maxcve

command module

v0.0.0-...-1cad9a8 Latest Latest Go to latest Published: Apr 2, 2024 License: Apache-2.0 Imports: 16 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/imjasonh/maxcve

Links

Open Source Insights

README ¶

MAXIMUM CVEs

This repo generates a container image that maximizes the number of CVEs in the image, while minimizing the size of the image.

$ grype ghcr.io/chainguard-dev/maxcve/maxcve 1> /dev/null
   ├── ✔ Packages                        [48,215 packages]
   └── ✔ Executables                     [0 executables]
 ✔ Scanned for vulnerabilities     [290565 vulnerability matches]
   ├── by severity: 5968 critical, 50545 high, 38097 medium, 1390 low, 0 negligible (194565 unknown)
   └── by status:   282221 fixed, 8344 not-fixed, 0 ignored

(As of March 28, 2024)

Or, if you prefer to consume data visually:

Zero negligible vulns, nice!

Real minimal base image for scale

Development

go run . ttl.sh/maxcve

How it works

To minimize size, the image doesn't actually contain any packages. In fact, it only contains two files:

/etc/os-release, which tells scanners the image is a Wolfi image.
/lib/apk/db/installed, which tells scanners what packages the image contains -- i.e., that it contains every version of every package that Wolfi has ever produced.

Wolfi aims to reduce the number of vulnerable packages by producing new fixed packages as soon as possible. But, along the way, it also produces lots and lots of packages, and those packages over time do have vulnerabilities discovered in them. This image claims to contain all of them.

Amusingly, it takes about 500ms to build and push the image, and almost two minutes to scan it.

Why?

Aside from being fun, this image demonstrates how scanners work -- and importantly, how they don't work.

At their most basic, scanners require images (1) tell them what OS they are, and (2) tell them what packages they contain. This image does both, but it does so in a way that is misleading.

For a similar (but opposite) demonstration of this, see Malicious Compliance: Reflections on Trusting Container Scanners. In that talk, they mislead the scanner into finding fewer CVEs in the presence of vulnerable packages. In this demonstration, we mislead the scanner into finding vulnerabilities without installing any packages.

Documentation ¶

There is no documentation for this package.

Source Files ¶

View all Source files

main.go

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL