
Upgrade container image with included dependencies #80

Open
rwenz3l opened this issue Feb 7, 2024 · 7 comments

Comments

@rwenz3l

rwenz3l commented Feb 7, 2024

As mentioned in #79, I found that the containers are quite old and use Debian 11.7 and Go 1.20.6.

It would be very much appreciated if you could upgrade the container image itself, as well as the used toolchain for it, mainly for security reasons.

Go1.22 is now released, which marks 1.20 as no longer supported. I'm sure there is also a bunch of dependencies used with the connect-server, which may contain vulnerabilities.

The docker image appears to be using a Debian base image at version 11.7; 11.8 was released in October 2023.

@onedr0p

onedr0p commented Jun 27, 2024

@jpcoenen @ag-adampike @verkaufer any chance someone from the 1password team can take a look at this!?

@onedr0p

onedr0p commented Jun 28, 2024

I scanned the docker image with trivy and discovered this

1password/connect-api:1.7.2 (debian 11.7)
Total: 29 (UNKNOWN: 0, LOW: 11, MEDIUM: 15, HIGH: 3, CRITICAL: 0)

    bin/connect-api (gobinary)
    Total: 21 (UNKNOWN: 0, LOW: 0, MEDIUM: 16, HIGH: 4, CRITICAL: 1)

1password/connect-sync:1.7.2 (debian 11.7)
Total: 29 (UNKNOWN: 0, LOW: 11, MEDIUM: 15, HIGH: 3, CRITICAL: 0)

    bin/connect-sync (gobinary)
    Total: 20 (UNKNOWN: 0, LOW: 0, MEDIUM: 15, HIGH: 4, CRITICAL: 1)

There are quite a few of these that could be resolved by updating deps. Also, I don't see why these containers cannot use scratch or distroless containers instead of Debian, which would lessen the attack surface.

Will the 1Password team ever address these vulnerabilities?
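The summary lines quoted above are Trivy's table output. The following is an added example (not code from this issue or from 1Password) that reads a `trivy image --format json` report, reproduces the same per-target totals, and lists the findings that already have a fix available, which is what a dependency or base-image bump would close; the sample report, image name and vulnerability IDs are constructed placeholders.

```python
# Added example (not code from this issue or from 1Password): tally a
# `trivy image --format json` report per target, reproduce the per-target
# "Total: N (UNKNOWN: .., LOW: .., ...)" lines, and list findings a fix exists for.
import json
from collections import Counter

SEVERITIES = ("UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL")

# Constructed sample: shape follows Trivy's JSON output, but the image name,
# counts and vulnerability IDs are placeholders, not real findings.
SAMPLE_REPORT = json.dumps({"Results": [
    {"Target": "example/connect-api:0.0.0 (debian 11.7)", "Type": "debian",
     "Vulnerabilities": [
         {"VulnerabilityID": "CVE-0000-0001", "Severity": "LOW"},
         {"VulnerabilityID": "CVE-0000-0002", "Severity": "HIGH"}]},
    {"Target": "bin/connect-api", "Type": "gobinary",
     "Vulnerabilities": [
         {"VulnerabilityID": "CVE-0000-0003", "Severity": "MEDIUM",
          "FixedVersion": "1.2.3"},
         {"VulnerabilityID": "CVE-0000-0004", "Severity": "CRITICAL",
          "FixedVersion": "2.0.0"}]},
]})


def tally(report_json):
    """Return {target: Counter(severity -> count)} for each scan result."""
    totals = {}
    for result in json.loads(report_json).get("Results", []):
        counts = Counter({s: 0 for s in SEVERITIES})
        for vuln in result.get("Vulnerabilities") or []:  # null when clean
            counts[vuln.get("Severity", "UNKNOWN")] += 1
        totals[result["Target"]] = counts
    return totals


def summary_line(counts):
    """Format one target's counts the way Trivy's table output does."""
    parts = ", ".join(f"{s}: {counts[s]}" for s in SEVERITIES)
    return f"Total: {sum(counts.values())} ({parts})"


def fixable_at_or_above(report_json, floor="HIGH"):
    """IDs at `floor` or worse that already carry a FixedVersion: the ones a
    dependency or base-image bump closes. A CI gate fails when non-empty."""
    threshold = SEVERITIES.index(floor)
    return sorted(
        v["VulnerabilityID"]
        for r in json.loads(report_json).get("Results", [])
        for v in r.get("Vulnerabilities") or []
        if SEVERITIES.index(v.get("Severity", "UNKNOWN")) >= threshold
        and v.get("FixedVersion"))
```

Feed it the JSON from a real scan and print `summary_line(counts)` per target; `fixable_at_or_above` is the list a build gate should refuse to ship with.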

@onedr0p

onedr0p commented Jun 28, 2024

cc @ag-rdoucette

@rwenz3l
Author

rwenz3l commented Jun 28, 2024

There has been no activity in this Repository for quite a while. I feel like the people at 1Password are simply focusing on other things. I'm not sure how many people have this deployed, but IMO it's a security risk running this as it is today.
I stopped bothering with the connector due to the inactivity and use vault instead.

@onedr0p

onedr0p commented Jun 28, 2024

Yeah, I got that impression as well. It's a bummer they ignore this and are flaky in supporting their OSS projects overall. Hopefully something changes and they have time to focus on their public-facing projects someday.

@edif2008
Member

edif2008 commented Jul 2, 2024

Hey folks! 👋🏻

Thank you for your patience and for expressing your concerns.

I'm happy to announce that we've just released Connect 1.7.3, which updates the dependencies and the images used to build Connect.
Let me know if you have any other questions.

@onedr0p

onedr0p commented Jul 2, 2024

Thanks @edif2008 and team!
