Posted to user@drill.apache.org by Danny Mayer <da...@gmail.com> on 2022/09/28 16:50:03 UTC

Two Apache-drill docker images did not pass security scans

Hi Support,

I'm developing a solution using Apache Drill on a MongoDB cluster server,
and it works well.

But, when I tried to approve the package at my company, it did not pass IT
security scans.

I performed a security scan using Sonatype Nexus IQ scanner, done on a
Linux box, on two docker images:

- apache-drill:master

- apache-drill:1.20.2

Both docker images did not pass the security scan.

I've tried to attach both reports, but they exceed the size limit of your
email server.

Here are the steps to reproduce the reports:

1. Pull the docker images
# docker pull apache/drill:master
# docker pull apache/drill:1.20.2

2. Save docker images to a local file
# docker save -o apache-drill-master.tar <image-id>
# docker save -o apache-drill-1.20.2.tar <image-id>

3. Install Sonatype Nexus IQ scanner

4. Run Sonatype Nexus IQ scanner

5. Load each docker image file and start the scan
At the end of the scan a report is sent to you by email.

I've attached two screenshots of the first report page of each report.

Can you check these vulnerabilities, especially the high and medium
security levels, and write about them?

Regards,

Dan Mayer
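An added example (not from this thread or the Drill project) of the first thing a component scanner does with a `docker save` tarball like the ones above: read manifest.json, walk each layer tar, and fingerprint every .jar by SHA-1 so it can be matched against a vulnerability database. The image, its layer and the file paths are constructed in the code and are not a real Drill image.

```python
import hashlib
import io
import json
import tarfile


def _tar_bytes(entries):
    """Build an in-memory tar archive from a {path: bytes} mapping."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in entries.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_sample_image():
    """Constructed stand-in for `docker save` output: one layer, one fake jar.
    The paths imitate a Drill layout but the content is made up."""
    layer = _tar_bytes({
        "opt/drill/jars/3rdparty/example-lib-1.0.jar": b"fake jar bytes",
        "opt/drill/conf/drill-override.conf": b"drill.exec: {}",
    })
    manifest = json.dumps([{
        "Config": "config.json",
        "RepoTags": ["example/drill:test"],
        "Layers": ["layer1/layer.tar"],
    }]).encode()
    return _tar_bytes({"manifest.json": manifest, "layer1/layer.tar": layer})


def inventory_jars(image_tar_bytes):
    """Return {path_in_image: sha1_hex} for every .jar in every layer.
    Later layers overwrite earlier ones, as they do in the image filesystem."""
    found = {}
    with tarfile.open(fileobj=io.BytesIO(image_tar_bytes)) as outer:
        manifest = json.load(outer.extractfile("manifest.json"))
        for image in manifest:
            for layer_name in image["Layers"]:
                layer_bytes = outer.extractfile(layer_name).read()
                with tarfile.open(fileobj=io.BytesIO(layer_bytes)) as layer:
                    for member in layer.getmembers():
                        if member.isfile() and member.name.endswith(".jar"):
                            data = layer.extractfile(member).read()
                            found[member.name] = hashlib.sha1(data).hexdigest()
    return found


if __name__ == "__main__":
    for path, digest in sorted(inventory_jars(build_sample_image()).items()):
        print(f"{digest}  {path}")
```

Point `inventory_jars` at the bytes of a real `docker save` tarball to get the list of jar fingerprints a scanner such as Nexus IQ or the OWASP tool would look up.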

Re: Two Apache-drill docker images did not pass security scans

Posted by James Turton <dz...@apache.org>.
Hi Dan

We get automatic scans done by GitHub's Dependabot and we periodically 
run a manual scan using an OWASP tool. It would be nice to see the 
results of the Sonatype scanner but these mailing lists don't support 
images. Can you put them in a pastebin (I don't believe there's any 
security benefit in avoiding a public upload here) or send them directly to 
me at this address?

Thanks
James

On 2022/09/28 18:50, Danny Mayer wrote:
> Hi Support,
>
> I'm developing a solution using Apache Drill on a MongoDB cluster 
> server, and it works well.
>
> But, when I tried to approve the package at my company, it did not 
> pass IT security scans.
>
> I performed a security scan using Sonatype Nexus IQ scanner, done on a 
> Linux box, on two docker images:
>
> - apache-drill:master
>
> - apache-drill:1.20.2
>
> Both docker images did not pass the security scan.
>
> I've tried to attach both reports, but they exceed the size limit of
> your email server.
>
> Here are the steps to reproduce the reports:
>
> 1. Pull the docker images
> # docker pull apache/drill:master
> # docker pull apache/drill:1.20.2
>
> 2. Save docker images to a local file
> # docker save -o apache-drill-master.tar <image-id>
> # docker save -o apache-drill-1.20.2.tar <image-id>
>
> 3. Install Sonatype Nexus IQ scanner
>
> 4. Run Sonatype Nexus IQ scanner
>
> 5. Load each docker image file and start the scan
> At the end of the scan a report is sent to you by email.
>
> I've attached two screenshots of the first report page of each report.
>
> Can you check these vulnerabilities, especially the high and medium 
> security levels, and write about them?
>
> Regards,
>
> Dan Mayer