
Latest version (v1.97.4) uses an old version of Terraform with critical vulns #835

Open
davidarcher opened this issue Mar 13, 2025 · 4 comments
Labels
area/docker feature New feature or request

Comments

davidarcher commented Mar 13, 2025

Describe the bug

The latest docker image (v1.97.4) is failing vuln scans due to old versions of Terraform (v1.10.5) and other tools that contain fixable vulnerabilities.

How can we reproduce it?

```
✔ docker run --rm --entrypoint bash -it ghcr.io/antonbabenko/pre-commit-terraform:v1.97.4
301615486d44:/# terraform version
Terraform v1.10.5
on linux_amd64

Your version of Terraform is out of date! The latest version
is 1.11.2. You can update by downloading from https://www.terraform.io/downloads.html
301615486d44:/#
```

```
docker run -e REGISTRY_AUTH_FILE=/root/.docker/config.json -v /tmp/retag.OPhdEa:/root/.docker -v /var/run/docker.sock:/var/run/docker.sock -v /root/.wiz:/root/.wiz --rm wizcli:latest docker scan --file-hashes-scan --policy Block-Critical-Vulnerabilities-ECR-Image-Import --policy-hits-only --image ghcr.io/antonbabenko/pre-commit-terraform:v1.97.4
 _            _ _
 __      _(_)____   ___| (_)
 \ \ /\ / / |_  /  / __| | |
 \ V  V /| |/ /  | (__| | |
 \_/\_/ |_/___|  \___|_|_|
Preparing to scan Docker image ghcr.io/antonbabenko/pre-commit-terraform:v1.97.4
Creating temporary directory for image
Getting scan parameters
SUCCESS: Ready to scan Docker image ghcr.io/antonbabenko/pre-commit-terraform:v1.97.4
Scanning Docker image ghcr.io/antonbabenko/pre-commit-terraform@sha256:78e1f8261fce4d569c07f486407ecfc326d3778f1a2154b51c8927ee6934dda7
Scanning Docker image ghcr.io/antonbabenko/pre-commit-terraform:v1.97.4 with policies Block-Malware-ECR-Image-Import, Block-Critical-Vulnerabilities-ECR-Image-Import
SUCCESS: Scanned Docker image
Uploading scan results for analysis on Wiz
Getting scan results
SUCCESS: Docker image scan analysis ready
OS Package vulnerabilities:
Name: krb5-libs, Version: 1.20.1-r0
Failed policy: Block-Critical-Vulnerabilities-ECR-Image-Import
CVE-2024-37371, Severity: CRITICAL, Source: https://security.alpinelinux.org/vuln/CVE-2024-37371
CVSS score: 9.1, CVSS exploitability score: 3.9
Fixed version: 1.20.2-r1
Name: libexpat, Version: 2.5.0-r0
Failed policy: Block-Critical-Vulnerabilities-ECR-Image-Import
CVE-2024-45491, Severity: CRITICAL, Source: https://security.alpinelinux.org/vuln/CVE-2024-45491
CVSS score: 9.8, CVSS exploitability score: 3.9
Fixed version: 2.6.3-r0
CVE-2024-45492, Severity: CRITICAL, Source: https://security.alpinelinux.org/vuln/CVE-2024-45492
CVSS score: 9.8, CVSS exploitability score: 3.9
Fixed version: 2.6.3-r0

Library vulnerabilities:
Name: mkdocs-material, Version: 8.2.14, Path: /root/.terrascan/docs/requirements.txt
Failed policy: Block-Critical-Vulnerabilities-ECR-Image-Import
CVE-2023-50447, Severity: CRITICAL, Source: https://data.safetycli.com/v/64496/52d
CVSS score: 8.1, CVSS exploitability score: 2.2
Fixed version: 9.5.5
Name: golang.org/x/crypto, Version: 0.0.0-20220525230936-793ad666bf5e, Path: /root/.terrascan/go.mod
Failed policy: Block-Critical-Vulnerabilities-ECR-Image-Import
CVE-2024-45337, Severity: CRITICAL, Source: https://github.com/advisories/GHSA-v778-237x-gjrc
Fixed version: 0.31.0
Name: github.com/go-git/go-git/v5, Version: 5.11.0, Path: /usr/bin/infracost
Failed policy: Block-Critical-Vulnerabilities-ECR-Image-Import
CVE-2025-21613, Severity: CRITICAL, Source: https://github.com/advisories/GHSA-v725-9546-7q7m
Fixed version: 5.13.0
Name: golang.org/x/crypto, Version: 0.27.0, Path: /usr/bin/terraform
Failed policy: Block-Critical-Vulnerabilities-ECR-Image-Import
CVE-2024-45337, Severity: CRITICAL, Source: https://github.com/advisories/GHSA-v778-237x-gjrc
Fixed version: 0.31.0
Name: golang.org/x/crypto, Version: 0.27.0, Path: /usr/bin/terraform-docs
Failed policy: Block-Critical-Vulnerabilities-ECR-Image-Import
CVE-2024-45337, Severity: CRITICAL, Source: https://github.com/advisories/GHSA-v778-237x-gjrc
Fixed version: 0.31.0
Name: golang.org/x/crypto, Version: 0.0.0-20220525230936-793ad666bf5e, Path: /usr/bin/terrascan
Failed policy: Block-Critical-Vulnerabilities-ECR-Image-Import
CVE-2024-45337, Severity: CRITICAL, Source: https://github.com/advisories/GHSA-v778-237x-gjrc
Fixed version: 0.31.0
Name: golang.org/x/crypto, Version: 0.1.0, Path: /usr/bin/tfupdate
Failed policy: Block-Critical-Vulnerabilities-ECR-Image-Import
CVE-2024-45337, Severity: CRITICAL, Source: https://github.com/advisories/GHSA-v778-237x-gjrc
Fixed version: 0.31.0
```
@davidarcher davidarcher added area/docker bug Something isn't working labels Mar 13, 2025
@davidarcher davidarcher changed the title Latest version (v1.97.4) uses an old version of Terraform Please release a new version that includes the latest version of Terraform Mar 13, 2025
@davidarcher davidarcher changed the title Please release a new version that includes the latest version of Terraform Latest version (v1.97.4) uses an old version of Terraform with critical vulns Mar 13, 2025
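The scan output quoted in the report lists the same vulnerable Go module once per binary that embeds it, so the raw finding count overstates how many things actually need to change in the image. The parser below is an added example (not code from the pre-commit-terraform project or from the reporter) that reads output in the line format shown above and collapses it into one upgrade target per shippable component: OS packages by name, embedded libraries by the binary path that carries them. `SAMPLE_SCAN` is a constructed excerpt in that format, and the regexes are an assumption about the format derived only from the lines quoted in the issue.

```python
"""Turn wizcli-style image scan output into a deduplicated fix list.

Added example; not code from the pre-commit-terraform project or the issue
author. The regexes assume the line format quoted in the issue (Name:/Failed
policy:/CVE-/CVSS score:/Fixed version:). SAMPLE_SCAN is a constructed
excerpt in that format, not a fresh scan.
"""
import re
from collections import defaultdict

SAMPLE_SCAN = """\
SUCCESS: Docker image scan analysis ready
OS Package vulnerabilities:
Name: krb5-libs, Version: 1.20.1-r0
Failed policy: Block-Critical-Vulnerabilities-ECR-Image-Import
CVE-2024-37371, Severity: CRITICAL, Source: https://security.alpinelinux.org/vuln/CVE-2024-37371
CVSS score: 9.1, CVSS exploitability score: 3.9
Fixed version: 1.20.2-r1
Name: libexpat, Version: 2.5.0-r0
Failed policy: Block-Critical-Vulnerabilities-ECR-Image-Import
CVE-2024-45491, Severity: CRITICAL, Source: https://security.alpinelinux.org/vuln/CVE-2024-45491
CVSS score: 9.8, CVSS exploitability score: 3.9
Fixed version: 2.6.3-r0
CVE-2024-45492, Severity: CRITICAL, Source: https://security.alpinelinux.org/vuln/CVE-2024-45492
CVSS score: 9.8, CVSS exploitability score: 3.9
Fixed version: 2.6.3-r0

Library vulnerabilities:
Name: golang.org/x/crypto, Version: 0.27.0, Path: /usr/bin/terraform
Failed policy: Block-Critical-Vulnerabilities-ECR-Image-Import
CVE-2024-45337, Severity: CRITICAL, Source: https://github.com/advisories/GHSA-v778-237x-gjrc
Fixed version: 0.31.0
Name: golang.org/x/crypto, Version: 0.1.0, Path: /usr/bin/tfupdate
Failed policy: Block-Critical-Vulnerabilities-ECR-Image-Import
CVE-2024-45337, Severity: CRITICAL, Source: https://github.com/advisories/GHSA-v778-237x-gjrc
Fixed version: 0.31.0
"""

SECTION_RE = re.compile(r"^(?P<section>.+ vulnerabilities):$")
NAME_RE = re.compile(r"^Name: (?P<name>[^,]+), Version: (?P<version>[^,]+)(?:, Path: (?P<path>.+))?$")
POLICY_RE = re.compile(r"^Failed policy: (?P<policy>\S+)$")
CVE_RE = re.compile(r"^(?P<cve>CVE-\d{4}-\d+), Severity: (?P<severity>[A-Z]+)(?:, Source: (?P<source>\S+))?$")
CVSS_RE = re.compile(r"^CVSS score: (?P<score>\d+(?:\.\d+)?)")
FIXED_RE = re.compile(r"^Fixed version: (?P<fixed>\S+)$")


def parse_scan(text):
    """Return one finding per 'Name:' block with its section, policies and CVEs."""
    findings, section, finding, cve = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SECTION_RE.match(line):
            section = m["section"]
        elif m := NAME_RE.match(line):
            finding = {"section": section, "name": m["name"], "version": m["version"],
                       "path": m["path"], "policies": [], "cves": []}
            findings.append(finding)
            cve = None
        elif finding is None:
            continue  # banner and progress lines before the first finding
        elif m := POLICY_RE.match(line):
            finding["policies"].append(m["policy"])
        elif m := CVE_RE.match(line):
            cve = {"id": m["cve"], "severity": m["severity"], "source": m["source"],
                   "cvss": None, "fixed": None}
            finding["cves"].append(cve)
        elif (m := CVSS_RE.match(line)) and cve is not None:
            cve["cvss"] = float(m["score"])  # library entries may carry no CVSS line
        elif (m := FIXED_RE.match(line)) and cve is not None:
            cve["fixed"] = m["fixed"]
    return findings


def fix_plan(findings):
    """One upgrade target per shippable component.

    OS packages are keyed by package name; library findings are keyed by the
    file that embeds the module (Path), because a Go binary built against a
    vulnerable golang.org/x/crypto is fixed by shipping a newer build of that
    binary, not by touching the module on its own.
    """
    plan = defaultdict(set)
    for f in findings:
        key = f["path"] or f["name"]
        for c in f["cves"]:
            if c["fixed"]:
                plan[key].add((f["name"], c["fixed"]))
    return {k: sorted(v) for k, v in plan.items()}


def severity_counts(findings):
    """CVE count per severity, across all findings."""
    counts = defaultdict(int)
    for f in findings:
        for c in f["cves"]:
            counts[c["severity"]] += 1
    return dict(counts)


def policy_hits(findings, policy):
    """Components that failed the given policy, i.e. what the gate blocks on."""
    return sorted({f["path"] or f["name"] for f in findings if policy in f["policies"]})


if __name__ == "__main__":
    found = parse_scan(SAMPLE_SCAN)
    for component, fixes in fix_plan(found).items():
        print(component, "->", ", ".join(f"{n} >= {v}" for n, v in fixes))
```

Run against the full output quoted in the report, the plan groups the five `golang.org/x/crypto` hits into one rebuild per affected binary, which is the list a maintainer actually has to act on when bumping tool versions in the Dockerfile.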
yermulnik (Collaborator) commented

@davidarcher Thanks for bringing this up. I created #836 for this.

MaxymVlasov (Collaborator) commented Mar 20, 2025

> The latest docker image (v1.97.4) is failing vuln scans due to old versions of Terraform (v1.10.5) and other tools that contain fixable vulnerabilities.

As expected. See #724 (comment) for details.

If you want to create a new tag each time any of the tools releases a new version, check #724 (comment).

If you have any other ideas on how to make it work in an idempotent or any other way, except triggering a hooks release each time or committing to supporting multiple versions at once, please let me know.

In theory, we could build <pre-commit-terraform version>-latest every week for the latest, or a few of the latest hooks versions depending on some condition, but it is still latest, so it does not make a big difference from the nightly build which we already have.

P.S. HashiCorp doesn't think that this vuln scan makes any sense; otherwise they would already have backported such changes to 1.10.6 to deal with that vuln.
https://github.com/hashicorp/terraform/tags

@yermulnik your PR totally makes sense, but it is not related to this issue (as it does not deal with the root cause).

@MaxymVlasov MaxymVlasov removed the bug Something isn't working label Mar 20, 2025
yermulnik (Collaborator) commented Mar 20, 2025

> @yermulnik your PR totally makes sense, but it is not related to this issue (as it does not deal with the root cause).

Yep, thanks. I might not have worded it clearly enough: my PR was not to fix the root cause, but to trigger a rebuild of the container image (which sort of indirectly resolves this PR) 👍🏻

MaxymVlasov (Collaborator) commented

As another "hotfix", I will add docs to the same PR stating that we are not responsible for issues in 3rd-party tools, and that it's the users' responsibility to manage their environment and dependencies if they want to use specific versions and not nightly, as I see that it's not obvious enough.

@MaxymVlasov MaxymVlasov added the feature New feature or request label Mar 20, 2025
Development

No branches or pull requests

3 participants