@Bouni commented Mar 10, 2025

This PR does a number of things

  1. It reduces the image size from 177MB down to 91MB by using the python:3.13-alpine image as a base image.
  2. It uses uv instead of regular pip to create a virtualenv and install the packages.
  3. It copies the python files into the image, so that not the entire folder has to be mounted into the container.
  4. It updates all packages in the requirements.txt to the latest version.
  5. It fixes an escape issue that generates unnecessary log entries
  6. It fixes vulnerabilities mentioned in some issues (Netprobe unsafe ! Too many CVE vunerabilities #65)

Vulnerability report from docker scout

Before:

```
    ✓ SBOM of image already cached, 175 packages indexed
    ✗ Detected 20 vulnerable packages with a total of 39 vulnerabilities


## Overview

                    │           Analyzed Image
────────────────────┼─────────────────────────────────────
  Target            │  plaintextpackets/netprobe:latest
    digest          │  9ca46061d1c4
    platform        │ linux/amd64
    vulnerabilities │    4C     5H    11M    17L     2?
    size            │ 80 MB
    packages        │ 175
```

```
## Packages and Vulnerabilities

   2C     1H     0M     0L  expat 2.5.0-1
pkg:deb/debian/[email protected]?os_distro=bookworm&os_name=debian&os_version=12

    ✗ CRITICAL CVE-2024-45492
      https://scout.docker.com/v/CVE-2024-45492
      Affected range : <2.5.0-1+deb12u1
      Fixed version  : 2.5.0-1+deb12u1

    ✗ CRITICAL CVE-2024-45491
      https://scout.docker.com/v/CVE-2024-45491
      Affected range : <2.5.0-1+deb12u1
      Fixed version  : 2.5.0-1+deb12u1

    ✗ HIGH CVE-2024-45490
      https://scout.docker.com/v/CVE-2024-45490
      Affected range : <2.5.0-1+deb12u1
      Fixed version  : 2.5.0-1+deb12u1


   1C     1H     3M     5L     1?  openssl 3.0.11-1~deb12u2
pkg:deb/debian/[email protected]~deb12u2?os_distro=bookworm&os_name=debian&os_version=12

    ✗ CRITICAL CVE-2024-5535
      https://scout.docker.com/v/CVE-2024-5535
      Affected range : <3.0.15-1~deb12u1
      Fixed version  : 3.0.15-1~deb12u1

    ✗ HIGH CVE-2024-4741
      https://scout.docker.com/v/CVE-2024-4741
      Affected range : <3.0.14-1~deb12u1
      Fixed version  : 3.0.14-1~deb12u1

    ✗ MEDIUM CVE-2024-0727
      https://scout.docker.com/v/CVE-2024-0727
      Affected range : <3.0.13-1~deb12u1
      Fixed version  : 3.0.13-1~deb12u1

    ✗ MEDIUM CVE-2023-5678
      https://scout.docker.com/v/CVE-2023-5678
      Affected range : <3.0.13-1~deb12u1
      Fixed version  : 3.0.13-1~deb12u1

    ✗ MEDIUM CVE-2024-9143
      https://scout.docker.com/v/CVE-2024-9143
      Affected range : <3.0.15-1~deb12u1
      Fixed version  : 3.0.15-1~deb12u1

    ✗ LOW CVE-2024-6119
      https://scout.docker.com/v/CVE-2024-6119
      Affected range : <3.0.14-1~deb12u2
      Fixed version  : 3.0.14-1~deb12u2

    ✗ LOW CVE-2024-4603
      https://scout.docker.com/v/CVE-2024-4603
      Affected range : <3.0.14-1~deb12u1
      Fixed version  : 3.0.14-1~deb12u1

    ✗ LOW CVE-2023-6237
      https://scout.docker.com/v/CVE-2023-6237
      Affected range : <3.0.13-1~deb12u1
      Fixed version  : 3.0.13-1~deb12u1

    ✗ LOW CVE-2023-6129
      https://scout.docker.com/v/CVE-2023-6129
      Affected range : <3.0.13-1~deb12u1
      Fixed version  : 3.0.13-1~deb12u1

    ✗ LOW CVE-2010-0928
      https://scout.docker.com/v/CVE-2010-0928
      Affected range : >=3.0.11-1~deb12u2
      Fixed version  : not fixed

    ✗ UNSPECIFIED CVE-2024-2511
      https://scout.docker.com/v/CVE-2024-2511
      Affected range : <3.0.14-1~deb12u1
      Fixed version  : 3.0.14-1~deb12u1


   1C     1H     0M     0L  krb5 1.20.1-2+deb12u1
pkg:deb/debian/[email protected]%2Bdeb12u1?os_distro=bookworm&os_name=debian&os_version=12

    ✗ CRITICAL CVE-2024-37371
      https://scout.docker.com/v/CVE-2024-37371
      Affected range : <1.20.1-2+deb12u2
      Fixed version  : 1.20.1-2+deb12u2

    ✗ HIGH CVE-2024-37370
      https://scout.docker.com/v/CVE-2024-37370
      Affected range : <1.20.1-2+deb12u2
      Fixed version  : 1.20.1-2+deb12u2


   0C     1H     0M     0L     1?  systemd 252.22-1~deb12u1
pkg:deb/debian/[email protected]~deb12u1?os_distro=bookworm&os_name=debian&os_version=12

    ✗ HIGH CVE-2023-50387
      https://scout.docker.com/v/CVE-2023-50387
      Affected range : <252.23-1~deb12u1
      Fixed version  : 252.23-1~deb12u1

    ✗ UNSPECIFIED CVE-2023-50868
      https://scout.docker.com/v/CVE-2023-50868
      Affected range : <252.23-1~deb12u1
      Fixed version  : 252.23-1~deb12u1


   0C     1H     0M     0L  setuptools 65.5.1
pkg:pypi/[email protected]

    ✗ HIGH CVE-2024-6345 [Improper Control of Generation of Code ('Code Injection')]
      https://scout.docker.com/v/CVE-2024-6345
      Affected range : <70.0.0
      Fixed version  : 70.0.0
      CVSS Score     : 7.5
      CVSS Vector    : CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N


   0C     0H     3M     0L  gnutls28 3.7.9-2+deb12u2
pkg:deb/debian/[email protected]%2Bdeb12u2?os_distro=bookworm&os_name=debian&os_version=12

    ✗ MEDIUM CVE-2024-28834
      https://scout.docker.com/v/CVE-2024-28834
      Affected range : <3.7.9-2+deb12u3
      Fixed version  : 3.7.9-2+deb12u3

    ✗ MEDIUM CVE-2024-12243
      https://scout.docker.com/v/CVE-2024-12243
      Affected range : <3.7.9-2+deb12u4
      Fixed version  : 3.7.9-2+deb12u4

    ✗ MEDIUM CVE-2024-28835
      https://scout.docker.com/v/CVE-2024-28835
      Affected range : <3.7.9-2+deb12u3
      Fixed version  : 3.7.9-2+deb12u3


   0C     0H     1M     1L  sqlite3 3.40.1-2
pkg:deb/debian/[email protected]?os_distro=bookworm&os_name=debian&os_version=12

    ✗ MEDIUM CVE-2023-7104
      https://scout.docker.com/v/CVE-2023-7104
      Affected range : <3.40.1-2+deb12u1
      Fixed version  : 3.40.1-2+deb12u1

    ✗ LOW CVE-2023-36191
      https://scout.docker.com/v/CVE-2023-36191
      Affected range : >=3.40.1-2
      Fixed version  : not fixed


   0C     0H     1M     0L  dnspython 2.4.2
pkg:pypi/[email protected]

    ✗ MEDIUM CVE-2023-29483 [Incorrect Behavior Order]
      https://scout.docker.com/v/CVE-2023-29483
      Affected range : <2.6.1
      Fixed version  : 2.6.1
      CVSS Score     : 5.9
      CVSS Vector    : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H


   0C     0H     1M     0L  libtasn1-6 4.19.0-2
pkg:deb/debian/[email protected]?os_distro=bookworm&os_name=debian&os_version=12

    ✗ MEDIUM CVE-2024-12133
      https://scout.docker.com/v/CVE-2024-12133
      Affected range : <4.19.0-2+deb12u1
      Fixed version  : 4.19.0-2+deb12u1


   0C     0H     1M     0L  urllib3 2.2.1
pkg:pypi/[email protected]

    ✗ MEDIUM CVE-2024-37891 [Incorrect Resource Transfer Between Spheres]
      https://scout.docker.com/v/CVE-2024-37891
      Affected range : >=2.0.0
                     : <2.2.2
      Fixed version  : 2.2.2
      CVSS Score     : 4.4
      CVSS Vector    : CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N


   0C     0H     1M     0L  requests 2.31.0
pkg:pypi/[email protected]

    ✗ MEDIUM CVE-2024-35195 [Always-Incorrect Control Flow Implementation]
      https://scout.docker.com/v/CVE-2024-35195
      Affected range : <2.32.0
      Fixed version  : 2.32.0
      CVSS Score     : 5.6
      CVSS Vector    : CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N


   0C     0H     0M     2L  perl 5.36.0-7+deb12u1
pkg:deb/debian/[email protected]%2Bdeb12u1?os_distro=bookworm&os_name=debian&os_version=12

    ✗ LOW CVE-2023-31486
      https://scout.docker.com/v/CVE-2023-31486
      Affected range : >=5.36.0-7+deb12u1
      Fixed version  : not fixed

    ✗ LOW CVE-2011-4116
      https://scout.docker.com/v/CVE-2011-4116
      Affected range : >=5.36.0-7+deb12u1
      Fixed version  : not fixed


   0C     0H     0M     2L  gcc-12 12.2.0-14
pkg:deb/debian/[email protected]?os_distro=bookworm&os_name=debian&os_version=12

    ✗ LOW CVE-2023-4039
      https://scout.docker.com/v/CVE-2023-4039
      Affected range : >=12.2.0-14
      Fixed version  : not fixed

    ✗ LOW CVE-2022-27943
      https://scout.docker.com/v/CVE-2022-27943
      Affected range : >=12.2.0-14
      Fixed version  : not fixed


   0C     0H     0M     1L  coreutils 9.1-1
pkg:deb/debian/[email protected]?os_distro=bookworm&os_name=debian&os_version=12

    ✗ LOW CVE-2017-18018
      https://scout.docker.com/v/CVE-2017-18018
      Affected range : >=9.1-1
      Fixed version  : not fixed


   0C     0H     0M     1L  gnupg2 2.2.40-1.1
pkg:deb/debian/[email protected]?os_distro=bookworm&os_name=debian&os_version=12

    ✗ LOW CVE-2022-3219
      https://scout.docker.com/v/CVE-2022-3219
      Affected range : >=2.2.40-1.1
      Fixed version  : not fixed


   0C     0H     0M     1L  tar 1.34+dfsg-1.2+deb12u1
pkg:deb/debian/[email protected]%2Bdfsg-1.2%2Bdeb12u1?os_distro=bookworm&os_name=debian&os_version=12

    ✗ LOW CVE-2005-2541
      https://scout.docker.com/v/CVE-2005-2541
      Affected range : >=1.34+dfsg-1.2+deb12u1
      Fixed version  : not fixed


   0C     0H     0M     1L  apt 2.6.1
pkg:deb/debian/[email protected]?os_distro=bookworm&os_name=debian&os_version=12

    ✗ LOW CVE-2011-3374
      https://scout.docker.com/v/CVE-2011-3374
      Affected range : >=2.6.1
      Fixed version  : not fixed


   0C     0H     0M     1L  certifi 2024.2.2
pkg:pypi/[email protected]

    ✗ LOW CVE-2024-39689 [Insufficient Verification of Data Authenticity]
      https://scout.docker.com/v/CVE-2024-39689
      Affected range : >=2021.5.30
                     : <2024.7.4
      Fixed version  : 2024.07.04


   0C     0H     0M     1L  libgcrypt20 1.10.1-3
pkg:deb/debian/[email protected]?os_distro=bookworm&os_name=debian&os_version=12

    ✗ LOW CVE-2018-6829
      https://scout.docker.com/v/CVE-2018-6829
      Affected range : >=1.10.1-3
      Fixed version  : not fixed


   0C     0H     0M     1L  shadow 1:4.13+dfsg1-1
pkg:deb/debian/shadow@1:4.13%2Bdfsg1-1?os_distro=bookworm&os_name=debian&os_version=12

    ✗ LOW CVE-2007-5686
      https://scout.docker.com/v/CVE-2007-5686
      Affected range : >=1:4.13+dfsg1-1
      Fixed version  : not fixed



39 vulnerabilities found in 20 packages
  CRITICAL     4
  HIGH         5
  MEDIUM       11
  LOW          17
  UNSPECIFIED  2
```

After:

```
    ✓ Image stored for indexing
    ✓ Indexed 60 packages
    ✓ No vulnerable package detected


## Overview

                    │       Analyzed Image
────────────────────┼──────────────────────────────
  Target            │  netprobe:latest
    digest          │  9924596613a5
    platform        │ linux/amd64
    vulnerabilities │    0C     0H     0M     0L
    size            │ 41 MB
    packages        │ 60


## Packages and Vulnerabilities

  No vulnerable packages detected
```
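As an added illustration of points 1 to 3 in the description (not the PR's own Dockerfile, whose contents are not shown here), this two-stage build uses the python:3.13-alpine base, lets uv create and populate a virtualenv, and copies the Python sources into the image instead of mounting the folder. Everything except the base image and requirements.txt is an assumption: the uv image reference, the venv path, the user name and the entry module are placeholders.

```dockerfile
# Added example, not the project's Dockerfile. Assumed: a uv binary taken from
# the astral-sh image, a venv at /opt/venv, and sources as top-level *.py files.
FROM python:3.13-alpine AS builder

# Take the uv binary from its published image (pin the tag in real use).
COPY --from=ghcr.io/astral-sh/uv:latest /uv /bin/uv

ENV VIRTUAL_ENV=/opt/venv \
    UV_LINK_MODE=copy
WORKDIR /build

# Create the virtualenv and install the pinned requirements into it.
RUN uv venv "$VIRTUAL_ENV"
COPY requirements.txt .
RUN uv pip install --no-cache -r requirements.txt

# Runtime stage: same base image, so the venv's interpreter symlinks resolve,
# but without uv, caches or build leftovers.
FROM python:3.13-alpine

# Refresh the OS packages and create an unprivileged user for the service.
RUN apk upgrade --no-cache \
 && adduser -D -H -u 10001 netprobe

ENV VIRTUAL_ENV=/opt/venv \
    PATH="/opt/venv/bin:$PATH" \
    PYTHONDONTWRITEBYTECODE=1 \
    PYTHONUNBUFFERED=1

COPY --from=builder /opt/venv /opt/venv

WORKDIR /app
# Only the Python sources go into the image; no bind mount is needed at run time.
COPY --chown=netprobe:netprobe *.py ./

USER netprobe
# Placeholder entry point: the PR does not name the project's entry module.
CMD ["python", "main.py"]
```

Re-running `docker scout` against the result is the check the description relies on; both stages must use the same base tag or the copied venv's interpreter links will not resolve.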


Bouni commented Mar 10, 2025

I think this project could be improved even more!

Here are some of my ideas, let me know if you like them or if there are concerns:

  • Move all python source files under a src folder to reduce the number of copy commands in the Dockerfile
  • Change the config from an .env file to a .yml file; that way the config could be cleaner to look at and a config schema could be introduced to detect config errors (with pydantic for example).
    Also a hierarchical config would be possible with that.
  • Consolidate the python scripts into one and have only one running netprobe container. Simplify everything and slim down even more.
  • Add CI/CD for code quality checks (ruff, automatic image building and upload to docker hub / ghcr on release)
  • Add unit tests
  • Add pre-commit hooks
  • Move from a requirements.txt to a pyproject.toml + uv.lock to be more state of the art

I really like the project so far and have it running without issues for about 2 weeks!

@gregorskii commented

These seem like great additions. Is this project still active? I have not found an alternative that works.
