Cut down feed ingress vulnerabilities (#230)

To cut down the attack surface
and so reduce the number of vulnerabilities.
The previous debian:strech-slim was showing a lot of vulnerabilities 
that have all gone away once switching to alpine (3.13).

Also used trivy to fail the build when either HIGH or CRITICAL
vulnerabilities are found.

.gitignore

@@ -5,3 +5,4 @@
 *.iws
 build/
 vendor/
+nginx/fake/fake_graceful_nginx

.travis.yml

@@ -6,12 +6,18 @@ addons:
 
 language: go
 
+sudo: required
+
 go:
 - 1.13
 
 services:
 - docker
 
+before_install:
+  - wget https://github.com/aquasecurity/trivy/releases/download/v0.15.0/trivy_0.15.0_Linux-64bit.tar.gz
+  - sudo tar -C /usr/local/bin -zxf trivy_0.15.0_Linux-64bit.tar.gz
+
 install:
 - make setup
 

CHANGELOG.md

@@ -1,3 +1,6 @@
+# v4.1.0
+* Switch feed-ingress base image to alpine to reduce the number of vulnerabilities
+
 # v4.0.0
 * Support latest backend config for nginx upstream module
   * Support setting keepalive_requests and keepalive_timeout for nginx upstream module

Makefile

@@ -11,11 +11,19 @@ files := $(shell find . -path ./vendor -prune -o -name '*.go' -print)
 build_time := $(shell date -u)
 ldflags := -X "github.com/sky-uk/feed/feed-ingress/cmd.version=$(version)" -X "github.com/sky-uk/feed/feed-ingress/cmd.buildTime=$(build_time)"
 
-.PHONY: all format test build vet lint copy docker release checkformat check clean fakenginx
+os := $(shell uname)
+ifeq ("$(os)", "Linux")
+	GOOS = linux
+else ifeq ("$(os)", "Darwin")
+	GOOS = darwin
+endif
+GOARCH ?= amd64
+
+.PHONY: all format test build vet lint copy docker release checkformat check clean fakenginx check-vulnerabilities
 
 all : format check build
 check : vet lint test
-travis : checkformat check docker
+travis : checkformat check docker check-vulnerabilities
 
 setup:
 	@echo "== setup"
@@ -29,7 +37,7 @@ format :
 
 build :
 	@echo "== build"
-	@go install -v ./feed-ingress/... ./feed-dns/...
+	CGO_ENABLED=0 GOOS=$(GOOS) GOARCH=$(GOARCH) go install -v ./feed-ingress/... ./feed-dns/...
 
 unformatted = $(shell goimports -l $(files))
 
@@ -90,3 +98,7 @@ else
 	docker push $(image_prefix)-dns:$(git_tag)
 	docker push $(image_prefix)-dns:latest
 endif
+
+check-vulnerabilities:
+	@echo "== Checking for vulnerabilities in the docker image"
+	trivy image --exit-code=1 --severity="HIGH,CRITICAL" $(image_prefix)-ingress:latest

README.md

@@ -170,7 +170,7 @@ To enable OpenTracing, you will need to provide the following options:
 
 ```bash
 # Define the path to the OpenTracing vendor plugin
---nginx-opentracing-plugin-path=/usr/local/lib/libjaegertracing_plugin.linux_amd64.so
+--nginx-opentracing-plugin-path=/usr/local/lib64/libjaegertracing.so
 # Define the path to the config for the vendor plugin
 --nginx-opentracing-config-path=/etc/jaeger-nginx-config.json
 ```

docker/ingress/Dockerfile

@@ -1,19 +1,14 @@
-FROM debian:stretch-slim
+FROM alpine:3.13
 
 # Install useful diagnostic packages
-RUN apt-get update \
-    && apt-get dist-upgrade -y \
-    && apt-get install --no-install-suggests --no-install-recommends -y \
-        libcap2-bin \
+RUN apk add --no-cache \
+        libcap \
         curl \
         ca-certificates \
-        dnsutils \
-        vim-tiny \
+        bind-tools \
+        vim \
         lsof \
-        iproute2 \
-    && apt-get clean -y \
-    && apt-get autoremove -y \
-    && rm -rf /var/lib/apt/lists/* /tmp/*
+        iproute2
 
 # Install NGINX
 
@@ -35,7 +30,7 @@ RUN /tmp/build-nginx.sh
 RUN setcap "cap_net_bind_service=+ep" /usr/sbin/nginx
 
 # Setup feed controller
-RUN useradd -s /sbin/nologin feed
+RUN adduser --shell /sbin/nologin --disabled-password feed
 RUN mkdir -p /nginx /var/cache/nginx
 RUN chown -R feed:feed /nginx /var/cache/nginx
 

docker/ingress/build-nginx.sh

@@ -1,16 +1,30 @@
-#!/bin/bash
+#!/usr/bin/env sh
 
 set -ex
 
-apt-get update
-apt-get install --no-install-suggests --no-install-recommends -y \
-    build-essential \
-    cmake automake autogen autoconf libtool \
-    libc6 libc6-dev \
-    libpcre3 libpcre3-dev libpcrecpp0v5 \
-    zlib1g zlib1g-dev \
-    libaio1 libaio-dev \
-    sudo libssl-dev
+# From https://github.com/nginxinc/docker-nginx/blob/master/mainline/alpine/Dockerfile
+# Build dependencies
+apk add --no-cache --virtual .build-deps \
+    gcc \
+    libc-dev \
+    make \
+    openssl-dev \
+    pcre-dev \
+    zlib-dev \
+    linux-headers \
+    libxslt-dev \
+    gd-dev \
+    geoip-dev \
+    perl-dev \
+    libedit-dev \
+    mercurial \
+    bash \
+    alpine-sdk \
+    findutils \
+    cmake
+
+# Runtime dependencies
+apk add --no-cache pcre
 
 echo "--- Downloading NGINX and modules"
 mkdir /tmp/nginx
@@ -27,12 +41,13 @@ opentracing_nginx_tarball="nginx-opentracing-${OPENTRACING_NGINX_VERSION}.tar.gz
 opentracing_cpp_tarball="opentracing-cpp-${OPENTRACING_CPP_VERSION}.tar.gz"
 jaeger_tarball="jaeger-client-cpp-${JAEGER_VERSION}.tar.gz"
 
+# 2 spaces required between hash and filename
 touch hashes
-echo "${NGINX_SHA256} ${nginx_tarball}" >> hashes
-echo "${VTS_SHA256} ${vts_tarball}" >> hashes
-echo "${OPENTRACING_NGINX_SHA256} ${opentracing_nginx_tarball}" >> hashes
-echo "${OPENTRACING_CPP_SHA256} ${opentracing_cpp_tarball}" >> hashes
-echo "${JAEGER_SHA256} ${jaeger_tarball}" >> hashes
+echo "${NGINX_SHA256}  ${nginx_tarball}" >> hashes
+echo "${VTS_SHA256}  ${vts_tarball}" >> hashes
+echo "${OPENTRACING_NGINX_SHA256}  ${opentracing_nginx_tarball}" >> hashes
+echo "${OPENTRACING_CPP_SHA256}  ${opentracing_cpp_tarball}" >> hashes
+echo "${JAEGER_SHA256}  ${jaeger_tarball}" >> hashes
 if ! sha256sum -c hashes; then
     echo "sha256 hashes do not match downloaded files"
     exit 1
@@ -110,6 +125,5 @@ mkdir -p /nginx/modules
 cp objs/ngx_http_opentracing_module.so /nginx/modules/
 
 echo "--- Cleaning up"
-apt-get purge -y build-essential ca-certificates libc6-dev libpcre3-dev zlib1g-dev libaio-dev gcc-5 cmake automake autogen autoconf libtool
-apt-get clean -y
-rm -rf /var/lib/apt/lists/* /tmp/* /root/.hunter
+apk del .build-deps
+rm -rf /tmp/* /root/.hunter