Conversation

@n0vad3v
Contributor

@n0vad3v n0vad3v commented Jul 9, 2022

This PR changes the Dockerfile for this project and introduces three changes:

  1. Use a multi-stage build to reduce image size:

     REPOSITORY                                  TAG                  IMAGE ID       CREATED          SIZE
     n0vad3v/cusdis                              latest               bca878dab5c5   4 minutes ago    1.88GB
     djyde/cusdis                                latest               5843238f22b9   4 weeks ago      2.57GB

  2. Change base image from node:15.14.0-alpine3.10 to node:16-alpine3.15 as builder, similar to PR: Bump node base image version to 16.13.0. #161
  3. Add npx browserslist@latest --update-db when building

However, there are still some security issues with the new image that need to be fixed:

n0vad3v/cusdis (alpine 3.15.4)
==============================
Total: 2 (UNKNOWN: 0, LOW: 2, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

+--------------+------------------+----------+-------------------+---------------+--------------------------------------+
|   LIBRARY    | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                TITLE                 |
+--------------+------------------+----------+-------------------+---------------+--------------------------------------+
| libcrypto1.1 | CVE-2022-2097    | LOW      | 1.1.1n-r0         | 1.1.1q-r0     | openssl: AES OCB fails               |
|              |                  |          |                   |               | to encrypt some bytes                |
|              |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2022-2097 |
+--------------+                  +          +                   +               +                                      +
| libssl1.1    |                  |          |                   |               |                                      |
|              |                  |          |                   |               |                                      |
|              |                  |          |                   |               |                                      |
+--------------+------------------+----------+-------------------+---------------+--------------------------------------+

Node.js (node-pkg)
==================
Total: 37 (UNKNOWN: 0, LOW: 0, MEDIUM: 20, HIGH: 15, CRITICAL: 2)

+------------------+---------------------+----------+-------------------+-----------------------------+----------------------------------------------+
|     LIBRARY      |  VULNERABILITY ID   | SEVERITY | INSTALLED VERSION |        FIXED VERSION        |                    TITLE                     |
+------------------+---------------------+----------+-------------------+-----------------------------+----------------------------------------------+
| @prisma/sdk      | CVE-2021-21414      | HIGH     | 2.14.0            | 2.20.0                      | Command injection                            |
|                  |                     |          |                   |                             | vulnerability in @prisma/sdk                 |
|                  |                     |          |                   |                             | in getPackedPackage function                 |
|                  |                     |          |                   |                             | -->avd.aquasec.com/nvd/cve-2021-21414        |
+------------------+---------------------+          +-------------------+-----------------------------+----------------------------------------------+
| ansi-regex       | CVE-2021-3807       |          | 5.0.0             | 3.0.1, 4.1.1, 5.0.1, 6.0.1  | nodejs-ansi-regex: Regular                   |
|                  |                     |          |                   |                             | expression denial of service                 |
|                  |                     |          |                   |                             | (ReDoS) matching ANSI escape codes           |
|                  |                     |          |                   |                             | -->avd.aquasec.com/nvd/cve-2021-3807         |
+------------------+---------------------+          +-------------------+-----------------------------+----------------------------------------------+
| async            | CVE-2021-43138      |          | 3.2.0             | 2.6.4, 3.2.2                | Prototype Pollution in async                 |
|                  |                     |          |                   |                             | -->avd.aquasec.com/nvd/cve-2021-43138        |
+------------------+---------------------+          +-------------------+-----------------------------+----------------------------------------------+
| axios            | CVE-2021-3749       |          | 0.21.1            | 0.21.2                      | nodejs-axios: Regular expression             |
|                  |                     |          |                   |                             | denial of service in trim function           |
|                  |                     |          |                   |                             | -->avd.aquasec.com/nvd/cve-2021-3749         |
+------------------+---------------------+----------+-------------------+-----------------------------+----------------------------------------------+
| browserslist     | CVE-2021-23364      | MEDIUM   | 4.16.4            | 4.16.5                      | browserslist: parsing of                     |
|                  |                     |          |                   |                             | invalid queries could result in              |
|                  |                     |          |                   |                             | Regular Expression Denial of...              |
|                  |                     |          |                   |                             | -->avd.aquasec.com/nvd/cve-2021-23364        |
+------------------+---------------------+          +-------------------+-----------------------------+----------------------------------------------+
| class-validator  | CVE-2019-18413      |          | 0.13.1            |                             | SQL Injection and Cross-site                 |
|                  |                     |          |                   |                             | Scripting in class-validator                 |
|                  |                     |          |                   |                             | -->avd.aquasec.com/nvd/cve-2019-18413        |
+------------------+---------------------+----------+-------------------+-----------------------------+----------------------------------------------+
| follow-redirects | CVE-2022-0155       | HIGH     | 1.13.3            | 1.14.7                      | follow-redirects: Exposure of                |
|                  |                     |          |                   |                             | Private Personal Information                 |
|                  |                     |          |                   |                             | to an Unauthorized Actor                     |
|                  |                     |          |                   |                             | -->avd.aquasec.com/nvd/cve-2022-0155         |
+                  +---------------------+----------+                   +-----------------------------+----------------------------------------------+
|                  | CVE-2022-0536       | MEDIUM   |                   | 1.14.8                      | follow-redirects: Exposure                   |
|                  |                     |          |                   |                             | of Sensitive Information via                 |
|                  |                     |          |                   |                             | Authorization Header leak                    |
|                  |                     |          |                   |                             | -->avd.aquasec.com/nvd/cve-2022-0536         |
+------------------+---------------------+----------+-------------------+-----------------------------+----------------------------------------------+
| glob-parent      | CVE-2020-28469      | HIGH     | 2.0.0             | 5.1.2                       | nodejs-glob-parent: Regular                  |
|                  |                     |          |                   |                             | expression denial of service                 |
|                  |                     |          |                   |                             | -->avd.aquasec.com/nvd/cve-2020-28469        |
+------------------+---------------------+----------+-------------------+-----------------------------+----------------------------------------------+
| markdown-it      | CVE-2022-21670      | MEDIUM   | 12.0.6            | 12.3.2                      | markdown-it is a Markdown                    |
|                  |                     |          |                   |                             | parser. Prior to version                     |
|                  |                     |          |                   |                             | 1.3.2, special patt ......                   |
|                  |                     |          |                   |                             | -->avd.aquasec.com/nvd/cve-2022-21670        |
+------------------+---------------------+----------+-------------------+-----------------------------+----------------------------------------------+
| minimist         | CVE-2021-44906      | CRITICAL | 1.2.5             | 1.2.6                       | minimist: prototype pollution                |
|                  |                     |          |                   |                             | -->avd.aquasec.com/nvd/cve-2021-44906        |
+------------------+---------------------+----------+-------------------+-----------------------------+----------------------------------------------+
| nanoid           | CVE-2021-23566      | MEDIUM   | 3.1.22            | 3.1.31                      | nanoid: Information disclosure               |
|                  |                     |          |                   |                             | via valueOf() function                       |
|                  |                     |          |                   |                             | -->avd.aquasec.com/nvd/cve-2021-23566        |
+                  +                     +          +-------------------+                             +                                              +
|                  |                     |          | 3.1.30            |                             |                                              |
|                  |                     |          |                   |                             |                                              |
|                  |                     |          |                   |                             |                                              |
+------------------+---------------------+----------+-------------------+-----------------------------+----------------------------------------------+
| next             | CVE-2021-43803      | HIGH     | 12.0.4            | 11.1.3, 12.0.5              | Unexpected server crash in Next.js.          |
|                  |                     |          |                   |                             | -->avd.aquasec.com/nvd/cve-2021-43803        |
+                  +---------------------+----------+                   +-----------------------------+----------------------------------------------+
|                  | CVE-2022-21721      | MEDIUM   |                   | 12.0.9                      | Denial of Service                            |
|                  |                     |          |                   |                             | Vulnerability in next.js                     |
|                  |                     |          |                   |                             | -->avd.aquasec.com/nvd/cve-2022-21721        |
+                  +---------------------+          +                   +-----------------------------+----------------------------------------------+
|                  | CVE-2022-23646      |          |                   | 12.1.0                      | Improper CSP in Image                        |
|                  |                     |          |                   |                             | Optimization API for Next.js                 |
|                  |                     |          |                   |                             | versions between 10.0.0 and...               |
|                  |                     |          |                   |                             | -->avd.aquasec.com/nvd/cve-2022-23646        |
+------------------+---------------------+----------+-------------------+-----------------------------+----------------------------------------------+
| next-auth        | CVE-2022-31093      | HIGH     | 3.15.5            | 4.5.0, 3.29.5               | Improper Handling of `callbackUrl`           |
|                  |                     |          |                   |                             | parameter in next-auth                       |
|                  |                     |          |                   |                             | -->avd.aquasec.com/nvd/cve-2022-31093        |
+                  +---------------------+          +                   +-----------------------------+----------------------------------------------+
|                  | CVE-2022-31127      |          |                   | 4.9.0, 3.29.8               | Improper handling of email input             |
|                  |                     |          |                   |                             | -->avd.aquasec.com/nvd/cve-2022-31127        |
+                  +---------------------+----------+                   +-----------------------------+----------------------------------------------+
|                  | CVE-2022-24858      | MEDIUM   |                   | 4.3.2, 3.29.2               | NextAuth.js default redirect                 |
|                  |                     |          |                   |                             | callback vulnerable to open redirects        |
|                  |                     |          |                   |                             | -->avd.aquasec.com/nvd/cve-2022-24858        |
+                  +---------------------+          +                   +-----------------------------+----------------------------------------------+
|                  | CVE-2022-29214      |          |                   | 4.3.3, 3.29.3               | URL Redirection to Untrusted Site            |
|                  |                     |          |                   |                             | ('Open Redirect') in next-auth               |
|                  |                     |          |                   |                             | -->avd.aquasec.com/nvd/cve-2022-29214        |
+------------------+---------------------+----------+-------------------+-----------------------------+----------------------------------------------+
| node-fetch       | CVE-2022-0235       | HIGH     | 2.6.1             | 2.6.7, 3.1.1                | node-fetch: exposure of sensitive            |
|                  |                     |          |                   |                             | information to an unauthorized actor         |
|                  |                     |          |                   |                             | -->avd.aquasec.com/nvd/cve-2022-0235         |
+------------------+---------------------+----------+-------------------+-----------------------------+----------------------------------------------+
| nodemailer       | CVE-2021-23400      | MEDIUM   | 6.5.0             | 6.6.1                       | The package nodemailer                       |
|                  |                     |          |                   |                             | before 6.6.1 are vulnerable                  |
|                  |                     |          |                   |                             | to HTTP Header Inje ......                   |
|                  |                     |          |                   |                             | -->avd.aquasec.com/nvd/cve-2021-23400        |
+------------------+---------------------+          +-------------------+-----------------------------+----------------------------------------------+
| path-parse       | CVE-2021-23343      |          | 1.0.6             | 1.0.7                       | nodejs-path-parse:                           |
|                  |                     |          |                   |                             | ReDoS via splitDeviceRe,                     |
|                  |                     |          |                   |                             | splitTailRe and splitPathRe                  |
|                  |                     |          |                   |                             | -->avd.aquasec.com/nvd/cve-2021-23343        |
+------------------+---------------------+          +-------------------+-----------------------------+----------------------------------------------+
| postcss          | CVE-2021-23382      |          | 6.0.23            | 7.0.36, 8.2.13              | nodejs-postcss: ReDoS                        |
|                  |                     |          |                   |                             | via getAnnotationURL()                       |
|                  |                     |          |                   |                             | and loadAnnotation()                         |
|                  |                     |          |                   |                             | in lib/previous-map.js                       |
|                  |                     |          |                   |                             | -->avd.aquasec.com/nvd/cve-2021-23382        |
+                  +                     +          +-------------------+                             +                                              +
|                  |                     |          | 8.2.10            |                             |                                              |
|                  |                     |          |                   |                             |                                              |
|                  |                     |          |                   |                             |                                              |
|                  |                     |          |                   |                             |                                              |
|                  |                     |          |                   |                             |                                              |
+------------------+---------------------+----------+-------------------+-----------------------------+----------------------------------------------+
| tar              | CVE-2021-32803      | HIGH     | 6.1.0             | 6.1.2, 5.0.7, 4.4.15, 3.2.3 | nodejs-tar: Insufficient symlink             |
|                  |                     |          |                   |                             | protection allowing arbitrary                |
|                  |                     |          |                   |                             | file creation and overwrite                  |
|                  |                     |          |                   |                             | -->avd.aquasec.com/nvd/cve-2021-32803        |
+                  +---------------------+          +                   +-----------------------------+----------------------------------------------+
|                  | CVE-2021-32804      |          |                   | 6.1.1, 5.0.6, 4.4.14, 3.2.2 | nodejs-tar: Insufficient absolute            |
|                  |                     |          |                   |                             | path sanitization allowing arbitrary         |
|                  |                     |          |                   |                             | file creation and overwrite                  |
|                  |                     |          |                   |                             | -->avd.aquasec.com/nvd/cve-2021-32804        |
+                  +---------------------+          +                   +-----------------------------+----------------------------------------------+
|                  | CVE-2021-37701      |          |                   | 6.1.7, 5.0.8, 4.4.16        | nodejs-tar: Insufficient symlink             |
|                  |                     |          |                   |                             | protection due to directory cache            |
|                  |                     |          |                   |                             | poisoning using symbolic links...            |
|                  |                     |          |                   |                             | -->avd.aquasec.com/nvd/cve-2021-37701        |
+                  +---------------------+          +                   +-----------------------------+----------------------------------------------+
|                  | CVE-2021-37712      |          |                   | 6.1.9, 5.0.10, 4.4.18       | nodejs-tar: Insufficient symlink             |
|                  |                     |          |                   |                             | protection due to directory cache            |
|                  |                     |          |                   |                             | poisoning using symbolic links...            |
|                  |                     |          |                   |                             | -->avd.aquasec.com/nvd/cve-2021-37712        |
+                  +---------------------+          +                   +                             +----------------------------------------------+
|                  | CVE-2021-37713      |          |                   |                             | nodejs-tar: Arbitrary                        |
|                  |                     |          |                   |                             | File Creation/Overwrite on                   |
|                  |                     |          |                   |                             | Windows via insufficient                     |
|                  |                     |          |                   |                             | relative path sanitization                   |
|                  |                     |          |                   |                             | -->avd.aquasec.com/nvd/cve-2021-37713        |
+------------------+---------------------+----------+-------------------+-----------------------------+----------------------------------------------+
| url-parse        | CVE-2022-0686       | CRITICAL | 1.5.1             | 1.5.8                       | npm-url-parse: Authorization                 |
|                  |                     |          |                   |                             | bypass through user-controlled key           |
|                  |                     |          |                   |                             | -->avd.aquasec.com/nvd/cve-2022-0686         |
+                  +---------------------+----------+                   +-----------------------------+----------------------------------------------+
|                  | CVE-2021-3664       | MEDIUM   |                   | 1.5.2                       | nodejs-url-parse: URL                        |
|                  |                     |          |                   |                             | Redirection to Untrusted Site                |
|                  |                     |          |                   |                             | -->avd.aquasec.com/nvd/cve-2021-3664         |
+                  +---------------------+          +                   +-----------------------------+----------------------------------------------+
|                  | CVE-2022-0512       |          |                   | 1.5.6                       | nodejs-url-parse: authorization              |
|                  |                     |          |                   |                             | bypass through user-controlled key           |
|                  |                     |          |                   |                             | -->avd.aquasec.com/nvd/cve-2022-0512         |
+                  +---------------------+          +                   +-----------------------------+----------------------------------------------+
|                  | CVE-2022-0639       |          |                   | 1.5.7                       | npm-url-parse: Authorization                 |
|                  |                     |          |                   |                             | Bypass Through User-Controlled Key           |
|                  |                     |          |                   |                             | -->avd.aquasec.com/nvd/cve-2022-0639         |
+                  +---------------------+          +                   +-----------------------------+----------------------------------------------+
|                  | CVE-2022-0691       |          |                   | 1.5.9                       | npm-url-parse: authorization                 |
|                  |                     |          |                   |                             | bypass through user-controlled key           |
|                  |                     |          |                   |                             | -->avd.aquasec.com/nvd/cve-2022-0691         |
+------------------+---------------------+          +-------------------+-----------------------------+----------------------------------------------+
| validator        | CVE-2021-3765       |          | 13.6.0            | 13.7.0                      | validator.js is vulnerable                   |
|                  |                     |          |                   |                             | to Inefficient Regular                       |
|                  |                     |          |                   |                             | Expression Complexit ...                     |
|                  |                     |          |                   |                             | -->avd.aquasec.com/nvd/cve-2021-3765         |
+                  +---------------------+          +                   +                             +----------------------------------------------+
|                  | GHSA-xx4c-jj58-r7x6 |          |                   |                             | Inefficient Regular Expression               |
|                  |                     |          |                   |                             | Complexity in Validator.js                   |
|                  |                     |          |                   |                             | -->github.com/advisories/GHSA-xx4c-jj58-r7x6 |
+------------------+---------------------+----------+-------------------+-----------------------------+----------------------------------------------+

app/node_modules/esbuild/bin/esbuild (gobinary)
===============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
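
The Dockerfile below is an added example, not the one this PR ships: it shows a multi-stage build of the shape described above (node:16-alpine3.15 as the builder, npx browserslist@latest --update-db during the build, and a slim second stage that receives only build output). The build and start scripts, the Next.js output paths (.next/, public/) and the use of npm with a committed package-lock.json are assumptions about the project. Two things the PR description does not mention are added because a practitioner would want them: the runtime stage runs as the unprivileged node user instead of root, and it runs apk upgrade so OS-level fixes such as the libssl1.1/libcrypto1.1 one in the table are picked up once the Alpine repository carries them. Note that the Node.js findings in the table come from the application's dependency tree, not from the Dockerfile; only dependency bumps in package.json remove those.

```dockerfile
# syntax=docker/dockerfile:1

# ---- Stage 1: build -------------------------------------------------------
# Everything needed to compile the app lives here and is discarded afterwards.
FROM node:16-alpine3.15 AS builder
WORKDIR /app

# Copy the manifests alone first so the dependency layer stays cached until
# package.json or package-lock.json change. Assumes npm with a committed lockfile.
COPY package.json package-lock.json ./
RUN npm ci

# Refresh the caniuse-lite database (the step this PR adds) so browserslist
# does not build against stale browser data.
RUN npx browserslist@latest --update-db

# Now copy the sources and build. "npm run build" is the assumed build script.
COPY . .
RUN npm run build

# Drop devDependencies so build-only tooling (for example the esbuild binary
# the scan lists under node_modules) is not copied into the runtime image.
RUN npm prune --production

# ---- Stage 2: runtime -----------------------------------------------------
FROM node:16-alpine3.15 AS runner
WORKDIR /app
ENV NODE_ENV=production

# Pick up Alpine security updates. For the libssl1.1/libcrypto1.1 finding in
# the scan this only helps once the alpine 3.15 repository carries 1.1.1q-r0.
RUN apk upgrade --no-cache

# Copy only what the server needs at runtime, owned by the unprivileged
# "node" user that the official image provides. Paths assume a Next.js build.
COPY --from=builder --chown=node:node /app/package.json ./package.json
COPY --from=builder --chown=node:node /app/node_modules ./node_modules
COPY --from=builder --chown=node:node /app/.next ./.next
COPY --from=builder --chown=node:node /app/public ./public

# Never run the app as root inside the container.
USER node
EXPOSE 3000
CMD ["npm", "run", "start"]
```

Build with docker build -t cusdis:local . and re-run the Trivy scan against the new tag; the builder stage's toolchain, caches and devDependencies are absent from the result, which is where most of the size saving comes from. If the project needs extra build-time steps (Prisma client generation, for instance), they belong in the builder stage before npm run build.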

@vercel

vercel bot commented Jul 9, 2022

Someone is attempting to deploy a commit to a Personal Account owned by @djyde on Vercel.

@djyde first needs to authorize it.

@n0vad3v
Contributor Author

n0vad3v commented Jul 9, 2022

Maybe we can change the Vercel check here as it seems to show fail on every PR 🤔.

@n0vad3v
Contributor Author

n0vad3v commented Jul 9, 2022

I've added a workflow on GitHub Actions which will run on every PR; it will try to build the image and use Trivy to scan the newly built image for security issues and then comment on the PR.
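
A workflow of the kind the comment above describes, written here as an added example rather than the workflow the PR actually adds: it builds the PR's Dockerfile, scans the image with Trivy, posts the table report as a PR comment, and fails the job when a HIGH or CRITICAL finding with an available fix is present. The image tag, the report file name, the severity threshold and the ignore-unfixed choice are assumptions made for this example, not settings taken from the project.

```yaml
name: Image security scan

on:
  pull_request:

# The default token only needs to read the repo and write PR comments.
permissions:
  contents: read
  pull-requests: write

jobs:
  build-and-scan:
    runs-on: ubuntu-latest
    env:
      IMAGE: cusdis:pr-${{ github.event.pull_request.number }}
    steps:
      - uses: actions/checkout@v3

      # Build the PR's Dockerfile locally; the image is never pushed anywhere.
      - name: Build image
        run: docker build --pull -t "$IMAGE" .

      # Scan the freshly built image. exit-code 1 fails the job when a
      # HIGH or CRITICAL finding with an available fix is present;
      # ignore-unfixed leaves out CVEs that have no fixed version yet.
      - name: Scan image with Trivy
        uses: aquasecurity/trivy-action@master   # pin to a release tag or commit SHA in practice
        with:
          image-ref: ${{ env.IMAGE }}
          format: table
          output: trivy-report.txt
          severity: HIGH,CRITICAL
          ignore-unfixed: true
          exit-code: '1'

      # Post the report even when the scan step failed the job. GitHub caps
      # a comment at 65536 characters, so very long reports are truncated.
      - name: Comment report on PR
        if: always()
        uses: actions/github-script@v6
        with:
          script: |
            const fs = require('fs');
            if (!fs.existsSync('trivy-report.txt')) {
              core.warning('no Trivy report produced (build or scan step did not run)');
              return;
            }
            let report = fs.readFileSync('trivy-report.txt', 'utf8');
            const limit = 60000;
            if (report.length > limit) {
              report = report.slice(0, limit) + '\n... (truncated)';
            }
            await github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              body: '### Trivy scan of `' + process.env.IMAGE + '`\n\n```\n' + report + '\n```',
            });
```

Two caveats. First, on pull requests from forks the GITHUB_TOKEN is read-only, so the comment step fails for those; do not switch the trigger to pull_request_target to get a write token, because that would build an untrusted Dockerfile from the fork with write access to the repository. Second, ignore-unfixed: true would hide findings such as class-validator CVE-2019-18413 in the table above, which has no fixed version; drop that input if unfixable findings should stay visible in the comment.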

@djyde
Owner

djyde commented Aug 2, 2022

nice work!

@djyde djyde merged commit 54916e8 into djyde:dev Aug 2, 2022
@djyde
Owner

djyde commented Aug 2, 2022

Could you please make a new PR that targets the main branch?

@n0vad3v
Contributor Author

n0vad3v commented Aug 3, 2022

OK, so what's happening in #210?

@n0vad3v
Contributor Author

n0vad3v commented Aug 3, 2022

I've created PR at: #211
