Ignore many CVEs #2523
Merged
Ignore many CVEs #2523
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
It affects git. Specifically through crafting a `.gitmodules` file in a particular way. This is not something that happens in the build process for the docs site.
It affects git. Specifically through using `git apply --reject` in a particular way. This is not something that happens in the build process for the docs site.
It relates to using SUID binaries. We run our containers as root, which maybe isn't the best thing, but it also makes using SUID stuff irrelevant.
It concerns Direct Rendering Manager, which is relevant for applications processing graphics data. We're building a static site, nothing to see here.
These relate to mounting f2fs filesystem images. We don't use f2fs.
It relates to OverlayFS. This is, admittedly, what Docker uses by default for volume mounting. Fortunately we don't do any volume mounting for this service in Production or build time.
It relates to an ethernet driver. That's a kernel thing, not relevant to us when we're using containers, where they don't have any concern over drivers.
We don't use openldap
We don't use Perl, and even if we do inadvertently through some package depending on it, we certainly don't use the CPAN.pm package manager.
We don't use Python. At least not directly. But assuming we do use Python unexpectedtly, the nature of the Docs site is such that we aren't attempting to parse URLs supplied by end-users anywhere. Therefore the likelihood of a malicious string to urllib.parse is extremely low.
This is quite an edge case CVE. Its risk is further reduced by the fact our container runs as root (meaning no privilege escalation in the first place). It's also a kernel-level thing, so not really relevant in a container.
|
Preview URL: https://2523--bk-docs-preview.netlify.app |
yob
reviewed
Oct 12, 2023
There was a problem hiding this comment.
It wouldn't help reduce the image size, but is there value in trying to add a step in the Dockerfile that removes the linux packages from the final image? IIRC they're used for building native extensions and not used at runtime, and it would drop 7 CVEs from the list we need to ignore
|
There probably is value. I didn't bother right now because I'd already triaged all but one of the CVEs by the time you mentioned that idea, so I figured I'll get this PR out, and then can address that idea separately. |
danstn
approved these changes
Oct 12, 2023
|
Thanks @ellsclytn
|
!
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
These CVEs have been assessed individually and all deemed safe to ignore. Best to view each commit for the justification behind each.