Product Roadmaps / MMF-1931

Limit security risks in SonarQube Docker images


    Details

    • Type: MMF
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Labels:

      Description

      WHY

      We do our best to ship an application that has no vulnerabilities of its own.

      With Docker, though, risk also comes from everything bundled into the image, from the base image up to the application's dependencies.

      Three kinds of vulnerabilities can be exposed:

      1. vulnerabilities in application dependencies, bundled with the SonarQube standard zip distributions.
      2. vulnerabilities in the Docker image's own OS packages, for instance installed tools such as curl or an X11 server.
      3. vulnerabilities in the kernel. Note that a container image does not ship a kernel: containers share the kernel of the Docker host, so this third category is addressed by keeping the host patched rather than by changing the image.

      With this MMF, we want to:

      • act directly on the next image to reduce the attack surface as much as possible
      • put in place a reliable process that avoids shipping known vulnerabilities in upcoming releases; this will also benefit the zip distributions.

      WHAT

      A process to upgrade dependencies:

      • Formalize a process, manual or automated, that ensures dependencies are up to date when a new version of SonarQube is released. Dependencies include the Java/TS third-party libraries bundled with the SonarQube zip distributions and the Linux packages shipped in the Docker image.

      Audit as part of the CI process

      • Integrate an SCA (Software Composition Analysis) audit into the CI pipeline, so the bundled third-party libraries are checked against known vulnerabilities on every build
      • Enable an audit of the Docker image's OS packages, for instance with tools like OpenSCAP, Anchore or Clair
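      How an audit like that becomes a build gate rather than a report nobody reads is easiest to show in code. The script below is an added example written for this page, not SonarSource's pipeline. It reads a scanner report (the constructed sample is shaped like the JSON that Anchore's Grype scanner emits, which is an assumption; point `_matches_of` at Clair's or OpenSCAP's schema if you use those), fails the build on fixable findings at or above a severity threshold, only warns on findings that have no fix yet (those argue for switching base image, not for blocking a release), and honours a time-boxed accepted-risk list so a reviewed exception cannot silently live forever. The CVE identifiers in the sample are placeholders, not real advisories.

```python
"""CI gate over an SCA / container scanner report (added example, not SonarSource's tooling).

Report shape mirrors Anchore Grype's JSON output as an assumption; adapt `_matches_of` otherwise.
"""
import json
import sys
from datetime import date

SEVERITY_RANK = {"Negligible": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Constructed sample report; the CVE ids are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-0000-0001", "severity": "High",
                       "fix": {"state": "fixed", "versions": ["7.88.1-10+deb12u5"]}},
     "artifact": {"name": "curl", "version": "7.88.1-10+deb12u4", "type": "deb"}},
    {"vulnerability": {"id": "CVE-0000-0002", "severity": "Critical",
                       "fix": {"state": "not-fixed", "versions": []}},
     "artifact": {"name": "libexample", "version": "1.0", "type": "deb"}},
    {"vulnerability": {"id": "CVE-0000-0003", "severity": "Medium",
                       "fix": {"state": "fixed", "versions": ["2.1"]}},
     "artifact": {"name": "example-core", "version": "2.0", "type": "java-archive"}},
    {"vulnerability": {"id": "CVE-0000-0004", "severity": "High",
                       "fix": {"state": "fixed", "versions": ["1.2"]}},
     "artifact": {"name": "example-util", "version": "1.1", "type": "java-archive"}},
]})


def _matches_of(report):
    """Yield (cve_id, severity, fix_versions, package, version) from the scanner report."""
    for m in report.get("matches", []):
        v, a = m["vulnerability"], m["artifact"]
        fix = v.get("fix") or {}
        versions = (fix.get("versions") or []) if fix.get("state") == "fixed" else []
        yield v["id"], v.get("severity", "Unknown"), versions, a["name"], a["version"]


def evaluate(report_json, accepted=None, today=None, fail_threshold="High"):
    """Classify findings into fail / warn / accepted buckets.

    accepted: {cve_id: "YYYY-MM-DD"} expiry dates of reviewed risk acceptances.
    today:    ISO date used for the expiry check (defaults to the real date).
    """
    accepted = accepted or {}
    today_d = date.fromisoformat(today) if today else date.today()
    threshold = SEVERITY_RANK[fail_threshold]
    result = {"fail": [], "warn": [], "accepted": []}
    for cve, sev, fix_versions, pkg, ver in _matches_of(json.loads(report_json)):
        if SEVERITY_RANK.get(sev, 0) < threshold:
            continue  # below the gate; still visible in the raw scanner output
        fix = "fix " + ", ".join(fix_versions) if fix_versions else "no fix yet"
        entry = f"{cve} {pkg} {ver} ({sev}, {fix})"
        expiry = accepted.get(cve)
        if expiry and date.fromisoformat(expiry) >= today_d:
            result["accepted"].append(entry)  # reviewed exception, still in date
        elif fix_versions:
            result["fail"].append(entry)      # upgradable: block the release
        else:
            result["warn"].append(entry)      # not upgradable: base-image decision, not a block
    return result


def exit_code(result):
    """Non-zero only for fixable findings above the threshold; that is what the pipeline enforces."""
    return 1 if result["fail"] else 0


if __name__ == "__main__":
    # Usage (assumes Grype's output shape): grype -o json sonarqube:<tag> | python sca_gate.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    res = evaluate(data)
    for bucket in ("fail", "warn", "accepted"):
        for line in res[bucket]:
            print(f"[{bucket.upper()}] {line}")
    sys.exit(exit_code(res))
```

      Splitting "fixable" from "unfixable" is the part worth copying: a gate that blocks on every Critical will be disabled the first time the base image carries a CVE with no upstream fix, whereas a gate that blocks only on what the team can actually upgrade stays on.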

      Act on the Docker image to reduce the attack surface

      • Use the smallest possible base image, for instance Google Distroless. The majority of vulnerabilities
        reported against container images are found in the OS layer, so the choice of base image is critical.
      • Do not package tools that are not required inside the Docker image (X11, Qt, KDE, Apache, curl, ...)
      • Apply security best-practices, for instance:
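      To make "smallest base image" and "no non-required tools" checkable rather than aspirational, here is an added example (mine, not SonarSource's Dockerfile or tooling) that audits a Dockerfile's runtime stage. It joins continuation lines, follows multi-stage builds so that tools used only in a builder stage are not flagged, checks the final base image against an allowlist of minimal bases, flags package-manager installs of the tools listed above, and, as an extra rule of my own, flags a runtime stage that never drops root. The allowlist, the distroless image tag, the download URL and the jar path in the two constructed Dockerfiles are assumptions for illustration.

```python
"""Audit a Dockerfile's runtime stage for the image-hardening rules above (added example).
Policy values are assumptions chosen for illustration, not SonarSource's."""
import re

ALLOWED_BASE_PREFIXES = ("gcr.io/distroless/", "eclipse-temurin:", "alpine:")  # "minimal" bases
FORBIDDEN_PACKAGES = {"curl", "wget", "xorg", "xserver-xorg", "x11-common", "libx11-6",
                      "qtbase5-dev", "kde-standard", "apache2", "httpd"}  # issue's list, plus wget
INSTALL_RE = re.compile(r"\b(?:apt-get|apt|apk|yum|dnf|microdnf)\s+(?:install|add)\b(.*)")


def _logical_lines(text):
    """Join backslash-continued lines; drop comments and blank lines."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        out.append(buf + line)
        buf = ""
    if buf:
        out.append(buf.strip())
    return out


def _stages(lines):
    """Split instructions by FROM so builder stages can be told apart from the runtime stage."""
    stages = []
    for line in lines:
        inst, _, rest = line.partition(" ")
        inst = inst.upper()
        if inst == "FROM":
            base = [t for t in rest.split() if not t.startswith("--")][0]  # skip --platform=...
            stages.append({"base": base, "runs": [], "user": None})
        elif stages and inst == "RUN":
            stages[-1]["runs"].append(rest)
        elif stages and inst == "USER":
            stages[-1]["user"] = rest.strip()
    return stages


def _installed_packages(run_cmd):
    """Package names handed to a package-manager install in a RUN line (flags, version pins stripped)."""
    pkgs = set()
    for part in re.split(r"&&|\|\||;", run_cmd):
        m = INSTALL_RE.search(part)
        if m:
            pkgs.update(t.split("=")[0] for t in m.group(1).split() if not t.startswith("-"))
    return pkgs


def audit_dockerfile(text):
    """Return findings for the final (runtime) stage; an empty list means the image passes."""
    stages = _stages(_logical_lines(text))
    if not stages:
        return ["no FROM instruction found"]
    final, findings = stages[-1], []
    base = final["base"]
    if not base.startswith(ALLOWED_BASE_PREFIXES):
        findings.append(f"runtime base image {base} is not on the minimal-base allowlist")
    if base.endswith(":latest") or ":" not in base.rsplit("/", 1)[-1]:
        findings.append(f"runtime base image {base} is not pinned to a tag or digest")
    for run in final["runs"]:
        bad = sorted(_installed_packages(run) & FORBIDDEN_PACKAGES)
        if bad:
            findings.append("runtime stage installs non-required tools: " + ", ".join(bad))
    if final["user"] in (None, "root", "0"):
        findings.append("runtime stage runs as root (no USER instruction)")
    return findings


# Constructed Dockerfiles for both cases; the URL, tag and paths are illustrative only.
BLOATED_DOCKERFILE = r"""
FROM ubuntu:22.04
RUN apt-get update && apt-get install -y --no-install-recommends \
    openjdk-17-jre-headless curl xorg apache2 \
    && rm -rf /var/lib/apt/lists/*
COPY sonarqube /opt/sonarqube
CMD ["/opt/sonarqube/bin/run.sh"]
"""
MINIMAL_DOCKERFILE = r"""
FROM eclipse-temurin:17-jdk AS build
RUN apt-get update && apt-get install -y --no-install-recommends curl unzip \
    && curl -fsSL -o /tmp/sonarqube.zip https://example.invalid/sonarqube.zip \
    && unzip -q /tmp/sonarqube.zip -d /opt
FROM gcr.io/distroless/java17-debian12:nonroot
COPY --from=build /opt/sonarqube /opt/sonarqube
USER nonroot
ENTRYPOINT ["java", "-jar", "/opt/sonarqube/lib/sonar-application.jar"]
"""

if __name__ == "__main__":
    for name, text in (("bloated", BLOATED_DOCKERFILE), ("minimal", MINIMAL_DOCKERFILE)):
        print(name, audit_dockerfile(text) or "OK")
```

      One caveat the distroless choice brings with it: those images contain no shell, so the shell-script launchers from the zip distribution cannot be the image entrypoint; the Java launcher has to be started directly, and whatever the wrapper script used to set up (environment, limits) moves into the image or the orchestrator.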

      Out of scope:

      Later on, we may also consider adding support for Docker/Kubernetes secrets, but that does not directly relate to making the image itself more secure.

      People

      Assignee: Christophe Levis
      Reporter: Christophe Levis
      Votes: 0
      Watchers: 2
