Dependency checks are an essential part of building software. Vulnerable dependencies are dangerous in their own right and carry their vulnerabilities straight into the final product; on top of that, every penetration test will check for them.
The American National Institute of Standards and Technology (NIST) publishes the National Vulnerability Database (NVD), which holds information about commonly used dependencies and their known vulnerabilities. The uptime of the NVD service is not as good as one might expect. Since every library that performs a dependency check for your project relies on the data NIST provides, the check usually fails outright when that data is unavailable. Mirroring the data gives the check the stability it needs and also shortens the overall time it takes.
Among the Google search results for “NVD data mirror” we found a promising project at stevespringett/nist-data-mirror and chose it. The reason for this choice was that our project runs on OpenShift, which is basically a fork of Kubernetes by Red Hat with some added features, one of which is that root privileges are disabled inside containers. At first that seems like a bad feature, but once you get used to it you understand the need for it and the benefits it brings. To support it, Red Hat provides its own versions of the commonly used Docker images that can be deployed without root privileges. That would all be fine if some open source images did not require root privileges, which makes deploying them on OpenShift a pain. The NIST NVD data mirror is one of those.
The nist-data-mirror is a very simple service: it mirrors the data and spins up an httpd server so that the mirrored data can be fetched. Supervisord inside the mirror image is configured to run as root, as seen in its supervisor.conf file.
The first idea was simply to remove that setting and let it run as a non-root user. OpenShift assigns a random user id and username to the user running in the container, so hardcoding a username or user id is not possible. Once that line is deleted, the deployment fails with the error:
$ oc logs nist-data-mirror-2-6zsnv
Error: Can't drop privilege as nonroot user
For help, use /usr/bin/supervisord -h
After some analysis we found a solution: we used the sspringett/nvdmirror image to mirror the NIST data into a PVC volume, which works because the mirror.sh script does not need root privileges. We launched a separate httpd instance (from rhel8/httpd-24) with the same PVC volume mounted, exposed a route, and the mirrored data became available. The only thing left was to update the data periodically. Since the container exits after the mirror.sh script finishes, we created an OpenShift CronJob to run mirror.sh, and the httpd serves the new data it fetches.
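The setup described above as OpenShift manifests, written here as an added example rather than the manifests we actually deployed. The images and mirror.sh come from the post; the object names, the storage size, the schedule, the mount path and the assumption that the nvdmirror image's default entrypoint runs mirror.sh and exits are ours.

```yaml
# Added example, not the post's own manifests; names, paths and schedule are assumed.
apiVersion: v1
kind: PersistentVolumeClaim
metadata: {name: nvd-mirror-data}
spec:
  accessModes: [ReadWriteMany]   # assumed: shared by the CronJob pod and the httpd pod
  resources: {requests: {storage: 5Gi}}
---
# Refresh job: mirror.sh runs as whatever random UID OpenShift assigns, so
# supervisord and its root requirement are gone entirely.
apiVersion: batch/v1
kind: CronJob
metadata: {name: nvd-mirror-refresh}
spec:
  schedule: "0 */4 * * *"        # assumed: every four hours
  concurrencyPolicy: Forbid      # never overlap two mirror runs on one volume
  jobTemplate:
    spec:
      template:
        spec:
          restartPolicy: OnFailure
          containers:
            - name: mirror
              image: sspringett/nvdmirror     # default entrypoint runs mirror.sh, then exits
              volumeMounts:
                - {name: data, mountPath: /var/www/html}   # assumed: where mirror.sh writes
          volumes:
            - name: data
              persistentVolumeClaim: {claimName: nvd-mirror-data}
---
# Always-on httpd from Red Hat's rootless image, serving the same volume read-only.
apiVersion: apps/v1
kind: Deployment
metadata: {name: nvd-mirror-httpd}
spec:
  replicas: 1
  selector: {matchLabels: {app: nvd-mirror-httpd}}
  template:
    metadata: {labels: {app: nvd-mirror-httpd}}
    spec:
      containers:
        - name: httpd
          image: registry.redhat.io/rhel8/httpd-24
          ports: [{containerPort: 8080}]      # the rootless image listens on 8080
          volumeMounts:
            - {name: data, mountPath: /var/www/html, readOnly: true}   # assumed docroot
      volumes:
        - name: data
          persistentVolumeClaim: {claimName: nvd-mirror-data}
```

A Service and Route in front of the Deployment complete the picture; if the storage class only offers ReadWriteOnce, both pods must be scheduled on the same node.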