Hi All,

I know a bit of Nix, but not enough to track down the source of the zlib dependency that is setting off the grype scanner on my Nix container. I am wondering if someone can chime in and help me work backwards to identify and fix the source of CVE-2023-45853 (the Nix source is included below in the 3rd section).

Any assistance in troubleshooting would be greatly appreciated.

This is the scan that has flagged the vulnerability:
```
# grype my-springboot-app-docker:0.0.1
 ✔ Vulnerability DB                [no update available]
 ✔ Loaded image                    my-springboot-docker:0.0.1
 ✔ Parsed image                    sha256:a00c4d81ff0bf24as45ac3647c9a08d33b893563ce52c4e196eb59d798df3aa9
 ✔ Cataloged contents              744769e40df51165fa16878994b13eff379f4ccf222784f79b7bd4261bd14784
   ├── ✔ Packages                  [112 packages]
   ├── ✔ File digests              [1,483 files]
   ├── ✔ File metadata             [1,483 locations]
   └── ✔ Executables               [330 executables]
 ✔ Scanned for vulnerabilities     [1 vulnerability matches]
   ├── by severity: 1 critical, 0 high, 0 medium, 0 low, 0 negligible
   └── by status:   0 fixed, 1 not-fixed, 0 ignored
NAME  INSTALLED  FIXED-IN  TYPE  VULNERABILITY   SEVERITY
zlib  1.3                  nix   CVE-2023-45853  Critical
```
This is the dive of the container's packages (arch = arm64):

```
└── nix
    └── store
        ├── 0l8m0dfsdfsdfkssz2yyfwkdn739h6ad-my-springboot-app-0.0.1
        ├── 2ac40x9r5nnpbprn9lds1nx4129h1sbs-gcc-12.3.0-lib
        ├── 2ww2l3vz6ir4c9v58jwkvdhbi62pwlj0-libunistring-1.1
        ├── 3bjvd4rmifnk31qj5m0jxlf85mr87p8v-alsa-lib-1.2.9
        ├── 3xkjm07513fsj6xh8wn1hkj1d720bhjy-xgcc-12.3.0-libgcc
        ├── 57dmbr3wqsmmfwn6gvaf97jaiim0w7j1-libpng-apng-1.6.40
        ├── 8nj2b7hfqky7ma4c5hl2jxsc863iqc23-libjpeg-turbo-2.1.5.1
        ├── 9gghrpwiplyi1s2czws4jl28y3gcan2m-alsa-ucm-conf-1.2.10
        ├── a43p2cn7mzrwy6d6j6nrkzam2cl08did-zlib-1.3
        │   ├── lib
        │   │   ├── libz.so → libz.so.1.3
        │   │   ├── libz.so.1 → libz.so.1.3
        │   │   └── libz.so.1.3
        │   └── share
        │       └── man
        │           └── man3
        │               └── zlib.3.gz
        ├── b0a4w2rls0bzav0zlz4kimb7gcasvksx-libidn2-2.3.4
        ├── b5kq5kqw0qxjiyrl6ws74r98nspxlc2v-brotli-1.1.0-lib
        ├── j9qfhr3bq705rai1vhjid6bn3pqkq1xc-lcms2-2.15
        ├── vh78i6729d9kfv97q2id2z2cn8kzm5ay-glibc-2.38-44
        ├── wrr5xnycsy8vlcjar8qbhlar9faw9ayj-alsa-topology-conf-1.2.5.1
        ├── xd6yxkl270syr2raam6lr48bpsa2x3bv-freetype-2.13.2
        ├── zvlrvpz3hcwaqnhrrxwnkwxh0x3x1kkw-gcc-12.3.0-libgcc
        └── zx3hg7xk5vpajky8xfwdlla72q2fcwsw-bzip2-1.0.8
```
Here is the Nix code I used to build the Java app and create the docker container, my-springboot-app-docker.nix; it expects a Maven-built Java application with a pom.xml file:
```nix
{ pkgs ? import <nixpkgs> {} }:
let
  # Package name will be based off of these
  artifactId = "my-springboot-app";
  artifactVersion = "0.0.1";

  # Build our project
  mavenPackage = pkgs.maven.buildMavenPackage ({
    pname = artifactId;
    version = artifactVersion;
    src = ./.;
    buildInputs = [ pkgs.maven pkgs.jdk21_headless ];
    installPhase = ''
      mkdir $out
      cp target/*.jar $out/app.jar
      # Build a custom minimal JRE
      jlink --module-path $JAVA_HOME/jmods \
        --add-modules java.base,java.naming,java.management,java.desktop \
        --strip-debug --no-header-files --no-man-pages \
        --output $out/jre
    '';
    mvnHash = ""; # FIXME: first run will download and spit out the maven hash to be put here
  });

  # Build our Docker image
  dockerImage = pkgs.dockerTools.buildLayeredImage {
    name = "${artifactId}-docker";
    tag = "${artifactVersion}";
    contents = [
      mavenPackage
    ];
    config = {
      Cmd = [ "${mavenPackage}/jre/bin/java" "-jar" "${mavenPackage}/app.jar" ];
      ExposedPorts = {
        "8080/tcp" = {};
      };
    };
  };
in
dockerImage
```
```
nix-build my-springboot-app-docker.nix
docker load < result
grype my-springboot-app-docker:0.0.1
dive my-springboot-app-docker:0.0.1
```
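The "work backwards" step the question asks for is a walk over the closure's reference graph: which store paths reference the flagged zlib path directly, and which chains lead there from the image's root derivation. That is what `nix why-depends ./result <zlib-store-path>` answers; the script below is an added example (not part of the original post) that does the same search over a reference map. The map is constructed for illustration using the store names from the dive listing above; its edges are assumed, and on a real system you would fill it from `nix-store -q --references <path>` for every path in `nix-store -qR ./result`.

```python
"""Work backwards from a flagged Nix store path to the closure members that pull it in."""

# Constructed sample (edges assumed): store name -> names its output references directly.
# Real data: one `nix-store -q --references` call per path in `nix-store -qR ./result`.
SAMPLE_REFERENCES = {
    "my-springboot-app-0.0.1": ["glibc-2.38-44", "freetype-2.13.2",
                                "libpng-apng-1.6.40", "libjpeg-turbo-2.1.5.1",
                                "lcms2-2.15", "alsa-lib-1.2.9"],
    "freetype-2.13.2": ["glibc-2.38-44", "zlib-1.3", "libpng-apng-1.6.40",
                        "bzip2-1.0.8", "brotli-1.1.0-lib"],
    "libpng-apng-1.6.40": ["glibc-2.38-44", "zlib-1.3"],
    "libjpeg-turbo-2.1.5.1": ["glibc-2.38-44"],
    "lcms2-2.15": ["glibc-2.38-44"],
    "alsa-lib-1.2.9": ["glibc-2.38-44", "alsa-ucm-conf-1.2.10",
                       "alsa-topology-conf-1.2.5.1"],
    "zlib-1.3": ["glibc-2.38-44"],
    "bzip2-1.0.8": ["glibc-2.38-44"],
    "brotli-1.1.0-lib": ["glibc-2.38-44"],
    "glibc-2.38-44": [],
    "alsa-ucm-conf-1.2.10": [],
    "alsa-topology-conf-1.2.5.1": [],
}


def direct_referrers(refs, target):
    """Closure members whose outputs reference `target` directly: the paths to fix."""
    return sorted(name for name, deps in refs.items() if target in deps)


def reference_chains(refs, root, target):
    """Every simple reference chain root -> ... -> target, shortest first."""
    chains = []

    def walk(node, path):
        if node == target:
            chains.append(path)
            return
        for dep in refs.get(node, []):
            if dep not in path:  # store closures are DAGs, but guard against self-references
                walk(dep, path + [dep])

    walk(root, [root])
    return sorted(chains, key=lambda chain: (len(chain), chain))


if __name__ == "__main__":
    for chain in reference_chains(SAMPLE_REFERENCES, "my-springboot-app-0.0.1", "zlib-1.3"):
        print(" -> ".join(chain))
    print("directly referenced by:", direct_referrers(SAMPLE_REFERENCES, "zlib-1.3"))
```

The direct referrers are the paths whose build inputs or runtime library set actually has to change (or be overridden with a patched zlib) for the finding to go away; removing the scanner match without changing one of them only hides it.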