Logstash 8.0.0触发“不安全依赖关系”警报,如何修复?

yeotifhr  于 2022-12-09  发布在  Logstash
关注(0)|答案(1)|浏览(260)

We're trying to build a Docker container that contains Logstash-8.0.0 (the latest version, came out yesterday), such that it can be scanned with Trivy and not have any "HIGH" or "CRITICAL" severity alerts.
It's proving very hard to do, as we're not proficient with Java, Ruby, or JRuby.
If we have a Dockerfile that has the Elastic repository in it:

$ cat /etc/apt/sources.list.d/elastic-8.x.list

deb https://artifacts.elastic.co/packages/8.x/apt stable main

And we install logstash:

$ sudo apt-get update
$ sudo apt-get install logstash

Then install and run trivy:

$ curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b .
$ sudo trivy fs -s HIGH,CRITICAL /

We get one critical and two high severity alerts, concerning ruby gems listed in /usr/share/logstash/Gemfile.lock :

usr/share/logstash/Gemfile.lock (bundler)
=========================================
Total: 3 (HIGH: 2, CRITICAL: 1)

+----------+------------------+----------+-------------------+---------------+---------------------------------------+
| LIBRARY  | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+----------+------------------+----------+-------------------+---------------+---------------------------------------+
| json     | CVE-2020-10663   | HIGH     | 1.8.6-java        | >= 2.3.0      | rubygem-json: Unsafe object           |
|          |                  |          |                   |               | creation vulnerability in JSON        |
|          |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-10663 |
+----------+------------------+----------+-------------------+               +---------------------------------------+
| kramdown | CVE-2020-14001   | CRITICAL | 1.14.0            |               | rubygem-kramdown: processing template |
|          |                  |          |                   |               | options inside documents allows       |
|          |                  |          |                   |               | unintended read access or embedded... |
|          |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-14001 |
+----------+------------------+----------+-------------------+---------------+---------------------------------------+
| nokogiri | CVE-2021-41098   | HIGH     | 1.12.5-java       | >= 1.12.5     | rubygem-nokogiri: XEE on JRuby        |
|          |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-41098 |
+----------+------------------+----------+-------------------+---------------+---------------------------------------+

By changing the path to include the appropriate(?) directories, we can run ruby, jruby, gem and bundle:

$ export PATH=/usr/share/logstash/bin:/usr/share/logstash/vendor/jruby/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:.

But we're a bit at a loss as to what to try next. So far, it looks like editing /usr/share/logstash/Gemfile to have the right versions of json and nokogiri and commenting out the gems that are marked :development and then run bundle install; bundle update is the way to go:

diff --git a/Gemfile b/Gemfile
index 6e90ef4..1054cb3 100644
--- a/Gemfile
+++ b/Gemfile
@@ -6,7 +6,8 @@ gem "logstash-core", :path => "./logstash-core"
 gem "logstash-core-plugin-api", :path => "./logstash-core-plugin-api"
 gem "atomic", "~> 1"
 gem "builder", "~> 3"
-gem "json", "~> 1"
+gem "json", "~> 2.3.0"
+gem "nokogiri", "1.12.5"
 gem "paquet", "~> 0.2"
 gem "pleaserun", "~>0.0.28"
 gem "rake", "~> 12"
@@ -18,15 +19,6 @@ gem "gems", "~> 1", :group => :build
 gem "octokit", "~> 4", :group => :build
 gem "rubyzip", "~> 1", :group => :build
 gem "stud", "~> 0.0.22", :group => :build
-# gem "belzebuth", :group => :development
-# gem "benchmark-ips", :group => :development
-# # # gem "ci_reporter_rspec", "~> 1", :group => :development
-# gem "flores", "~> 0.0.6", :group => :development
-# gem "json-schema", "~> 2", :group => :development
-# gem "logstash-devutils", "~> 1", :group => :development
-# gem "rack-test", :require => "rack/test", :group => :development
-# gem "rspec", "~> 3.5", :group => :development
-# gem "webmock", "~> 3", :group => :development
 gem "logstash-codec-avro"
 gem "logstash-codec-cef"
 gem "logstash-codec-collectd"

But it seems that the Gemfile.lock file was created by bundler 2.3.6, which is not installed. When we installed bundler 2.3.6, it complained about an unexpected error with openssl. So, upgraded to bundler 2.3.7 (also released yesterday!), and it succeeded with bundle install . But now logstash won't run:

[FATAL] 2022-02-10 18:12:40.504 [main] Logstash - Logstash stopped 
processing because of an error: (GemNotFound) Could not find 
 logstash-filter-elasticsearch-3.11.1, 
 logstash-filter-http-1.3.0, 
 logstash-filter-kv-4.6.0, 
 logstash-input-beats-6.2.6-java,
 logstash-input-dead_letter_queue-1.1.10,
 logstash-input-http_poller-5.2.0, 
 logstash-input-sqs-3.2.0,
 logstash-input-tcp-6.2.7-java, 
 logstash-integration-elastic_enterprise_search-2.2.1, 
 logstash-integration-
 kafka-10.10.0-java, 
 logstash-output-http-5.4.0,
 logstash-output-tcp-6.0.1, 
 puma-5.6.1-java,
 jruby-openssl-0.12.1-java,
 i18n-1.9.1, 
 elasticsearch-7.17.0, 
 logstash-mixin-http_client-7.1.0,
 json-2.6.1-java, 
 redis-4.6.0, 
 logstash-mixin-aws-5.0.0, 
 elastic-enterprise-search-7.16.0, 
 sequel-5.53.0, 
 elasticsearch-api-7.17.0, 
 elasticsearch-transport-7.17.0 
in any of the sources

Edit: Figured it out! This makes logstash find the updated ruby gems:

# cd /usr/share/logstash/vendor/jruby/lib/ruby/gems/shared
# tar c . | ( cd /usr/share/logstash/vendor/bundle/jruby/2.5.0; tar x )

This makes trivy stop complaining about snakeyaml-1.23 while letting logstash keep working:

# rm /usr/share/logstash/logstash-core/lib/jars/snakeyaml-1.23.jar
# cp /usr/share/logstash/vendor/jruby/lib/ruby/stdlib/org/yaml/snakeyaml/1.26/snakeyaml-1.26.jar /usr/share/logstash/logstash-core/lib/jars

This cleans up the other trivy jar alerts:

# rm -rf ~/.m2    # Delete maven cache

Cheers!

31moq8wy

31moq8wy1#

这是一个漫长而复杂的过程,但是更新到logstash-8.0.0允许bundler-2.3.7工作,然后将gem从一个目录复制到另一个目录,让logstash实际上找到gem。
详细信息已添加到问题。
干杯!干杯!

相关问题