Resolve minor security warnings by J12934 · Pull Request #3140 · secureCodeBox/secureCodeBox · GitHub
Merged
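--- a/auto-discovery/kubernetes/pull-secret-extractor/Dockerfile
+++ b/auto-discovery/kubernetes/pull-secret-extractor/Dockerfile
@@ -2,9 +2,12 @@
 #
 # SPDX-License-Identifier: Apache-2.0
 
-FROM python:3.11-alpine
+FROM python:3.13-alpine
 
+RUN addgroup -g 1001 nikto \
+&& adduser -G nikto -s /bin/sh -D -u 1001 nikto
 COPY requirements.txt .
 RUN pip install -r requirements.txt
-COPY docker_image.py secret_extraction.py ./
-CMD ["python", secret_extraction.py]
+COPY --chown=root:root --chmod=755 docker_image.py secret_extraction.py ./
+USER 1001
+CMD ["python", "secret_extraction.py"]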
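Review bot: The new COPY of docker_image.py and secret_extraction.py grants 755, but both files are only read by the `python` interpreter named in CMD and never executed directly, so the execute bit is unnecessary; `COPY --chown=root:root --chmod=644 docker_image.py secret_extraction.py ./` keeps the root-owned, not-writable-by-1001 intent with less privilege. The group and user created on the addgroup/adduser lines are named `nikto`, which looks copied from scanners/nikto/scanner/Dockerfile; a name such as `extractor` would avoid confusing readers of this image. No WORKDIR is set in the stage, so unless the base image sets one, `.` and `./` resolve to `/` and requirements.txt plus the sources land in the image root; a `WORKDIR /app` before the first COPY keeps them together, and `RUN pip install --no-cache-dir -r requirements.txt` avoids baking the pip cache into the layer.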
Expand Up @@ -16,7 +16,7 @@ FROM node:22-alpine as build
RUN mkdir -p /home/app
WORKDIR /home/app
COPY package.json package-lock.json ./
RUN npm ci --omit=dev
RUN npm ci --omit=dev --ignore-scripts --ignore-scripts

FROM securecodebox/hook-sdk-nodejs:${baseImageTag:-latest}
WORKDIR /home/app/hook-wrapper/hook/
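Review bot: `--ignore-scripts` is passed twice on the `RUN npm ci` line of this section; npm tolerates a repeated boolean flag, but it reads as a merge slip and differs from the single flag used in every sibling Dockerfile in this PR, so the line should be `RUN npm ci --omit=dev --ignore-scripts`. The file header for this section is not visible here, so the exact path cannot be confirmed from the page.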
Expand Up @@ -20,7 +20,7 @@ FROM node:22-alpine as build
RUN mkdir -p /home/app
WORKDIR /home/app
COPY package.json package-lock.json ./
RUN npm ci --omit=dev
RUN npm ci --omit=dev --ignore-scripts

FROM securecodebox/parser-sdk-nodejs:${baseImageTag:-latest}
WORKDIR /home/app/parser-wrapper/parser/
37,379 changes: 18,691 additions & 18,688 deletions documentation/package-lock.json


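--- a/hook-sdk/nodejs/Dockerfile
+++ b/hook-sdk/nodejs/Dockerfile
@@ -5,7 +5,7 @@
 FROM node:22-alpine AS build
 WORKDIR /home/app
 COPY package.json package-lock.json ./
-RUN npm ci --omit=dev
+RUN npm ci --omit=dev --ignore-scripts
 
 FROM node:22-alpine
 ARG NODE_ENV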
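Review bot: The `RUN npm ci --omit=dev --ignore-scripts` line carries no comment explaining the flag, and it changes what a future dependency bump can break: a package that relies on an install-time script (a native addon build, a post-install asset step) now installs without running it and only fails at runtime, so the intent deserves a line above the RUN such as `# --ignore-scripts: never run dependency lifecycle scripts at install time; a dependency that needs a build step must be handled explicitly`. The same applies to the identical lines in hooks/cascading-scans, hooks/finding-post-processing, hooks/notification, hooks/persistence-elastic, hooks/update-field-hook, scanners/ncrack, scanners/nmap and scanners/zap-automation-framework in this PR.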
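--- a/hooks/cascading-scans/hook/Dockerfile
+++ b/hooks/cascading-scans/hook/Dockerfile
@@ -8,7 +8,7 @@ FROM node:22-alpine AS install
 RUN mkdir -p /home/app
 WORKDIR /home/app
 COPY package.json package-lock.json ./
-RUN npm ci --omit=dev
+RUN npm ci --omit=dev --ignore-scripts
 
 FROM node:22-alpine AS build
 RUN mkdir -p /home/app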
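--- a/hooks/finding-post-processing/hook/Dockerfile
+++ b/hooks/finding-post-processing/hook/Dockerfile
@@ -8,7 +8,7 @@ FROM node:22-alpine AS build
 RUN mkdir -p /home/app
 WORKDIR /home/app
 COPY package.json package-lock.json ./
-RUN npm ci --omit=dev
+RUN npm ci --omit=dev --ignore-scripts
 
 FROM ${namespace:-securecodebox}/hook-sdk-nodejs:${baseImageTag:-latest}
 WORKDIR /home/app/hook-wrapper/hook/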
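--- a/hooks/notification/hook/Dockerfile
+++ b/hooks/notification/hook/Dockerfile
@@ -8,7 +8,7 @@ FROM node:22-alpine AS install
 RUN mkdir -p /home/app
 WORKDIR /home/app
 COPY package.json package-lock.json ./
-RUN npm ci --omit=dev
+RUN npm ci --omit=dev --ignore-scripts
 
 FROM node:22-alpine AS build
 RUN mkdir -p /home/app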
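--- a/hooks/persistence-defectdojo/hook/Dockerfile
+++ b/hooks/persistence-defectdojo/hook/Dockerfile
@@ -8,7 +8,7 @@ WORKDIR /home/gradle/src
 RUN ./gradlew build -x test
 
 FROM gcr.io/distroless/java17-debian12:nonroot
-COPY --from=build --chown=nonroot:nonroot /home/gradle/src/build/libs/defectdojo-persistenceprovider-*.jar /app/defectdojo-persistenceprovider.jar
+COPY --from=build --chown=root:root --chmod=755 /home/gradle/src/build/libs/defectdojo-persistenceprovider-*.jar /app/defectdojo-persistenceprovider.jar
 WORKDIR /app
 # TLS Config works around an issue in OpenJDK... See: https://github.com/kubernetes-client/java/issues/854
 ENTRYPOINT ["java", "-Djdk.tls.client.protocols=TLSv1.2", "-jar", "/app/defectdojo-persistenceprovider.jar"]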
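Review bot: The rewritten COPY applies `--chmod=755` to the jar, but the jar is only read by `java -jar` in the ENTRYPOINT and is never executed as a program, so the execute bit adds nothing; `--chmod=644` yields the same root-owned, not-writable-by-nonroot artifact with less privilege. Moving ownership from nonroot to root is the right direction since the runtime user no longer needs to modify the file.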
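--- a/hooks/persistence-elastic/hook/Dockerfile
+++ b/hooks/persistence-elastic/hook/Dockerfile
@@ -8,7 +8,7 @@ FROM node:22-alpine AS build
 RUN mkdir -p /home/app
 WORKDIR /home/app
 COPY package.json package-lock.json ./
-RUN npm ci --omit=dev
+RUN npm ci --omit=dev --ignore-scripts
 
 FROM ${namespace:-securecodebox}/hook-sdk-nodejs:${baseImageTag:-latest}
 WORKDIR /home/app/hook-wrapper/hook/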
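--- a/hooks/update-field-hook/hook/Dockerfile
+++ b/hooks/update-field-hook/hook/Dockerfile
@@ -8,7 +8,7 @@ FROM node:22-alpine AS build
 RUN mkdir -p /home/app
 WORKDIR /home/app
 COPY package.json package-lock.json ./
-RUN npm ci --omit=dev
+RUN npm ci --omit=dev --ignore-scripts
 
 FROM ${namespace:-securecodebox}/hook-sdk-nodejs:${baseImageTag:-latest}
 WORKDIR /home/app/hook-wrapper/hook/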
8 changes: 0 additions & 8 deletions scanners/gitleaks/parser/Dockerfile
Expand Up @@ -2,16 +2,8 @@
#
# SPDX-License-Identifier: Apache-2.0

# Commented out the dependency management as there are no dependencies in the
# parser at the moment. Add the commented-out parts of the Dockerfile again
# if the parser starts needing packages once again.
ARG namespace
ARG baseImageTag
# FROM node:22-alpine as build
# RUN mkdir -p /home/app
# WORKDIR /home/app
# COPY package.json package-lock.json ./
# RUN npm ci --omit=dev

FROM ${namespace:-securecodebox}/parser-sdk-nodejs:${baseImageTag:-latest}
WORKDIR /home/app/parser-wrapper/parser/
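--- a/scanners/ncrack/parser/Dockerfile
+++ b/scanners/ncrack/parser/Dockerfile
@@ -8,7 +8,7 @@ FROM node:22-alpine AS build
 RUN mkdir -p /home/app
 WORKDIR /home/app
 COPY package.json package-lock.json ./
-RUN npm ci --omit=dev
+RUN npm ci --omit=dev --ignore-scripts
 
 FROM ${namespace:-securecodebox}/parser-sdk-nodejs:${baseImageTag:-latest}
 WORKDIR /home/app/parser-wrapper/parser/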
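--- a/scanners/nikto/scanner/Dockerfile
+++ b/scanners/nikto/scanner/Dockerfile
@@ -11,15 +11,15 @@ FROM alpine:3.22
 
 ENV PATH=${PATH}:/nikto
 
-COPY wrapper.sh /wrapper.sh
+COPY --chown=root:root --chmod=755 wrapper.sh /wrapper.sh
 
 RUN apk add --update --no-cache --virtual .build-deps \
 perl \
 perl-net-ssleay \
 && addgroup -g 1001 nikto \
 && adduser -G nikto -s /bin/sh -D -u 1001 nikto
 
-COPY --from=build --chown=nikto:nikto /nikto/program /nikto
+COPY --from=build --chown=root:root --chmod=755 /nikto/program /nikto
 
 USER 1001
 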
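Review bot: The COPY from the build stage now makes /nikto root-owned with `--chmod=755` applied to every file in the tree, which is sound hardening for the program files, but it also removes the write access the previous `--chown=nikto:nikto` gave UID 1001; if nikto writes anything under /nikto at runtime (database or cache files, for instance), that will now fail, so this should be confirmed against how wrapper.sh invokes it. If a writable location turns out to be needed, a dedicated directory owned by 1001 is preferable to reverting ownership of /nikto. The `--chmod=755` on wrapper.sh is appropriate because that file is executed directly.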
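--- a/scanners/nmap/parser/Dockerfile
+++ b/scanners/nmap/parser/Dockerfile
@@ -8,7 +8,7 @@ FROM node:22-alpine AS build
 RUN mkdir -p /home/app
 WORKDIR /home/app
 COPY package.json package-lock.json ./
-RUN npm ci --omit=dev
+RUN npm ci --omit=dev --ignore-scripts
 
 FROM ${namespace:-securecodebox}/parser-sdk-nodejs:${baseImageTag:-latest}
 WORKDIR /home/app/parser-wrapper/parser/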
2 changes: 2 additions & 0 deletions scanners/nuclei/templates/nuclei-update-cache-job.yaml
Expand Up @@ -21,6 +21,7 @@ spec:
spec:
template:
spec:
automountServiceAccountToken: false
restartPolicy: OnFailure
containers:
- name: nuclei
Expand Down Expand Up @@ -61,6 +62,7 @@ metadata:
spec:
template:
spec:
automountServiceAccountToken: false
restartPolicy: OnFailure
containers:
- name: nuclei
2 changes: 2 additions & 0 deletions scanners/nuclei/tests/__snapshot__/scanner_test.yaml.snap
Expand Up @@ -159,6 +159,7 @@ matches the snapshot:
spec:
template:
spec:
automountServiceAccountToken: false
containers:
- command:
- nuclei
Expand Down Expand Up @@ -201,6 +202,7 @@ matches the snapshot:
spec:
template:
spec:
automountServiceAccountToken: false
containers:
- command:
- nuclei
8 changes: 5 additions & 3 deletions scanners/ssh-audit/parser/parser.js
Expand Up @@ -239,9 +239,11 @@ export async function parse(fileContent) {
const location = "ssh://" + destination[0];
let ipAddress = null;
let hostname = null;
isIPaddress(destination[0])
? (ipAddress = destination[0])
: (hostname = destination[0]);
if (isIPaddress(destination[0])) {
ipAddress = destination[0]
} else {
hostname = destination[0]
}

const recommendationsArray = Object.entries(report.recommendations);
const policyViolationFindings = recommendationsArray.flatMap(
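Review bot: The two assignment lines inside the new if/else block end without semicolons while the surrounding statements (`const location = …;`, `let ipAddress = null;`, `let hostname = null;`) use them, so the block should read `ipAddress = destination[0];` and `hostname = destination[0];` to match the file's style. The enclosing parse() function starts and ends outside the hunk.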
4 changes: 2 additions & 2 deletions scanners/trivy/integration-tests/trivy.test.js
Expand Up @@ -27,7 +27,7 @@ test(
test(
"trivy filesystem scan with exiting files should not fail",
async () => {
const { categories, severities, count } = await scan(
const { severities, count } = await scan(
"trivy-filesystem-test",
"trivy-filesystem",
["/repo/"],
Expand Down Expand Up @@ -78,7 +78,7 @@ test(
test(
"trivy repo scan with exiting repo should not fail",
async () => {
const { categories, severities, count } = await scan(
const { severities, count } = await scan(
"trivy-repo-test",
"trivy-repo",
["https://github.com/knqyf263/trivy-ci-test"],
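--- a/scanners/zap-automation-framework/parser/Dockerfile
+++ b/scanners/zap-automation-framework/parser/Dockerfile
@@ -8,7 +8,7 @@ FROM node:22-alpine AS build
 RUN mkdir -p /home/app
 WORKDIR /home/app
 COPY package.json package-lock.json ./
-RUN npm ci --omit=dev
+RUN npm ci --omit=dev --ignore-scripts
 
 FROM ${namespace:-securecodebox}/parser-sdk-nodejs:${baseImageTag:-latest}
 WORKDIR /home/app/parser-wrapper/parser/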