
Upgrade container image with included dependencies

Open rwenz3l opened this issue 1 year ago • 7 comments

As mentioned in #79, I found that the containers are quite old and use Debian 11.7 and Go 1.20.6.

It would be very much appreciated if you could upgrade the container image itself, as well as the used toolchain for it, mainly for security reasons.

Go 1.22 is now released, which marks 1.20 as no longer supported. I'm sure there is also a bunch of dependencies used with the connect-server, which may contain vulnerabilities.

The docker image appears to be using a Debian base image at version 11.7; 11.8 was released in October 2023.

rwenz3l avatar Feb 07 '24 11:02 rwenz3l

@jpcoenen @ag-adampike @verkaufer any chance someone from the 1password team can take a look at this!?

onedr0p avatar Jun 27 '24 13:06 onedr0p

I scanned the docker image with trivy and discovered this

1password/connect-api:1.7.2 (debian 11.7)
Total: 29 (UNKNOWN: 0, LOW: 11, MEDIUM: 15, HIGH: 3, CRITICAL: 0)

    bin/connect-api (gobinary)
    Total: 21 (UNKNOWN: 0, LOW: 0, MEDIUM: 16, HIGH: 4, CRITICAL: 1)

1password/connect-sync:1.7.2 (debian 11.7)
Total: 29 (UNKNOWN: 0, LOW: 11, MEDIUM: 15, HIGH: 3, CRITICAL: 0)

    bin/connect-sync (gobinary)
    Total: 20 (UNKNOWN: 0, LOW: 0, MEDIUM: 15, HIGH: 4, CRITICAL: 1)

There are quite a few of these that could be resolved by updating deps; also, I don't see why these containers cannot use scratch or distroless images instead of Debian, which would lessen the attack surface.

Will the 1Password team ever address these vulnerabilities?

onedr0p avatar Jun 28 '24 13:06 onedr0p
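As an added example (not part of the thread, and not 1Password's tooling), the following Python script parses the Trivy table summary in the exact shape quoted in the comment above and applies a release gate that fails when any scan target, including a nested Go binary target, exceeds a HIGH or CRITICAL threshold. The embedded sample text is constructed from the numbers in the comment, not from a fresh scan, and the threshold values are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input mirroring the Trivy summary quoted in the comment
# above (one image target followed by one nested gobinary target). It is not
# a fresh scan result.
SAMPLE_TRIVY_SUMMARY = """\
1password/connect-api:1.7.2 (debian 11.7)
Total: 29 (UNKNOWN: 0, LOW: 11, MEDIUM: 15, HIGH: 3, CRITICAL: 0)

    bin/connect-api (gobinary)
    Total: 21 (UNKNOWN: 0, LOW: 0, MEDIUM: 16, HIGH: 4, CRITICAL: 1)
"""

SEVERITIES = ("UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL")
# "Total: N (UNKNOWN: a, LOW: b, ...)" possibly indented for nested targets.
_TOTAL_RE = re.compile(r"^\s*Total:\s*(\d+)\s*\((.*)\)\s*$")
_COUNT_RE = re.compile(r"(UNKNOWN|LOW|MEDIUM|HIGH|CRITICAL):\s*(\d+)")


@dataclass
class TargetSummary:
    target: str                      # e.g. "bin/connect-api (gobinary)"
    total: int                       # the number after "Total:"
    counts: dict = field(default_factory=dict)  # severity -> count


def parse_trivy_summary(text: str) -> list[TargetSummary]:
    """Pair every target header line with the 'Total:' line that follows it.

    Trivy prints the target name on its own line and the severity totals on
    the next; nested targets (binaries found inside the image) are indented.
    Blank lines are ignored, and a Total line whose per-severity counts do
    not add up to its declared total is rejected as a parse error.
    """
    results: list[TargetSummary] = []
    pending_target = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _TOTAL_RE.match(line)
        if m is None:
            # Any non-Total, non-blank line names the next scan target.
            pending_target = line.strip()
            continue
        if pending_target is None:
            raise ValueError(f"Total line without a preceding target: {line!r}")
        counts = {sev: 0 for sev in SEVERITIES}
        for sev, n in _COUNT_RE.findall(m.group(2)):
            counts[sev] = int(n)
        total = int(m.group(1))
        if sum(counts.values()) != total:
            raise ValueError(f"severity counts do not sum to total for {pending_target!r}")
        results.append(TargetSummary(pending_target, total, counts))
        pending_target = None
    return results


def gate(summaries: list[TargetSummary], max_high: int = 0, max_critical: int = 0):
    """Return (target, reason) pairs for every target that breaches the policy.

    The thresholds are assumed values for this example; a CI job would fail
    the build when the returned list is non-empty.
    """
    failures = []
    for s in summaries:
        if s.counts["CRITICAL"] > max_critical:
            failures.append((s.target, f"CRITICAL={s.counts['CRITICAL']} exceeds {max_critical}"))
        if s.counts["HIGH"] > max_high:
            failures.append((s.target, f"HIGH={s.counts['HIGH']} exceeds {max_high}"))
    return failures


def check_report(text: str, max_high: int = 0, max_critical: int = 0):
    """Parse a Trivy summary and return its policy failures in one call."""
    return gate(parse_trivy_summary(text), max_high, max_critical)


if __name__ == "__main__":
    for target, reason in check_report(SAMPLE_TRIVY_SUMMARY):
        print(f"FAIL {target}: {reason}")
```

Scanning the nested `gobinary` target separately matters here: the image-level line reports zero CRITICAL findings, while the Go binary inside it carries the CRITICAL one, so a gate that only reads the first Total line would pass a build it should block.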

cc @ag-rdoucette

onedr0p avatar Jun 28 '24 13:06 onedr0p

There has been no activity in this repository for quite a while. I feel like the people at 1Password are simply focusing on other things. I'm not sure how many people have this deployed, but IMO it's a security risk running this as it is today. I stopped bothering with the connector due to the inactivity and use vault instead.

rwenz3l avatar Jun 28 '24 13:06 rwenz3l

Yeah, I got that impression as well. It's a bummer they ignore this and are flaky supporting their OSS projects overall. Hopefully something changes and they have time to focus on their public-facing projects someday.

onedr0p avatar Jun 28 '24 13:06 onedr0p

Hey folks! 👋🏻

Thank you for your patience and for expressing your concerns.

I'm happy to announce that we've just released Connect 1.7.3, which updates the dependencies and the images used to build Connect. Let me know if you have any other questions.

edif2008 avatar Jul 02 '24 13:07 edif2008

Thanks @edif2008 and team!

onedr0p avatar Jul 02 '24 13:07 onedr0p