glamorous-cpu-22971
01/11/2023, 3:46 PM2.7
. I think that our security scanner detected a version of the Python wheel
in package in the PEX application binary with the security vulnerability… apparently all versions of wheel
below 0.38.1
have this vulnerability.
When I built the PEX binary with Pants 2.7
: wheel
version 0.36.2
was detected.
When I built the PEX binary with Pants 2.14
: wheel
version 0.37.1
was detected.
I changed as little as possible in the Python application and configuration when upgrading the Pants versions (but I did have to make some small changes as a result of the API / CLI changes between the two Pants versions). I’m reasonably certain that the increase in wheel
version was due to the Pants upgrade, having gone to some pains to rule out other factors.
My question is: is there any way I can ask Pants to embed a newer version of the wheel
package that replaces these older versions in the PEX
binary? Is there any other information I could give that would help shed any more light on this issue?
Thanks in advance for taking a gander!enough-analyst-54434
01/11/2023, 4:25 PMglamorous-cpu-22971
01/11/2023, 4:48 PMhappy-kitchen-89482
01/11/2023, 4:56 PMglamorous-cpu-22971
01/11/2023, 5:01 PMhappy-kitchen-89482
01/11/2023, 5:48 PMhappy-kitchen-89482
01/11/2023, 5:49 PMhappy-kitchen-89482
01/11/2023, 5:49 PMglamorous-cpu-22971
01/11/2023, 5:56 PMenough-analyst-54434
01/11/2023, 6:06 PMglamorous-cpu-22971
01/11/2023, 6:08 PMglamorous-cpu-22971
01/11/2023, 6:09 PMglamorous-cpu-22971
01/11/2023, 6:11 PMwheel
caught by the scan (whatever it was scanning) to to go from wheel
0.36.2
-> wheel
0.37.1
.enough-analyst-54434
01/11/2023, 6:14 PMenough-analyst-54434
01/11/2023, 6:16 PMhappy-kitchen-89482
01/11/2023, 6:50 PMhappy-kitchen-89482
01/11/2023, 6:50 PMglamorous-cpu-22971
01/11/2023, 11:23 PMhappy-kitchen-89482
01/12/2023, 2:28 AM[python].pip_version
option will be available, and you can set that to use a more recent pip version, which will in turn use a more recent wheel version.happy-kitchen-89482
01/12/2023, 2:29 AMglamorous-cpu-22971
01/12/2023, 10:39 AMRUN
invocation inside a Docker container that builds our application’s .pex
binary. It seems that the security warning is raised as a result of packaging the PEX…
RUN ./pants --level=debug package /path/to/our/app:app-bin # (pex_binary target)
It seems that we use the same Docker container to both build and run the Python web application. Perhaps one potential work-around for the security issue is building the PEX binary outside of the docker container that we use to run the Python web application?happy-kitchen-89482
01/12/2023, 1:24 PMhappy-kitchen-89482
01/12/2023, 1:25 PMhappy-kitchen-89482
01/12/2023, 1:25 PMhappy-kitchen-89482
01/12/2023, 1:25 PMhappy-kitchen-89482
01/12/2023, 1:26 PMpackage
in CI or in a build-time container, capture the .pex file out of it and embed that in a production Docker imagehappy-kitchen-89482
01/12/2023, 1:27 PMenough-analyst-54434
01/12/2023, 1:53 PMglamorous-cpu-22971
01/12/2023, 2:09 PMIs the security warning … triggered when that invocation is actually runYes. The security warning is being triggered when
./pants … package
invocation is actually run. The scan points to that invocation line and not from the subsequent ENTRYPOINT
line in the Dockerfile which goes on to run the Python web app.
Say you do manage to separate build from run. Reality is still the same. If there is a real security issue at build time (there are 0 security issues here, but we’re checking boxes), is it actually ok / secure to have the CVE present at build time?@enough-analyst-54434 we are absolutely checking boxes here. I’ll raise the issue, but I’m guessing that the answer will be “our policy is to not worry about build-time, only run-time.” As for whether that’s a reasonable security posture or not, I will let The Security Professionals™ determine that. I just work here.
glamorous-cpu-22971
01/12/2023, 2:09 PMglamorous-cpu-22971
01/12/2023, 2:52 PMWith all the reported CVEs we’re mainly concerned about someone’s ability to exploit them and gain access to our infra or customer data. Typically we expect this would be achieved by interacting maliciously with running services. When a container is just used for building, and is then thrown away, there isn’t much opportunity for an attacker to insert themselves into that process.
enough-analyst-54434
01/12/2023, 4:24 PMglamorous-cpu-22971
01/16/2023, 3:40 PMhappy-kitchen-89482
01/16/2023, 4:42 PMglamorous-cpu-22971
01/16/2023, 7:59 PMSo the solution was to separate build time and runtime?That’s correct.