ci: Scan the latest image for CVEs

Update the Debian snapshot date to the current one, so that we always
scan the latest image for CVEs.

Refs #1057
This commit is contained in:
Alex Pyrgiotis 2025-01-21 21:01:04 +02:00
parent 0ce7773ca1
commit 5d49f5abdb
No known key found for this signature in database
GPG key ID: B6C15EBA0357C9AA
2 changed files with 40 additions and 8 deletions


@ -21,13 +21,17 @@ jobs:
sudo apt install pipx sudo apt install pipx
pipx install poetry pipx install poetry
pipx inject poetry poetry-plugin-export pipx inject poetry poetry-plugin-export
poetry install --only package
- name: Bump date of Debian snapshot archive
run: |
date=$(date "+%Y%m%d")
sed -i "s/DEBIAN_ARCHIVE_DATE=[0-9]\+/DEBIAN_ARCHIVE_DATE=${date}/" Dockerfile.env
make Dockerfile
- name: Build container image - name: Build container image
run: python3 ./install/common/build-image.py --runtime docker --no-save run: python3 ./install/common/build-image.py --runtime docker --no-save
- name: Get image tag - name: Get image tag
id: tag id: tag
run: | run: echo "tag=$(cat share/image-id.txt)" >> $GITHUB_OUTPUT
tag=$(docker images dangerzone.rocks/dangerzone --format '{{ .Tag }}')
echo "tag=$tag" >> $GITHUB_OUTPUT
# NOTE: Scan first without failing, else we won't be able to read the scan # NOTE: Scan first without failing, else we won't be able to read the scan
# report. # report.
- name: Scan container image (no fail) - name: Scan container image (no fail)
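Review bot: The `sed` in the new "Bump date of Debian snapshot archive" step exits successfully even when the `DEBIAN_ARCHIVE_DATE=` pattern is not found in Dockerfile.env, so a future change to that file's format would silently keep the old snapshot date and the scan would run against a stale image despite the commit's intent. A post-check such as `grep -q "DEBIAN_ARCHIVE_DATE=${date}" Dockerfile.env` right after the substitution would fail the job instead. Separately, the new `docker images dangerzone.rocks/dangerzone --format '{{ .Tag }}'` query emits one line per tag, so if the runner holds more than one tag for that repository `tag` becomes multi-line and the `>> $GITHUB_OUTPUT` write produces a malformed output entry; the previous `share/image-id.txt` source had no such ambiguity, and asserting a single result line would restore that guarantee. The rest of the job lies outside the hunk.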


@ -2,10 +2,38 @@
# latest release of Dangerzone, and offer our analysis. # latest release of Dangerzone, and offer our analysis.
ignore: ignore:
# CVE-2024-11053 # CVE-2023-45853
# ============== # ==============
# #
# NVD Entry: https://nvd.nist.gov/vuln/detail/CVE-2024-11053 # Debian tracker: https://security-tracker.debian.org/tracker/CVE-2023-45853
# Verdict: Dangerzone is not affected because libcurl is an HTTP client, and # Verdict: Dangerzone is not affected because the zlib library in Debian is
# the Dangerzone container does not make any network calls. # built in a way that is not vulnerable.
- vulnerability: CVE-2024-11053 - vulnerability: CVE-2023-45853
# CVE-2024-38428
# ==============
#
# Debian tracker: https://security-tracker.debian.org/tracker/CVE-2024-38428
# Verdict: Dangerzone is not affected because it doesn't use wget in the
# container image (which also has no network connectivity).
- vulnerability: CVE-2024-38428
# CVE-2024-57823
# ==============
#
# Debian tracker: https://security-tracker.debian.org/tracker/CVE-2024-57823
# Verdict: Dangerzone is not affected. First things first, LibreOffice is
# using this library for parsing RDF metadata in a document [1], and has
# issued a fix for the vendored raptor2 package they have for other distros
# [2].
#
# On the other hand, the Debian security team has stated that this is a minor
# issue [3], and there's no fix from the developers yet. It seems that the
# Debian package is not affected somehow by this CVE, probably due to the way
# it's packaged.
#
# [1] https://wiki.documentfoundation.org/Documentation/DevGuide/Office_Development#RDF_metadata
# [2] https://cgit.freedesktop.org/libreoffice/core/commit/?id=2b50dc0e4482ac0ad27d69147b4175e05af4fba4
# [2] From https://security-tracker.debian.org/tracker/CVE-2024-57823:
#
# [bookworm] - raptor2 <postponed> (Minor issue, revisit when fixed upstream)
#
- vulnerability: CVE-2024-57823
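Review bot: The footnotes under the new CVE-2024-57823 entry are mis-numbered: the text cites `[3]` for the Debian security team's statement, but both of the last two references are labelled `[2]`, so the second one should read `# [3] From https://security-tracker.debian.org/tracker/CVE-2024-57823:`. The same entry records that Debian has postponed the fix and wants it revisited when fixed upstream, yet the ignore rule carries no revisit marker, so a line like `# TODO: re-evaluate once the Debian tracker shows a fix for bookworm` would keep the suppression from outliving its justification. Because the rule matches on the CVE id alone, it also suppresses a finding for this CVE in any package, not just the raptor2 library the analysis covers; if the scanner's per-package ignore fields are available in this project's config, narrowing the rule would be safer, though that goes beyond what the hunk shows.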