|
| 1 | +#!/usr/bin/env bash |
| 2 | + |
| 3 | +. ../../base.sh |
| 4 | + |
| 5 | +TYPE_SPEED=100 |
| 6 | +DEMO_PROMPT="${GREEN}➜ ${CYAN}\W ${COLOR_RESET}" |
| 7 | +clear |
| 8 | + |
| 9 | +echo -e " |
| 10 | +Demo: Chainguard Libraries for Python - Remediated Repository |
| 11 | +
|
| 12 | +CVE-2021-23727 in Celery 5.2.1 - Three approaches: |
| 13 | +1. Vulnerable: Celery 5.2.1 from PyPI |
| 14 | +2. Upstream Fix: Celery 5.2.2 from PyPI |
| 15 | +3. Remediated: Celery 5.2.1 from Chainguard with backported fix |
| 16 | +" |
| 17 | +wait |
| 18 | + |
| 19 | +banner "Setup" |
| 20 | + |
| 21 | +read -p "Enter your Chainguard organization name: " ORG_NAME |
| 22 | +export ORG_NAME |
| 23 | + |
| 24 | +banner "Step 1: Vulnerable (Celery 5.2.1 from PyPI)" |
| 25 | +wait |
| 26 | +pei "cd step1-orig" |
| 27 | +pe "cat requirements.txt" |
| 28 | +pei "" |
| 29 | + |
| 30 | +pei "docker build --no-cache -t celery-demo:vulnerable ." |
| 31 | + |
| 32 | +banner "This run will work, as celery 5.2.1 allows OS command injection." |
| 33 | +wait |
| 34 | +pei "docker run --rm celery-demo:vulnerable" |
| 35 | + |
| 36 | +banner "Step 2: Upstream Fix (Celery 5.2.2 from PyPI)" |
| 37 | +wait |
| 38 | + |
| 39 | +pei "cd ../step2-upstream-fix" |
| 40 | +pe "cat requirements.txt" |
| 41 | + |
| 42 | +pei "docker build --no-cache -t celery-demo:fixed ." |
| 43 | +banner "This will throw an exception, as the OS command injection vuln is fixed in 5.2.2." |
| 44 | +wait |
| 45 | +pei "docker run --rm celery-demo:fixed" |
| 46 | + |
| 47 | +banner "Step 3: Remediated (Celery 5.2.1 from Chainguard)" |
| 48 | +wait |
| 49 | +pei "cd ../step3-cg" |
| 50 | +pe "cat requirements.txt" |
| 51 | + |
| 52 | +pei "CREDS=\$(chainctl auth pull-token --repository=python --parent=\$ORG_NAME --name=py-demo-\$USER --ttl=1h -o json)" |
| 53 | + |
| 54 | +{ |
| 55 | + echo "machine libraries.cgr.dev" |
| 56 | + echo "login $(echo $CREDS | jq -r .identity_id)" |
| 57 | + echo "password $(echo $CREDS | jq -r .token)" |
| 58 | +} > .netrc |
| 59 | + |
| 60 | +pe "cat pyproject.toml" |
| 61 | +pei "" |
| 62 | + |
| 63 | +pei "docker build --no-cache --secret id=netrc,src=.netrc -t celery-demo:remediated ." |
| 64 | +banner "This will throw an exception - celery 5.2.1 from Chainguard's python-remediated repository includes the CVE fix." |
| 65 | +wait |
| 66 | +pei "docker run --rm celery-demo:remediated" |
| 67 | + |
| 68 | +banner "Use chainctl libraries verify to determine package coverage from Chainguard." |
| 69 | +wait |
| 70 | +pei "chainctl libraries verify celery-demo:remediated" |
| 71 | + |
| 72 | +banner "Cleanup" |
| 73 | +wait |
| 74 | +pei "ID=\$(chainctl iam ids ls --parent=\$ORG_NAME -o json | jq -r '.items[] | select(.name | startswith(\"py-demo\")) | .id')" |
| 75 | +pei "chainctl iam identities delete \$ID --parent \$ORG_NAME --yes" |
| 76 | +pei "rm .netrc" |
| 77 | +pei "docker rmi celery-demo:vulnerable celery-demo:fixed celery-demo:remediated" |
| 78 | + |
| 79 | +echo -e " |
| 80 | +${GREEN}Demo Complete!${COLOR_RESET} |
| 81 | +
|
| 82 | +Key Takeaways: |
| 83 | +✓ Celery 5.2.1 has CVE-2021-23727 |
| 84 | +✓ Traditional fix: Upgrade to 5.2.2 (may break compatibility) |
| 85 | +✓ Chainguard: Use 5.2.1 with backported fix |
| 86 | + - Same version, no compatibility risk |
| 87 | + - Security fix included |
| 88 | + - Full SBOM and provenance |
| 89 | +" |
| 90 | + |
| 91 | +exit 0 |
0 commit comments