Trivy found 270 vulnerabilities in Stable release of ZAP Container


Krishan Gopal

Sep 19, 2022, 5:30:24 AM
to OWASP ZAP User Group
Hello All,

I am implementing ZAP DAST in GitLab pipeline.
I have used the Dockerfile-stable release to create the ZAP container. Also, to ensure container security, I am scanning that container using Trivy. Trivy has apparently reported around 270 vulnerabilities.

I tried to edit the Dockerfile and used "FROM ubuntu:22.10" instead of "FROM ubuntu:20.04" to rebuild the image. The container built successfully and the vulnerabilities reported by Trivy dramatically came down to 8. But it gave some Python errors when I ran ZAP via the full-scan.py command. Looks like using ubuntu:22.10 broke the interdependency of packages required by ZAP.

Has anyone here faced a similar issue, and how did you try to overcome it? Security is high on the agenda in my company and I can't use any container which has lots of vulnerabilities in it.

Krishan G
 

Simon Bennetts

Sep 20, 2022, 3:54:53 AM
to OWASP ZAP User Group
Hi Krishan,

One of the reasons we have not updated the ZAP docker files to use ubuntu:22.10 is because from this release Firefox is installed as a snap.
This currently breaks the ajax spider and DOM XSS scan rule.
It looks like a fix for this might be coming, but it's not released yet.

Cheers,

Simon

Krishan Gopal

Sep 20, 2022, 8:15:02 AM
to OWASP ZAP User Group
One other issue I noticed with ubuntu:22.10 is below. Is it because zapcli is not compatible with the newer version of Ubuntu?

ERROR <class 'AttributeError'>
2022-09-20 12:09:49,473 Unexpected error: <class 'AttributeError'>
Traceback (most recent call last):
  File "/zap/zap-baseline.py", line 504, in main
    zap_tune(zap)
  File "/zap/zap_common.py", line 405, in zap_tune
    zap.pscan.disable_all_tags()
AttributeError: 'pscan' object has no attribute 'disable_all_tags'

Simon Bennetts

Sep 20, 2022, 10:54:50 AM
to OWASP ZAP User Group

Krishan Gopal

Sep 21, 2022, 1:11:25 AM
to OWASP ZAP User Group
That's great.

Cheers
Krishan G

tuv..@gmail.com

Sep 8, 2023, 5:16:29 AM
to ZAP User Group
Hello Simon,

Thank you for making a useful tool. I'm asking this question because of a related topic.

I scanned the latest stable ZAP image using Trivy today. The result shows 17 critical, 117 high, and 146 medium vulnerabilities.
It seems the base image was changed from ubuntu:20.04 to debian:bullseye-slim (Debian 11.7) at some point. However, the Debian base image still has many vulnerabilities. Do you have a plan to fix it in the future, or any suggestions on how to avoid vulnerabilities?

Trivy command:
$ trivy image ghcr.io/zaproxy/zaproxy:stable

Best Regards,
Tuvshin

Simon Bennetts

Sep 8, 2023, 5:24:18 AM
to ZAP User Group
Hi Tuvshin,

Er, to be honest, no.
We do not have the time or knowledge (or desire) to maintain a Linux image.
If anyone can suggest a better image we can use then we're happy to look into that.
Otherwise my suggestion is that you try to convince the base image maintainers to fix the reported vulnerabilities.
Be aware that just because a tool reports a set of vulnerabilities it does not mean that these vulnerabilities are exploitable in any given situation.
If you believe that any of these vulnerabilities could realistically impact anyone using ZAP then please let us know asap.

Cheers,

Simon
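Tuvshin's `trivy image` run above produced raw severity counts, and Simon's reply points out that a reported finding is not automatically an exploitable one. The triage that sits between those two positions is usually done on Trivy's JSON output rather than its table. The script below is an added example for this thread (not ZAP's, Trivy's or any poster's code): it assumes the layout of `trivy image --format json` (a `Results[]` list, each with a `Vulnerabilities[]` list carrying `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion` and `Severity`), counts findings per severity, separates findings the base image maintainers have already fixed from those with no fix yet, and applies the same gate a pipeline normally does (fail on CRITICAL/HIGH, optionally ignoring unfixed findings). The embedded report is constructed sample data with placeholder CVE ids, not a real scan of the ZAP image.

```python
"""Triage a Trivy JSON report: count findings by severity and split them into
"fix available" vs "no fix from the distro yet".

Added example for this thread, not part of ZAP or Trivy. It assumes Trivy's
`--format json` output layout (Results[].Vulnerabilities[] with VulnerabilityID,
PkgName, InstalledVersion, FixedVersion, Severity). The report below is
constructed sample data with placeholder CVE ids, not a real scan result.
"""
import json
from collections import Counter

SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN"]

# Constructed sample report, shaped like `trivy image --format json <image>`.
# Image name and CVE ids are placeholders, not real values.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "example.invalid/zap:constructed",
    "Results": [
        {
            "Target": "example.invalid/zap:constructed (debian 11.7)",
            "Class": "os-pkgs",
            "Type": "debian",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample1",
                 "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libexample1",
                 "InstalledVersion": "1.0-1", "FixedVersion": "", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "othertool",
                 "InstalledVersion": "2.3", "FixedVersion": "", "Severity": "MEDIUM"},
                {"VulnerabilityID": "CVE-0000-0004", "PkgName": "othertool",
                 "InstalledVersion": "2.3", "FixedVersion": "2.4", "Severity": "HIGH"},
            ],
        },
        {
            "Target": "Python",
            "Class": "lang-pkgs",
            "Type": "python-pkg",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0005", "PkgName": "somelib",
                 "InstalledVersion": "0.9", "FixedVersion": "1.0", "Severity": "LOW"},
            ],
        },
    ],
})


def load_findings(report_json):
    """Flatten Results[].Vulnerabilities[] into one list, tagging each finding with its Target."""
    report = json.loads(report_json)
    findings = []
    for result in report.get("Results", []):
        # Trivy omits or nulls the key when a target has no findings.
        for vuln in result.get("Vulnerabilities") or []:
            entry = dict(vuln)
            entry["Target"] = result.get("Target", "")
            findings.append(entry)
    return findings


def count_by_severity(findings):
    """Per-severity counts in a fixed order, zero-filled so the summary is stable."""
    counts = Counter(f.get("Severity", "UNKNOWN") for f in findings)
    return {sev: counts.get(sev, 0) for sev in SEVERITY_ORDER}


def split_by_fix(findings):
    """Findings the base image maintainers have already fixed (a rebuild picks them up)
    versus findings with no fixed version yet (nothing a Dockerfile change can do)."""
    fixable = [f for f in findings if f.get("FixedVersion")]
    unfixed = [f for f in findings if not f.get("FixedVersion")]
    return fixable, unfixed


def gate(findings, fail_on=("CRITICAL", "HIGH"), ignore_unfixed=True):
    """Mirror a typical pipeline gate: block only on the selected severities and,
    by default, skip findings the distro has not fixed. Returns the blocking findings."""
    blocking = []
    for f in findings:
        if f.get("Severity") not in fail_on:
            continue
        if ignore_unfixed and not f.get("FixedVersion"):
            continue
        blocking.append(f)
    return blocking


def summarize(report_json):
    """Everything a reviewer wants in one dict: totals, severity breakdown, fix status, gate result."""
    findings = load_findings(report_json)
    fixable, unfixed = split_by_fix(findings)
    return {
        "total": len(findings),
        "by_severity": count_by_severity(findings),
        "fixable": len(fixable),
        "unfixed": len(unfixed),
        "blocking": sorted(f["VulnerabilityID"] for f in gate(findings)),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

Run against a real report by replacing `SAMPLE_REPORT` with the contents of `trivy image --format json -o report.json <image>`. The "unfixed" bucket is the set Simon is talking about: a different Dockerfile cannot remove those, only the base image maintainers can, so they are the ones to assess for actual reachability in the ZAP container rather than to count against the image.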

Tuvshin

Sep 8, 2023, 5:44:26 AM
to ZAP User Group
Thanks for the explanation.


> If anyone can suggest a better image we can use then we're happy to look into that.
I understand that the base image could be changed in the future if a better image appears, or otherwise we wait for the maintainers of the current base image to fix the vulnerabilities.

Best Regards,
Tuvshin