
Enable testcontainers tests once ryuk docker image is replaced with some less vulnerable #250

Closed
dnestoro opened this issue Mar 15, 2023 · 7 comments · Fixed by #546
Assignees
Labels
enhancement New feature or request

Comments

@dnestoro
Member

After implementing the feature that disables docker pull for docker images that are not listed in the Allowed docker images list, it was discovered that the Testcontainers test uses the testcontainers/ryuk image under the hood. This image has been scanned (alongside the other allowed docker images from the list) with the grype tool, which found that this image contains many high/critical vulnerabilities. Since this image is used by default in testcontainers, we cannot prevent its download. Until testcontainers replaces usage of this image with a less vulnerable one, we have to disable this test.

Once the image is changed, we can enable this test again.

@dnestoro dnestoro added the enhancement New feature or request label Mar 15, 2023
@dnestoro dnestoro self-assigned this Mar 15, 2023
@mdelapenya

Hi @dnestoro, let me share that last week testcontainers/ryuk:0.4.0 was released, removing all those security issues:

```
➜ grype testcontainers/ryuk:0.4.0 --scope all-layers
 ✔ Vulnerability DB        [no update available]
 ✔ Loaded image            
 ✔ Parsed image            
 ✔ Cataloged packages      [41 packages]
 ✔ Scanning image...       [0 vulnerabilities]
   ├── 0 critical, 0 high, 0 medium, 0 low, 0 negligible
   └── 0 fixed

No vulnerabilities found
```

All language implementations of Testcontainers are not using that version in the current releases yet. But there is a workaround to use a different image for Ryuk: https://www.testcontainers.org/features/configuration/#customizing-ryuk-resource-reaper

At `${HOME}/.testcontainers.properties`:

```
ryuk.container.image = testcontainers/ryuk:0.4.0
```

or if you prefer using the env:

```
export RYUK_CONTAINER_IMAGE=testcontainers/ryuk:0.4.0
```

Hope it helps in bypassing those security issues described in this ticket 🙏
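The two settings above (the `ryuk.container.image` property and the `RYUK_CONTAINER_IMAGE` variable) decide which Ryuk image Testcontainers pulls, and the issue's allow-list policy is that every image on the list has to scan clean with grype. The following Python is an added example, not code from this project or from Testcontainers: it resolves the effective Ryuk image from those two sources and then gates an allow-list on grype's JSON report. The lookup order (env var first, then the properties file, then the library default) is an assumption taken from the Testcontainers configuration docs; the library default is left as a placeholder, and the grype JSON shape used (top-level `matches`, each with `vulnerability.id`, `vulnerability.severity`, `artifact.name`, `artifact.version`) is what `grype <image> -o json` emits, but the sample reports here are constructed, with placeholder CVE ids.

```python
"""Added example: resolve the Ryuk image Testcontainers will pull, and gate an
image allow-list on grype JSON output. Sample reports are constructed."""
import json
from typing import Dict, List

# grype severity names, ranked so a threshold can be compared numerically
SEVERITY_RANK = {"negligible": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal parser for the ~/.testcontainers.properties format (key = value)."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":      # blank lines and comments
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def resolve_ryuk_image(env: Dict[str, str], properties_text: str,
                       default: str = "testcontainers/ryuk:<library-default>") -> str:
    """Assumed lookup order: RYUK_CONTAINER_IMAGE env var, then the
    ryuk.container.image property, then the library default (placeholder)."""
    if env.get("RYUK_CONTAINER_IMAGE"):
        return env["RYUK_CONTAINER_IMAGE"]
    return parse_properties(properties_text).get("ryuk.container.image", default)


def failing_matches(report: dict, fail_on: str = "high") -> List[str]:
    """One line per grype match whose severity is at or above fail_on."""
    threshold = SEVERITY_RANK[fail_on.lower()]
    failures: List[str] = []
    for match in report.get("matches", []):
        vuln = match["vulnerability"]
        sev = vuln.get("severity", "unknown").lower()
        if SEVERITY_RANK.get(sev, -1) >= threshold:
            art = match["artifact"]
            failures.append(f"{vuln['id']} ({sev}) in {art['name']} {art['version']}")
    return failures


def check_allow_list(reports: Dict[str, dict], fail_on: str = "high") -> Dict[str, List[str]]:
    """Map each allow-listed image to its blocking findings; an empty list means it passes."""
    return {image: failing_matches(report, fail_on) for image, report in reports.items()}


# Constructed sample reports: not real scan output, CVE ids are placeholders.
CLEAN_REPORT = json.loads('{"matches": []}')
DIRTY_REPORT = {
    "matches": [
        {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical"},
         "artifact": {"name": "libexample", "version": "1.0.0"}},
        {"vulnerability": {"id": "CVE-0000-0002", "severity": "Low"},
         "artifact": {"name": "libother", "version": "2.3.4"}},
    ]
}
SAMPLE_REPORTS = {
    "testcontainers/ryuk:0.4.0": CLEAN_REPORT,
    "example/old-image:placeholder": DIRTY_REPORT,
}

if __name__ == "__main__":
    image = resolve_ryuk_image({}, "ryuk.container.image = testcontainers/ryuk:0.4.0")
    print("Ryuk image Testcontainers would pull:", image)
    for name, problems in check_allow_list(SAMPLE_REPORTS).items():
        print(name, "OK" if not problems else "BLOCKED: " + "; ".join(problems))
```

In a CI job the `reports` dict would be filled from `grype <image> -o json` per allow-listed image, and a non-empty finding list for the resolved Ryuk image is exactly the condition under which this issue keeps the test disabled.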

@eddumelendez

testcontainers-java next release will contain testcontainers/ryuk:0.4.0 by default. See testcontainers/testcontainers-java#6782

@dnestoro
Member Author

This is fantastic! Thank you @mdelapenya and @eddumelendez! Do you possibly know when we can expect a new release?

@alvarosanchez
Member

My question is: do we really need Ryuk in CI? At Micronaut we disable it with the env TESTCONTAINERS_RYUK_DISABLED since the containers will be destroyed anyway when CI finishes.

@wirthi
Member

wirthi commented Mar 16, 2023

Disabling it is a good step, but we would still download it then, and the vulnerability scanner would still find it.

@bsideup

bsideup commented Mar 19, 2023

@alvarosanchez FYI if you disable Ryuk then an in-JVM ShutdownHook-based implementation will still be used :)

@linghengqian
Contributor

  • I opened a PR for this issue.
