Posted to user@drill.apache.org by Danny Mayer <da...@gmail.com> on 2022/09/28 16:50:03 UTC
Two Apache-drill docker images did not pass security scans
Hi Support,
I'm developing a solution using Apache Drill on a MongoDB cluster server,
and it works well.
But, when I tried to approve the package at my company, it did not pass IT
security scans.
I performed a security scan using Sonatype Nexus IQ scanner, done on a
Linux box, on two docker images:
- apache-drill:master
- apache-drill:1.20.2
Both docker images did not pass the security scan.
I've tried to attach both reports, but they exceed the allowed size limit
of your email server.
Here are the steps to reproduce the reports:
1. Pull the docker images
# docker pull apache/drill:master
# docker pull apache/drill:1.20.2
2. Save docker images to a local file
# docker save -o apache-drill-master.tar <image-id>
# docker save -o apache-drill-1.20.2.tar <image-id>
3. Install Sonatype Nexus IQ scanner
4. Run Sonatype Nexus IQ scanner
5. Load each docker image file and start the scan
At the end of the scan a report is sent to you by email.
I've attached two screenshots of the first report page of each report.
Can you check these vulnerabilities, especially the high and medium
security levels, and write about them?
Regards,
Dan Mayer
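The steps above hand a `docker save` archive to a component scanner. As an added example, not part of this thread or of Drill's own tooling, the Python below reads such an archive and inventories the JARs it contains layer by layer (honouring whiteout deletions, so a jar removed by a later layer is not reported), which lets a scanner's component findings be traced back to the concrete file and layer that carries them. The sample image, its paths and jar names are constructed; the name/version split from the filename is a heuristic.

```python
import hashlib, io, json, re, tarfile

JAR_RE = re.compile(r"^(.+?)-(\d[^/]*)\.jar$")  # heuristic "<artifact>-<version>.jar" split

def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()

def inventory_jars(image):
    """image: path to a `docker save` tar, or a file object at its start.
    Returns {path: {name, version, sha1, layer}} for every .jar left after all layers apply."""
    opener = {"name": image} if isinstance(image, str) else {"fileobj": image}
    found = {}
    with tarfile.open(**opener) as img:
        for entry in json.load(img.extractfile("manifest.json")):
            for layer_path in entry["Layers"]:  # base layer first; each layer is a nested tar
                with tarfile.open(fileobj=img.extractfile(layer_path)) as layer:
                    for m in layer:
                        path = m.name[2:] if m.name.startswith("./") else m.name
                        base = path.rsplit("/", 1)[-1]
                        if base.startswith(".wh."):  # whiteout: this layer deletes the file
                            found.pop(path[: -len(base)] + base[4:], None)
                        elif m.isfile() and base.endswith(".jar"):
                            match = JAR_RE.match(base)
                            found[path] = {  # overwrites an older record for the same path
                                "name": match.group(1) if match else base[:-4],
                                "version": match.group(2) if match else None,
                                "sha1": sha1_hex(layer.extractfile(m).read()),
                                "layer": layer_path}
    return found

def _tar_bytes(files):
    """Uncompressed tar in memory from {path: bytes} (for constructed test data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as t:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            t.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def build_sample_image():
    """Constructed two-layer image: layer 2 adds a newer jar and whites out the old one."""
    layer1 = _tar_bytes({"opt/drill/jars/drill-common-1.20.2.jar": b"constructed jar 1",
                         "opt/drill/jars/3rdparty/example-lib-1.0.0.jar": b"constructed jar 2"})
    layer2 = _tar_bytes({"opt/drill/jars/3rdparty/example-lib-1.0.1.jar": b"constructed jar 3",
                         "opt/drill/jars/3rdparty/.wh.example-lib-1.0.0.jar": b""})
    manifest = json.dumps([{"Layers": ["l1/layer.tar", "l2/layer.tar"]}]).encode()
    return io.BytesIO(_tar_bytes({"manifest.json": manifest,
                                  "l1/layer.tar": layer1, "l2/layer.tar": layer2}))
```

Against a real archive, call `inventory_jars("apache-drill-1.20.2.tar")` and compare the resulting name/version/SHA-1 list with the scanner's component list.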
Re: Two Apache-drill docker images did not pass security scans
Posted by James Turton <dz...@apache.org>.
Hi Dan
We get automatic scans done by GitHub's Dependabot and we periodically
run a manual scan using an OWASP tool. It would be nice to see the
results of the Sonatype scanner but these mailing lists don't support
images. Can you put them in a pastebin (I don't believe there's any
security benefit in avoiding a public upload here) or send them directly to
me at this address?
Thanks
James
On 2022/09/28 18:50, Danny Mayer wrote: