Dependency checks during the software build are essential. Vulnerable dependencies can be exploited and lead directly to vulnerabilities in the final product, and every penetration test will check for known vulnerable dependencies.

The American National Institute of Standards and Technology (NIST) publishes data about commonly used dependencies and their known vulnerabilities through the National Vulnerability Database (NVD). The uptime of the NVD service is not as reliable as one would expect. Since all of the libraries that perform dependency checks for a project rely on the data provided by the NIST service, the check generally fails whenever that data is unavailable. Mirroring the data therefore provides the needed stability and also shortens the time the check takes.

Among the “NVD data mirror” Google search results we found a promising project at stevespringett/nist-data-mirror and chose it. The reason for this choice was that our project runs on OpenShift, which is essentially Red Hat's fork of Kubernetes with some added features; one of those features is that root privileges are disabled inside containers. At first that seems like a drawback, but once you get used to it you understand why it is there and the benefits it brings. For that reason Red Hat provides its own versions of the commonly used Docker images that can be deployed without root privileges. That would all be fine, except that some open source images still need root privileges, which makes deploying them on OpenShift a pain. The NIST NVD data mirror is one of them.

The nist-data-mirror is a very simple service: it mirrors the data and spins up an httpd server so the mirrored data can be fetched. Supervisord inside the mirror image is configured to run as root, as seen in its supervisor.conf file.

The first idea was to simply remove that line and let it run as a non-root user. OpenShift assigns a random user id and username to the user running inside the container, so it is not possible to hardcode the username or user id. Once that line is deleted, the deployment fails with the error:

foo@bar:~$ oc logs nist-data-mirror-2-6zsnv
Error: Can't drop privilege as nonroot user
For help, use /usr/bin/supervisord -h

After some analysis we found a solution: we used the sspringett/nvdmirror image to mirror the NIST data into a PVC volume. That is possible because the mirror.sh script does not need root privileges. We then launched a separate httpd instance (from rhel8/httpd-24) with the same PVC volume mounted, exposed a route, and the mirrored data became available. The only thing left was to update the data periodically. Since the container exits after mirror.sh finishes, we created an OpenShift cron job to run mirror.sh, and httpd serves whatever new data it fetches.
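The setup described above, written out as OpenShift manifests. This is an added example and not configuration from the original post or from the nist-data-mirror project. The namespace, image tags, storage size, schedule, the mirror.sh path and argument inside the nvdmirror image, and the httpd-24 document root (/var/www/html) are assumptions; check them against the images you actually deploy.

```yaml
# Added example (not the post's or the project's own config): one PVC shared by a
# CronJob that runs mirror.sh and a Deployment that serves the result with httpd-24.
# Assumed values: namespace, image tags, mirror.sh location/argument, httpd docroot.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: nvd-mirror-data
  namespace: ci-tools                # assumed namespace
spec:
  accessModes:
    - ReadWriteMany                  # cron pod and httpd pod may be scheduled on different nodes
  resources:
    requests:
      storage: 5Gi                   # assumed; size for the JSON feeds you mirror
---
apiVersion: batch/v1
kind: CronJob
metadata:
  name: nvd-mirror-refresh
  namespace: ci-tools
spec:
  schedule: "0 */6 * * *"            # assumed refresh interval
  concurrencyPolicy: Forbid          # never run two mirror.sh instances against the same volume
  jobTemplate:
    spec:
      template:
        spec:
          restartPolicy: OnFailure
          containers:
            - name: mirror
              image: docker.io/sspringett/nvdmirror:latest   # tag assumed
              # mirror.sh path and its target-directory argument are assumptions
              command: ["/bin/sh", "-c", "/mirror.sh /mirror"]
              securityContext:
                runAsNonRoot: true   # OpenShift picks the UID; do not pin runAsUser
                allowPrivilegeEscalation: false
              volumeMounts:
                - name: data
                  mountPath: /mirror
          volumes:
            - name: data
              persistentVolumeClaim:
                claimName: nvd-mirror-data
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nvd-mirror-httpd
  namespace: ci-tools
spec:
  replicas: 1
  selector:
    matchLabels: { app: nvd-mirror }
  template:
    metadata:
      labels: { app: nvd-mirror }
    spec:
      containers:
        - name: httpd
          image: registry.redhat.io/rhel8/httpd-24:latest   # tag assumed
          ports:
            - containerPort: 8080    # non-root httpd-24 listens on 8080, not 80
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
          readinessProbe:
            httpGet: { path: /, port: 8080 }
          volumeMounts:
            - name: data
              mountPath: /var/www/html   # assumed docroot of httpd-24
              readOnly: true             # httpd only reads what mirror.sh wrote
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: nvd-mirror-data
---
apiVersion: v1
kind: Service
metadata:
  name: nvd-mirror
  namespace: ci-tools
spec:
  selector: { app: nvd-mirror }
  ports:
    - port: 8080
      targetPort: 8080
---
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: nvd-mirror
  namespace: ci-tools
spec:
  to: { kind: Service, name: nvd-mirror }
  port: { targetPort: 8080 }
  tls: { termination: edge }         # serve the feeds over HTTPS at the cluster edge
```

Apply with `oc apply -f` and point the dependency-check tool in your build at the route's URL instead of nvd.nist.gov. Two things to verify on a real cluster: the PVC's storage class must support ReadWriteMany (or both pods must be pinned to one node), and the volume must be writable by the arbitrary UID, which on OpenShift works because the restricted SCC assigns an fsGroup from the namespace's range; a storage backend that ignores fsGroup will make the cron pod fail with a permission error on its first write.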
