asf-tooling opened a new issue, #1068:
URL: https://github.com/apache/tooling-trusted-releases/issues/1068

   **ASVS Level(s):** L1
   
   **Description:**
   
   ### Summary
   Five external tools are installed in the Docker image with pinned versions but no documented update timeframes, automated monitoring, or consistent integrity verification. These tools include syft 1.38.2, parlay 0.9.0, sbomqs 1.1.0, cyclonedx-cli 0.29.1, and Apache RAT 0.18. These tools process untrusted user input (SBOM files, release archives), making vulnerability exposure particularly concerning. Apache RAT has proper SHA512 verification, but syft and cyclonedx-cli are installed via curl without hash verification.
   
   ### Details
   The issue exists in `Dockerfile.alpine` lines 45-71 (tool installations), 62-64 (syft installation), and 71 (cyclonedx-cli installation). External tools are installed with pinned versions but no update monitoring or consistent integrity verification.
   
   ### Recommended Remediation
   1. **Add CI check for Dockerfile tool versions** (`scripts/check_dockerfile_tool_versions.py`):
   
   ```python
   #!/usr/bin/env python3
   """Check that Dockerfile tool versions are not stale."""
   import re
   import sys
   from datetime import datetime, timezone
   from pathlib import Path
   import requests
   
   MAX_AGE_DAYS = 90
   
   TOOLS = {
       'SYFT_VERSION': 'anchore/syft',
       'PARLAY_VERSION': 'snyk/parlay',
       'SBOMQS_VERSION': 'interlynk-io/sbomqs',
       'CDXCLI_VERSION': 'CycloneDX/cyclonedx-cli',
   }
   
   def check_tool_age(tool_name: str, repo: str, current_version: str) -> bool:
       """Check if tool version is within acceptable age."""
       # Query GitHub API for release date (release tags are assumed to carry a 'v' prefix)
       url = f"https://api.github.com/repos/{repo}/releases/tags/v{current_version}"
       response = requests.get(url, timeout=30)
       
       if response.status_code != 200:
           print(f"WARNING: Could not check {tool_name} version age")
           return True  # Don't fail on API errors
       
       # GitHub returns e.g. '2025-01-02T03:04:05Z'; convert to a timezone-aware UTC datetime
       release_date = datetime.fromisoformat(response.json()['published_at'].replace('Z', '+00:00'))
       age_days = (datetime.now(timezone.utc) - release_date).days
       
       if age_days > MAX_AGE_DAYS:
           print(f"ERROR: {tool_name} {current_version} is {age_days} days old (max {MAX_AGE_DAYS})")
           return False
       
       print(f"OK: {tool_name} {current_version} is {age_days} days old")
       return True
   
   # Parse Dockerfile and check each tool
   dockerfile = Path("Dockerfile.alpine").read_text()
   all_ok = True
   
   for env_var, repo in TOOLS.items():
       match = re.search(rf'ENV {env_var}="?([^"\s]+)"?', dockerfile)
       if match:
           version = match.group(1)
           if not check_tool_age(env_var, repo, version):
               all_ok = False
   
   sys.exit(0 if all_ok else 1)
   ```
   
   2. **Add hash verification for curl-installed tools** (in Dockerfile.alpine):
   
   ```dockerfile
   # Add ENV variables for hashes
   ENV SYFT_SHA256="<hash>"
   ENV CDXCLI_SHA256="<hash>"
   
   # Verify syft download
   RUN curl -sSfL "https://github.com/anchore/syft/releases/download/v${SYFT_VERSION}/syft_${SYFT_VERSION}_linux_amd64.tar.gz" -o /tmp/syft.tar.gz && \
       echo "${SYFT_SHA256}  /tmp/syft.tar.gz" | sha256sum -c - && \
       tar -xzf /tmp/syft.tar.gz -C /usr/local/bin syft && \
       rm /tmp/syft.tar.gz
   
   # Verify cyclonedx-cli download (-f makes curl fail on HTTP errors instead of saving the error page)
   RUN curl -sSfL "https://github.com/CycloneDX/cyclonedx-cli/releases/download/v${CDXCLI_VERSION}/cyclonedx-linux-musl-x64" -o /usr/local/bin/cyclonedx && \
       echo "${CDXCLI_SHA256}  /usr/local/bin/cyclonedx" | sha256sum -c - && \
       chmod +x /usr/local/bin/cyclonedx
   ```
   
   3. **Document policy in DEPENDENCIES.md**:
   
   ```markdown
   ## External Tool Update Policy
   
   ### Update Frequency
   - External tools in Dockerfile must be updated at least every 90 days
   - CI check enforces maximum age of 90 days
   - All tools must have SHA256 or SHA512 hash verification
   
   ### Monitored Tools
   - syft (SBOM generation)
   - parlay (SBOM analysis)
   - sbomqs (SBOM quality scoring)
   - cyclonedx-cli (SBOM format conversion)
   - Apache RAT (license analysis)
   
   ### Hash Verification
   All tools installed via curl must include hash verification:
   - Obtain hash from official release page
   - Store hash in ENV variable
   - Verify hash before installation
   ```
   
   ### Acceptance Criteria
   - [ ] CI check script created (check_dockerfile_tool_versions.py)
   - [ ] Script integrated into .github/workflows/analyze.yml
   - [ ] Hash verification added for syft
   - [ ] Hash verification added for cyclonedx-cli
   - [ ] 90-day maximum age enforced
   - [ ] DEPENDENCIES.md updated with external tool policy
   - [ ] Hashes documented and verified
   - [ ] CI pipeline fails if tools are stale
   
   ### References
   - Source reports: L1:15.2.1.md
   - Related findings: FINDING-201, FINDING-202
   - ASVS sections: 15.2.1
   
   ### Priority
   Medium
   
   ---
   
   ---
   
   **Triage notes:** look for pre-existing scanner


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
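A self-contained version of the two checks the issue asks for (version staleness against a release date, and SHA256 pinning of curl-fetched artifacts), written as an added example for this page: it is not the project's `scripts/check_dockerfile_tool_versions.py` and not code from the issue. It assumes the same ENV-variable-to-repository mapping the issue's script uses, that release tags may or may not carry a `v` prefix (so both are tried), and that a `GITHUB_TOKEN` may be present for rate limits; the Dockerfile fragment, release dates and artifact bytes are constructed so the module runs offline, and `github_lookup()` is the only network code.

```python
"""Pinned-tool checks for a Dockerfile: version staleness and SHA256 pinning.
Added example, not code from the tooling-trusted-releases project: the
Dockerfile fragment, release dates and artifact bytes are constructed, and
github_lookup() is the only network code (the sample run does not use it)."""
import hashlib
import json
import os
import re
import urllib.error
import urllib.request
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Optional

# Matches `ENV NAME=value` and `ENV NAME="value"`, the style of the pins in the issue.
ENV_RE = re.compile(r'^\s*ENV\s+([A-Z0-9_]+)="?([^"\s]+)"?', re.M)

TOOLS = {  # env var -> GitHub repo, as in the issue's script (assumed mapping)
    "SYFT_VERSION": "anchore/syft",
    "PARLAY_VERSION": "snyk/parlay",
    "SBOMQS_VERSION": "interlynk-io/sbomqs",
    "CDXCLI_VERSION": "CycloneDX/cyclonedx-cli",
}

def parse_env_pins(dockerfile: str) -> dict:
    """Return {ENV_NAME: value} for every single-value ENV line."""
    return {m.group(1): m.group(2) for m in ENV_RE.finditer(dockerfile)}

def parse_github_timestamp(ts: str) -> datetime:
    """GitHub emits '...Z'; fromisoformat() needs '+00:00' before Python 3.11."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)

@dataclass
class AgeResult:
    tool: str
    version: str
    age_days: Optional[int]  # None: the release could not be looked up
    stale: bool

def check_staleness(pins: dict, tools: dict, lookup: Callable[[str, str], Optional[str]],
                    now: datetime, max_age_days: int = 90) -> list:
    """lookup(repo, version) returns the release's published_at or None. An
    unknown release is reported with age None and stale=False (warn-only, the
    same fail-open choice as the issue's script); an unpinned tool is skipped."""
    results = []
    for env_var, repo in tools.items():
        version = pins.get(env_var)
        if version is None:
            continue
        published = lookup(repo, version)
        if published is None:
            results.append(AgeResult(env_var, version, None, False))
            continue
        age = (now - parse_github_timestamp(published)).days
        results.append(AgeResult(env_var, version, age, age > max_age_days))
    return results

def github_lookup(repo: str, version: str, timeout: float = 30.0) -> Optional[str]:
    """Real lookup: tries tag 'v1.2.3' then '1.2.3' (projects differ), with a
    timeout and an optional GITHUB_TOKEN so CI does not hit the rate limit."""
    headers = {"Accept": "application/vnd.github+json"}
    if os.environ.get("GITHUB_TOKEN"):
        headers["Authorization"] = "Bearer " + os.environ["GITHUB_TOKEN"]
    for tag in (f"v{version}", version):
        url = f"https://api.github.com/repos/{repo}/releases/tags/{tag}"
        try:
            with urllib.request.urlopen(urllib.request.Request(url, headers=headers),
                                        timeout=timeout) as resp:
                return json.load(resp).get("published_at")
        except (urllib.error.URLError, ValueError):
            continue
    return None

def hash_from_checksums(checksums_txt: str, asset_name: str) -> Optional[str]:
    """Pick one asset's SHA256 out of a '<hex>  <file>' checksums file (the
    layout sha256sum -c reads); this is the value a human pins in SYFT_SHA256."""
    for line in checksums_txt.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1] == asset_name and re.fullmatch(r"[0-9a-fA-F]{64}", parts[0]):
            return parts[0].lower()
    return None

def verify_sha256(data: bytes, expected_hex: str) -> bool:
    """Same check as `echo "$HASH  file" | sha256sum -c -` in the Dockerfile."""
    return hashlib.sha256(data).hexdigest() == expected_hex.lower()

# Constructed sample data: not the project's real Dockerfile, releases or tarballs.
SAMPLE_DOCKERFILE = 'FROM alpine:3.20\nENV SYFT_VERSION="1.38.2"\nENV CDXCLI_VERSION=0.29.1\nENV SBOMQS_VERSION="1.1.0"\n'
SAMPLE_RELEASES = {("anchore/syft", "1.38.2"): "2025-12-01T00:00:00Z",
                   ("CycloneDX/cyclonedx-cli", "0.29.1"): "2025-10-01T12:00:00Z"}
SAMPLE_NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)
SAMPLE_ARTIFACT = b"constructed bytes standing in for syft_1.38.2_linux_amd64.tar.gz"
SAMPLE_CHECKSUMS = (hashlib.sha256(SAMPLE_ARTIFACT).hexdigest() + "  syft_1.38.2_linux_amd64.tar.gz\n"
                    + "0" * 64 + "  syft_1.38.2_darwin_arm64.tar.gz\n")

def sample_run() -> list:
    """Staleness results for the constructed Dockerfile and release dates."""
    return check_staleness(parse_env_pins(SAMPLE_DOCKERFILE), TOOLS,
                           lambda repo, ver: SAMPLE_RELEASES.get((repo, ver)), SAMPLE_NOW)
```

Two points a practitioner will want to keep in mind with either this or the issue's own script: treating an API failure as "not stale" means a GitHub outage or an exhausted rate limit silently passes CI, so the `None` results should at least be surfaced in the job log (and a `GITHUB_TOKEN` raises the limit); and a hash copied from the same release page only protects against corruption or post-publication replacement of the artifact, not against a compromised upstream build, so where a project also publishes signatures for its checksums file, verifying that signature once when the pin is updated is the stronger procedure.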

