We're trying to build a Docker container that contains Logstash-8.0.0 (the latest version, came out yesterday), such that it can be scanned with Trivy and not have any "HIGH" or "CRITICAL" severity alerts.
It's proving very hard to do, as we're not proficient with Java, Ruby, or JRuby.
If we have a Dockerfile that has the Elastic repository in it:
$ cat /etc/apt/sources.list.d/elastic-8.x.list
deb https://artifacts.elastic.co/packages/8.x/apt stable main
And we install logstash:
$ sudo apt-get update
$ sudo apt-get install logstash
Then install and run trivy:
$ curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b .
$ sudo trivy fs -s HIGH,CRITICAL /
We get one critical and two high severity alerts, concerning ruby gems listed in /usr/share/logstash/Gemfile.lock:
usr/share/logstash/Gemfile.lock (bundler)
=========================================
Total: 3 (HIGH: 2, CRITICAL: 1)
+----------+------------------+----------+-------------------+---------------+---------------------------------------+
| LIBRARY  | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE                                 |
+----------+------------------+----------+-------------------+---------------+---------------------------------------+
| json     | CVE-2020-10663   | HIGH     | 1.8.6-java        | >= 2.3.0      | rubygem-json: Unsafe object           |
|          |                  |          |                   |               | creation vulnerability in JSON        |
|          |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-10663 |
+----------+------------------+----------+-------------------+---------------+---------------------------------------+
| kramdown | CVE-2020-14001   | CRITICAL | 1.14.0            |               | rubygem-kramdown: processing template |
|          |                  |          |                   |               | options inside documents allows       |
|          |                  |          |                   |               | unintended read access or embedded... |
|          |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-14001 |
+----------+------------------+----------+-------------------+---------------+---------------------------------------+
| nokogiri | CVE-2021-41098   | HIGH     | 1.12.5-java       | >= 1.12.5     | rubygem-nokogiri: XEE on JRuby        |
|          |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-41098 |
+----------+------------------+----------+-------------------+---------------+---------------------------------------+
By changing the path to include the appropriate(?) directories, we can run ruby, jruby, gem and bundle:
$ export PATH=/usr/share/logstash/bin:/usr/share/logstash/vendor/jruby/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:.
But we're a bit at a loss as to what to try next. So far, it looks like editing /usr/share/logstash/Gemfile to have the right versions of json and nokogiri and commenting out the gems that are marked :development, and then running bundle install; bundle update, is the way to go:
diff --git a/Gemfile b/Gemfile
index 6e90ef4..1054cb3 100644
--- a/Gemfile
+++ b/Gemfile
@@ -6,7 +6,8 @@ gem "logstash-core", :path => "./logstash-core"
gem "logstash-core-plugin-api", :path => "./logstash-core-plugin-api"
gem "atomic", "~> 1"
gem "builder", "~> 3"
-gem "json", "~> 1"
+gem "json", "~> 2.3.0"
+gem "nokogiri", "1.12.5"
gem "paquet", "~> 0.2"
gem "pleaserun", "~>0.0.28"
gem "rake", "~> 12"
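Review bot: the added line `gem "nokogiri", "1.12.5"` does not move nokogiri past what Trivy already reported (installed 1.12.5-java, fixed version >= 1.12.5), so it cannot clear that finding, and an exact pin also blocks every later patch release; if the intent is to require the fixed release, a floor such as `gem "nokogiri", ">= 1.12.5"` does that while still letting bundler upgrade. On the json line, `"~> 2.3.0"` is a pessimistic constraint meaning >= 2.3.0 and < 2.4, narrower than the >= 2.3.0 fix Trivy lists; `"~> 2.3"` (>= 2.3, < 3) gives bundler room to resolve newer 2.x releases. Neither hunk touches kramdown, the only CRITICAL finding in the scan.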
@@ -18,15 +19,6 @@ gem "gems", "~> 1", :group => :build
gem "octokit", "~> 4", :group => :build
gem "rubyzip", "~> 1", :group => :build
gem "stud", "~> 0.0.22", :group => :build
-# gem "belzebuth", :group => :development
-# gem "benchmark-ips", :group => :development
-# # # gem "ci_reporter_rspec", "~> 1", :group => :development
-# gem "flores", "~> 0.0.6", :group => :development
-# gem "json-schema", "~> 2", :group => :development
-# gem "logstash-devutils", "~> 1", :group => :development
-# gem "rack-test", :require => "rack/test", :group => :development
-# gem "rspec", "~> 3.5", :group => :development
-# gem "webmock", "~> 3", :group => :development
gem "logstash-codec-avro"
gem "logstash-codec-cef"
gem "logstash-codec-collectd"
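Review bot: every line removed in this hunk already begins with `#`, so these were comments and bundler never read them; deleting them changes nothing about what `bundle install` resolves, and the active :development gems the text says should be dropped are not touched here. If the goal is to skip that group, leave the Gemfile alone and configure bundler instead: `bundle config set --local without development` before `bundle install`.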
But it seems that the Gemfile.lock file was created by bundler 2.3.6, which is not installed. When we installed bundler 2.3.6, it complained about an unexpected error with openssl. So we upgraded to bundler 2.3.7 (also released yesterday!), and it succeeded with bundle install. But now logstash won't run:
[FATAL] 2022-02-10 18:12:40.504 [main] Logstash - Logstash stopped
processing because of an error: (GemNotFound) Could not find
logstash-filter-elasticsearch-3.11.1,
logstash-filter-http-1.3.0,
logstash-filter-kv-4.6.0,
logstash-input-beats-6.2.6-java,
logstash-input-dead_letter_queue-1.1.10,
logstash-input-http_poller-5.2.0,
logstash-input-sqs-3.2.0,
logstash-input-tcp-6.2.7-java,
logstash-integration-elastic_enterprise_search-2.2.1,
logstash-integration-kafka-10.10.0-java,
logstash-output-http-5.4.0,
logstash-output-tcp-6.0.1,
puma-5.6.1-java,
jruby-openssl-0.12.1-java,
i18n-1.9.1,
elasticsearch-7.17.0,
logstash-mixin-http_client-7.1.0,
json-2.6.1-java,
redis-4.6.0,
logstash-mixin-aws-5.0.0,
elastic-enterprise-search-7.16.0,
sequel-5.53.0,
elasticsearch-api-7.17.0,
elasticsearch-transport-7.17.0
in any of the sources
Edit: Figured it out! This makes logstash find the updated ruby gems:
# cd /usr/share/logstash/vendor/jruby/lib/ruby/gems/shared
# tar c . | ( cd /usr/share/logstash/vendor/bundle/jruby/2.5.0; tar x )
This makes trivy stop complaining about snakeyaml-1.23 while letting logstash keep working:
# rm /usr/share/logstash/logstash-core/lib/jars/snakeyaml-1.23.jar
# cp /usr/share/logstash/vendor/jruby/lib/ruby/stdlib/org/yaml/snakeyaml/1.26/snakeyaml-1.26.jar /usr/share/logstash/logstash-core/lib/jars
This cleans up the other trivy jar alerts:
# rm -rf ~/.m2 # Delete maven cache
Cheers!
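Added example, not code from the question or from the Logstash project: a small Ruby script that reproduces two of the checks from the post offline. `scan_lock` parses the `specs:` block of a Gemfile.lock and compares each gem against the three advisories in the Trivy table, and shows why feeding a `-java` platform suffix straight into `Gem::Version` makes 1.12.5-java sort below the 1.12.5 fix; `missing_from_bundle` lists lockfile gems that have no `.gemspec` under a bundle path's `specifications/` directory, the situation behind the GemNotFound error. The lockfile excerpt, the `racc` entries and the temporary bundle directory are constructed for the example; the advisory ids and fixed versions are taken from the Trivy output above.

```ruby
require "rubygems"
require "tmpdir"
require "fileutils"

# Constructed excerpt of a Gemfile.lock, shaped like the one Trivy scanned
# (versions taken from the Trivy table above; the racc lines are made up).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      json (1.8.6-java)
      kramdown (1.14.0)
      nokogiri (1.12.5-java)
        racc (~> 1.4)
      racc (1.6.0)
LOCK

# The three advisories from the Trivy table. A nil requirement means Trivy
# printed no fixed version, so every version of that gem is reported.
ADVISORIES = {
  "json"     => { id: "CVE-2020-10663", fixed: ">= 2.3.0" },
  "kramdown" => { id: "CVE-2020-14001", fixed: nil },
  "nokogiri" => { id: "CVE-2021-41098", fixed: ">= 1.12.5" },
}.freeze

# Parse the specs: block into [name, version, platform] triples. A spec line is
# indented four spaces, its dependencies six. Like Bundler's own lockfile parser,
# the parenthesised field is split at the first hyphen: "1.12.5-java" is
# version 1.12.5 built for the java platform, not a version string.
def parse_lock_specs(text)
  text.each_line.each_with_object([]) do |line, specs|
    m = /\A {4}(\S+) \(([^)]+)\)\s*\z/.match(line)
    next unless m
    version, platform = m[2].split("-", 2)
    specs << [m[1], version, platform]
  end
end

# Does `version` still fall inside the advisory (i.e. outside the fixed range)?
def vulnerable?(version, fixed)
  return true if fixed.nil?
  !Gem::Requirement.new(fixed).satisfied_by?(Gem::Version.new(version))
end

# Scan a lockfile against the advisories and return one finding per match.
# With platform_aware: false the raw "1.12.5-java" field goes to Gem::Version,
# which rewrites the hyphen to ".pre." and so treats it as a prerelease that
# sorts *below* 1.12.5: a fixed gem gets reported as vulnerable, the same
# outcome as the nokogiri row of the Trivy table (1.12.5-java vs >= 1.12.5).
def scan_lock(text, advisories = ADVISORIES, platform_aware: true)
  parse_lock_specs(text).each_with_object([]) do |(name, version, platform), findings|
    adv = advisories[name]
    next unless adv
    raw = platform ? "#{version}-#{platform}" : version
    flagged = vulnerable?(platform_aware ? version : raw, adv[:fixed])
    findings << { gem: name, version: raw, id: adv[:id], fixed: adv[:fixed] } if flagged
  end
end

# Lockfile gems that are not installed where the bundle path looks: RubyGems
# names the spec file "#{name}-#{version}[-#{platform}].gemspec", the same
# "logstash-input-beats-6.2.6-java" form seen in the GemNotFound error.
def missing_from_bundle(text, bundle_path)
  parse_lock_specs(text).reject do |name, version, platform|
    full = [name, version, platform].compact.join("-")
    File.exist?(File.join(bundle_path, "specifications", "#{full}.gemspec"))
  end.map { |name, version, platform| [name, version, platform].compact.join("-") }
end

# Demonstration on a constructed bundle path holding only two of the four gemspecs.
def demo
  Dir.mktmpdir do |bundle|
    FileUtils.mkdir_p(File.join(bundle, "specifications"))
    %w[json-1.8.6-java.gemspec kramdown-1.14.0.gemspec].each do |f|
      File.write(File.join(bundle, "specifications", f), "")
    end
    {
      findings: scan_lock(SAMPLE_LOCK),
      naive_findings: scan_lock(SAMPLE_LOCK, platform_aware: false),
      missing: missing_from_bundle(SAMPLE_LOCK, bundle),
    }
  end
end

if $PROGRAM_NAME == __FILE__
  demo.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

On a real image, read /usr/share/logstash/Gemfile.lock and point `missing_from_bundle` at /usr/share/logstash/vendor/bundle/jruby/2.5.0 (the directory the tar copy in the edit above fills) before starting Logstash: an empty list means every locked gem has a gemspec where Logstash will look for it.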
1 Answer
It was a long and complicated process, but updating to logstash-8.0.0 allowed bundler-2.3.7 to work, and then copying the gems from one directory to the other let logstash actually find the gems.
The details have been added to the question.
Cheers!