Merge pull request #188 from monte-carlo-data/fbenitez/vuln-597-minor-upgrade-for-libcap2

benitezfede · web-flow · commit a24a7dcacbc7 · 2025-05-26T13:06:02.000Z
VULN-597: Upgraded libcap2
diff --git a/Dockerfile b/Dockerfile
@@ -33,6 +33,7 @@ RUN . $VENV_DIR/bin/activate && pip install setuptools==75.1.0
 # Azure database clients uses pyodbc which requires unixODBC and 'ODBC Driver 17 for SQL Server'
 # [VULN-602] update passwd to 1:4.13+dfsg1-1+deb12u1
 # [VULN-606] update krb5 (kerberos) to 1.20.1-2+deb12u3
+# [VULN-XXX] update libcap2 to 1:2.66-4+deb12u1
 RUN apt-get update \
     && apt-get install -y gnupg gnupg2 gnupg1 curl apt-transport-https \
     && curl https://packages.microsoft.com/keys/microsoft.asc | apt-key add - \
@@ -41,7 +42,8 @@ RUN apt-get update \
     && apt-get update \
     && ACCEPT_EULA=Y apt-get install -y msodbcsql17 unixodbc unixodbc-dev \
     && apt-get install -y passwd=1:4.13+dfsg1-1+deb12u1 \
-    && apt-get install -y libgssapi-krb5-2=1.20.1-2+deb12u3 libkrb5-3=1.20.1-2+deb12u3 libkrb5support0=1.20.1-2+deb12u3
+    && apt-get install -y libgssapi-krb5-2=1.20.1-2+deb12u3 libkrb5-3=1.20.1-2+deb12u3 libkrb5support0=1.20.1-2+deb12u3 \
+    && apt-get install -y libcap2=1:2.66-4+deb12u1
 
 # copy sources in the last step so we don't install python libraries due to a change in source code
 COPY apollo/ ./apollo
@@ -154,7 +156,8 @@ RUN apt-get install -y git wget  # VULN-543 upgrade wget
 RUN apt-get update \
     && apt-get install -y gnupg gnupg2 gnupg1 curl apt-transport-https libgnutls30 \
     && ACCEPT_EULA=Y apt-get install -y msodbcsql17 odbcinst=2.3.11-2+deb12u1 odbcinst1debian2=2.3.11-2+deb12u1 unixodbc-dev=2.3.11-2+deb12u1 unixodbc=2.3.11-2+deb12u1 \
-    && apt-get install -y sqlite3=3.40.1-2+deb12u1 openssl=3.0.16-1~deb12u1 libglib2.0-0
+    && apt-get install -y sqlite3=3.40.1-2+deb12u1 openssl=3.0.16-1~deb12u1 libglib2.0-0 \
+    && apt-get install -y libcap2=1:2.66-4+deb12u1
 
 # delete this file that includes an old golang version (including vulns) and is not used
 RUN rm -rf /opt/startupcmdgen/
diff --git a/README.md b/README.md
@@ -239,3 +239,44 @@ invoke the health endpoint using:
 ```shell
 aws lambda invoke --profile <aws_profile> --function-name <lambda_arn> --cli-binary-format raw-in-base64-out --payload '{"path": "/api/v1/test/health", "httpMethod": "GET", "queryStringParameters": {"trace_id": "1234", "full": true}}' /dev/stdout | jq '.body | fromjson'
 ```
+
+## Fixing Vulnerabilities and Verifying Library Upgrades
+
+### 1. Updating Vulnerable Dependencies
+If a vulnerability is reported in a dependency (e.g., via Aikido, Snyk, or another scanner), update the affected package in `requirements.in` to the latest secure version. For example, to update `teradatasql`:
+
+```shell
+# Edit requirements.in and set the desired version, e.g.:
+teradatasql==20.0.0.30
+
+# Recompile requirements.txt:
+pip-compile requirements.in
+```
+
+### 2. Rebuilding the Docker Image
+After updating dependencies, rebuild the Docker image to ensure the new versions are installed:
+
+```shell
+docker build -t local_agent --target generic --platform=linux/amd64 .
+```
+
+### 3. Verifying Library Versions in the Image
+To verify that the correct library version is installed in the built image, run:
+
+```shell
+docker run --rm local_agent pip show teradatasql
+```
+Or, for system packages (e.g., libcap2):
+```shell
+docker run --rm local_agent dpkg -l | grep libcap2
+```
+
+This will print the installed version, which you can check against the required secure version.
+
+### 4. Running Tests in Docker
+You can also run the unit tests in Docker to ensure everything works as expected:
+```shell
+docker build -t test_agent --target tests --platform=linux/amd64 --build-arg CACHEBUST="`date`" --progress=plain .
+```
+
+**Note:** Always review the security advisories and package documentation for any additional upgrade steps or breaking changes.
