnerability.Severity "HIGH") -}}error{{- else -}}skipped{{- end }}  message="{{ escapeXML .Title }}" type="description">Upgrade {{ .PkgName }} to {{ .FixedVersion }} - {{ escapeXML .Description }}</{{ if not .FixedVersion -}}passed{{- else if (eq .Vulnerability.Severity "CRITICAL") -}}failure{{- else if (eq .Vulnerability.Severity "HIGH") -}}error{{- else -}}skipped{{- end }}>
        </testcase>
    {{- end }}
    </testsuite>
 {{- $failures := len .Misconfigurations }}
    <testsuite tests="{{ $failures }}" failures="{{ $failures }}" name="{{  .Target }}" errors="0" skipped="0" time="">
    {{- if not (eq .Type "") }}
        <properties>
            <property name="type" value="{{ .Type }}"></property>
        </properties>
        {{- end -}}
        {{ range .Misconfigurations }}
        <testcase classname="{{ .Type }}" name="[{{ .Severity }}] {{ .ID }}" time="">
            <error message="{{ escapeXML .Title }}" type="description">{{ escapeXML .Description }}</error>
        </testcase>
    {{- end }}
    </testsuite>
 {{- end }}
 </testsuites>
--- a/ci-scripts/scan
+++ b/ci-scripts/scan
@ -0,0 +1,36 @@
 #!/bin/bash
 set -eo pipefail
 build_report() {
  $trivy_cmd --exit-code 0 --format template --template "@/$trivy_dir/contrib/junit.tpl" -o "$source_dir/trivy-report.xml" "$target"
  #$trivy_cmd --exit-code 0 --format json -o "$source_dir/report.json" "$target"
 }
 print_report_and_fail_on_vulnerabilities() {
  $trivy_cmd --exit-code 1 "$target"
 }
 scan_cmd="$1"
 target="$2"
 if [[ -z "$scan_cmd" || -z "$target" ]]; then
  echo >&2 "Usage: $(basename "$0") <repo|image> <target>"
  exit 1
 fi
 case "$scan_cmd" in
  repo) options="--scanners config,secret,vuln" ;;
  image) options="--scanners vuln" ;;
  *) options="--scanners vuln,config,secret" ;;
 esac
 set -u
 set -x
 SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
 trivy_dir="${SCRIPT_DIR}/trivy"
 trivy_cmd="$trivy_dir/trivy $scan_cmd --no-progress --ignore-status will_not_fix,fix_deferred --ignore-policy ${SCRIPT_DIR}/vulnerability-filter.rego --cache-dir $HOME/.trivycache $options" #--ignore-unfixed --severity HIGH,CRITICAL,MEDIUM
 source_dir="${CI_PROJECT_DIR:-$trivy_dir}"
 build_report
 #print_report_and_fail_on_vulnerabilities
--- a/ci-scripts/vulnerability-filter.rego
+++ b/ci-scripts/vulnerability-filter.rego
@ -0,0 +1,56 @@
 package trivy
 import data.lib.trivy
 default ignore = false
 # Ignore unfixed low and medium
 ignore {
    not input.FixedVersion
    input.Severity == {"LOW", "MEDIUM"}[_]
 }
 # KASM-5262 - False positives in libssl1.1 library that is manually installed on some distros
 ignore {
    input.PkgName == "libssl1.1"
    input.InstalledVersion == "1.1.1f-1ubuntu2.20"
    # Evaluate CWE-ID
    deny_vulnerability_ids := {
        "CVE-2021-3449",
        "CVE-2021-3711",
        "CVE-2022-0778",
        "CVE-2022-3602",
        "CVE-2022-3786",
        "CVE-2023-0286",
        "CVE-2021-3712",
        "CVE-2021-4044",
        "CVE-2022-1292",
        "CVE-2022-1343",
        "CVE-2022-2068",
        "CVE-2022-2097",
        "CVE-2022-4203",
        "CVE-2022-4304",
        "CVE-2022-4450",
        "CVE-2023-0215",
        "CVE-2023-0216",
        "CVE-2023-0217",
        "CVE-2023-0401",
        "CVE-2023-2650",
        "CVE-2023-5363",
        "CVE-2021-23840",
        "CVE-2022-1434",
        "CVE-2022-1473",
        "CVE-2022-3358",
        "CVE-2022-3996",
        "CVE-2023-0464",
        "CVE-2023-0465",
        "CVE-2023-0466",
        "CVE-2023-1255",
        "CVE-2023-2975",
        "CVE-2023-3446",
        "CVE-2023-3817"
    }
    input.VulnerabilityID == deny_vulnerability_ids[_]
 }
--- a/4
+++ b/4
@ -41,6 +41,10 @@ ENV DISTRO=$DISTRO \
 WORKDIR $HOME
 RUN mkdir -p $HOME/Desktop
 ### Setup package rules
 COPY ./src/ubuntu/install/package_rules $INST_SCRIPTS/package_rules/
 RUN bash $INST_SCRIPTS/package_rules/package_rules.sh && rm -rf $INST_SCRIPTS/package_rules/
 ### Install custom fonts
 COPY ./src/ubuntu/install/fonts $INST_SCRIPTS/fonts/
 RUN bash $INST_SCRIPTS/fonts/install_custom_fonts.sh && rm -rf $INST_SCRIPTS/fonts/
--- a/src/common/startup_scripts/vnc_startup.sh
+++ b/src/common/startup_scripts/vnc_startup.sh
@ -349,10 +349,12 @@ if [[ -f $PASSWD_PATH ]]; then
    echo -e "\n---------  purging existing VNC password settings  ---------"
    rm -f $PASSWD_PATH
 fi
-VNC_PW_HASH=$(python3 -c "import crypt; print(crypt.crypt('${VNC_PW}', '\$5\$kasm\$'));")
+#VNC_PW_HASH=$(python3 -c "import crypt; print(crypt.crypt('${VNC_PW}', '\$5\$kasm\$'));")
-VNC_VIEW_PW_HASH=$(python3 -c "import crypt; print(crypt.crypt('${VNC_VIEW_ONLY_PW}', '\$5\$kasm\$'));")
+#VNC_VIEW_PW_HASH=$(python3 -c "import crypt; print(crypt.crypt('${VNC_VIEW_ONLY_PW}', '\$5\$kasm\$'));")
-echo "kasm_user:${VNC_PW_HASH}:ow" > $PASSWD_PATH
+#echo "kasm_user:${VNC_PW_HASH}:ow" > $PASSWD_PATH
-echo "kasm_viewer:${VNC_VIEW_PW_HASH}:" >> $PASSWD_PATH
+#echo "kasm_viewer:${VNC_VIEW_PW_HASH}:" >> $PASSWD_PATH
 echo -e "${VNC_PW}\n${VNC_PW}\n" | kasmvncpasswd -u kasm_user -wo
 echo -e "${VNC_PW}\n${VNC_PW}\n" | kasmvncpasswd -u kasm_viewer -r
 chmod 600 $PASSWD_PATH
--- a/src/ubuntu/install/cleanup/cleanup.sh
+++ b/src/ubuntu/install/cleanup/cleanup.sh
@ -9,6 +9,9 @@ elif [[ "${DISTRO}" == @(almalinux8|almalinux9|fedora37|fedora38|oracle8|oracle9
 elif [ "${DISTRO}" == "opensuse" ]; then
  zypper clean --all
 elif [[ "${DISTRO}" == @(debian|kali|parrotos5|ubuntu) ]]; then
  # Uninstall unneccesary/vulnerable packages
  dpkg --purge ipp-usb #KASM-5266
  apt-get autoremove -y
  apt-get autoclean -y
 fi
--- a/src/ubuntu/install/kasm_vnc/install_kasm_vnc.sh
+++ b/src/ubuntu/install/kasm_vnc/install_kasm_vnc.sh
@ -157,7 +157,6 @@ elif [[ "${DISTRO}" == "alpine" ]] ; then
        perl-datetime-timezone \
        pixman \
        py3-xdg \
        python3 \
        setxkbmap \
        xauth \
        xf86-video-amdgpu \
--- a/src/ubuntu/install/package_rules/package_rules.sh
+++ b/src/ubuntu/install/package_rules/package_rules.sh
@ -18,3 +18,19 @@ elif [[ "${DISTRO}" == @(centos|oracle7) ]]; then
  yum reinstall -y \
    glibc-common
 fi
 echo "Upgrading packages from upstream base image"
 if [[ "${DISTRO}" == @(centos|oracle7) ]] ; then
  yum update -y
 elif [[ "${DISTRO}" == @(fedora37|fedora38|oracle8|oracle9|rockylinux9|rockylinux8|almalinux8|almalinux9) ]]; then
  dnf upgrade -y --refresh
 elif [ "${DISTRO}" == "opensuse" ]; then
  zypper --non-interactive patch --auto-agree-with-licenses
 elif [ "${DISTRO}" == "alpine" ]; then
  apk update
  apk add --upgrade apk-tools
  apk upgrade --available
 else
  apt-get update
  DEBIAN_FRONTEND=noninteractive apt-get upgrade -y
 fi
--- a/src/ubuntu/install/squid/install/install_squid.sh
+++ b/src/ubuntu/install/squid/install/install_squid.sh
@ -2,12 +2,17 @@
 set -ex
 ARCH=$(arch | sed 's/aarch64/arm64/g' | sed 's/x86_64/amd64/g')
 if [[ "${ARCH}" == "arm64" ]]; then
  LIBSSLURL="http://ports.ubuntu.com/pool/main/o/openssl/libssl1.1_1.1.1f-1ubuntu2.20_arm64.deb"
 else
  LIBSSLURL="http://archive.ubuntu.com/ubuntu/pool/main/o/openssl/libssl1.1_1.1.1f-1ubuntu2.20_amd64.deb"
 fi
 # intall squid
 SQUID_COMMIT='1149fc830c7edcb383eec390cce2beba16befde5'
 if  $(grep -q Jammy /etc/os-release) || $(grep -q Kali /etc/os-release) ; then
  wget -qO- https://kasmweb-build-artifacts.s3.amazonaws.com/kasm-squid-builder/${SQUID_COMMIT}/output/kasm-squid-builder_${ARCH}.tar.gz | tar -xzf - -C /
-  wget https://kasm-ci.s3.amazonaws.com/libssl1.1.${ARCH}.deb
+  wget ${LIBSSLURL} -O libssl1.1.${ARCH}.deb
  dpkg -i libssl1.1.${ARCH}.deb
  rm -f libssl1.1.${ARCH}.deb
 elif [[ "${DISTRO}" != @(centos|oracle7|oracle8|oracle9|opensuse|fedora37|fedora38|rockylinux9|rockylinux8|almalinux9|almalinux8|alpine) ]] ; then
@ -39,7 +44,7 @@ elif [[ "${DISTRO}" == @(centos|oracle7) ]]; then
 elif [[ "${DISTRO}" == "alpine" ]]; then
  apk add --no-cache openssl1.1-compat
 elif grep -q bookworm /etc/os-release; then
-  wget https://kasm-ci.s3.amazonaws.com/libssl1.1.${ARCH}.deb
+  wget ${LIBSSLURL} -O libssl1.1.${ARCH}.deb
  dpkg -i libssl1.1.${ARCH}.deb
  rm -f libssl1.1.${ARCH}.deb
 fi
--- a/src/ubuntu/install/tools/install_tools.sh
+++ b/src/ubuntu/install/tools/install_tools.sh
@ -3,12 +3,12 @@ set -e
 echo "Install some common tools for further installation"
 if [[ "${DISTRO}" == @(centos|oracle7) ]] ; then
-  yum install -y vim wget net-tools bzip2 python3 ca-certificates bc
+  yum install -y vim wget net-tools bzip2 ca-certificates bc
 elif [[ "${DISTRO}" == @(fedora37|fedora38|oracle8|oracle9|rockylinux9|rockylinux8|almalinux8|almalinux9) ]]; then
-  dnf install -y wget net-tools bzip2 python3 tar vim hostname procps-ng bc
+  dnf install -y wget net-tools bzip2 tar vim hostname procps-ng bc
 elif [ "${DISTRO}" == "opensuse" ]; then
  sed -i 's/download.opensuse.org/mirrorcache-us.opensuse.org/g' /etc/zypp/repos.d/*.repo
-  zypper install -yn wget net-tools bzip2 python3 tar vim gzip iputils bc
+  zypper install -yn wget net-tools bzip2 tar vim gzip iputils bc
 elif [ "${DISTRO}" == "alpine" ]; then
  apk add --no-cache \
    ca-certificates \