
Private keys stored in pactfoundation/pact-cli docker image #123

Closed
atucznio opened this issue Nov 9, 2023 · 3 comments · Fixed by #134

Comments


atucznio commented Nov 9, 2023

Pre issue-raising checklist

I have already (please mark the applicable with an x):

  • [x] Upgraded to the latest version of the relevant libraries
  • [x] Checked to see if the issue has already been raised
  • [x] Created an executable example that demonstrates the issue using either:

Dockerfile contains only FROM pactfoundation/pact-cli:latest

Software versions

  • pact library: pactfoundation/pact-cli:latest docker image
  • pact-ruby-standalone: -
  • OS: -

Expected behaviour

Private keys NOT stored in image - security issue

Actual behaviour

Private keys stored in pactfoundation/pact-cli docker image

Steps to reproduce

Build docker image from https://hub.docker.com/r/pactfoundation/pact-cli/tags

Relevant log files

Security scans raised this issue

YOU54F transferred this issue from pact-foundation/pact-ruby-standalone Nov 9, 2023

YOU54F (Member) commented Nov 9, 2023

Which PK are you referring to? Your report doesn't provide enough detail.

Please provide the output of your scan

Security scans raised this issue

Note: I've transferred this issue to the repository in which the docker image is generated 👍🏾

atucznio (Author):

Thank you for transferring the issue. Here are the logs from the security scan:

Found:
/usr/lib/ruby/gems/3.2.0/gems/pact_broker-client-1.75.0/spec/fixtures/certificates/ca_key.pem
/usr/lib/ruby/gems/3.2.0/gems/pact_broker-client-1.75.0/spec/fixtures/certificates/key.pem
/usr/lib/ruby/gems/3.2.0/gems/pact_broker-client-1.75.0/spec/fixtures/certificates/unsigned_key.pem
/usr/lib/ruby/gems/3.2.0/gems/rubygems-update-3.4.22/test/rubygems/alternate_key.pem
/usr/lib/ruby/gems/3.2.0/gems/rubygems-update-3.4.22/test/rubygems/child_key.pem
/usr/lib/ruby/gems/3.2.0/gems/rubygems-update-3.4.22/test/rubygems/data/gem-private_key.pem
/usr/lib/ruby/gems/3.2.0/gems/rubygems-update-3.4.22/test/rubygems/encrypted_private_key.pem
/usr/lib/ruby/gems/3.2.0/gems/rubygems-update-3.4.22/test/rubygems/grandchild_key.pem
/usr/lib/ruby/gems/3.2.0/gems/rubygems-update-3.4.22/test/rubygems/invalid_client.pem
/usr/lib/ruby/gems/3.2.0/gems/rubygems-update-3.4.22/test/rubygems/invalid_key.pem
/usr/lib/ruby/gems/3.2.0/gems/rubygems-update-3.4.22/test/rubygems/invalidchild_key.pem
/usr/lib/ruby/gems/3.2.0/gems/rubygems-update-3.4.22/test/rubygems/private3072_key.pem
/usr/lib/ruby/gems/3.2.0/gems/rubygems-update-3.4.22/test/rubygems/private_ec_key.pem
/usr/lib/ruby/gems/3.2.0/gems/rubygems-update-3.4.22/test/rubygems/private_key.pem
/usr/lib/ruby/gems/3.2.0/gems/rubygems-update-3.4.22/test/rubygems/ssl_key.pem

YOU54F (Member) commented Jul 30, 2024

Hey,

So I've removed the test files from pact_broker-client in PR and removed the ruby-gems system update post install in PR

With the current codebase, the only pem files contained are those of the underlying system and those required by ruby.

The image is being released now

Hope that helps :)

Output from my local machine after building

 => => naming to docker.io/library/pact    0.0s

View build details: docker-desktop://dashboard/build/desktop-linux/desktop-linux/lnkngxx99r0prht4j670ijp9k

What's next:
    View a summary of image vulnerabilities and recommendations → docker scout quickview 

pact-ruby-cli on  master@origin:master [$!] via 🐳 desktop-linux via 💎 v3.3.4 took 13s 
🕙17:18:25 ❯ docker run --rm -it pact /bin/sh
~ # find / -name '*.pem'
/usr/local/lib/site_ruby/3.3.0/rubygems/ssl_certs/rubygems.org/GlobalSignRootCA_R3.pem
/usr/local/lib/site_ruby/3.3.0/rubygems/ssl_certs/rubygems.org/GlobalSignRootCA.pem
/etc/ssl1.1/cert.pem
/etc/ssl/certs/ca-cert-Certigna_Root_CA.pem
/etc/ssl/certs/ca-cert-AffirmTrust_Commercial.pem
/etc/ssl/certs/ca-cert-Baltimore_CyberTrust_Root.pem
/etc/ssl/certs/ca-cert-QuoVadis_Root_CA_3.pem
/etc/ssl/certs/ca-cert-BJCA_Global_Root_CA1.pem
/etc/ssl/certs/ca-cert-Trustwave_Global_Certification_Authority.pem
/etc/ssl/certs/ca-cert-SSL.com_EV_Root_Certification_Authority_RSA_R2.pem
/etc/ssl/certs/ca-cert-CommScope_Public_Trust_RSA_Root-01.pem
/etc/ssl/certs/ca-cert-ePKI_Root_Certification_Authority.pem
/etc/ssl/certs/ca-cert-emSign_Root_CA_-_C1.pem
/etc/ssl/certs/ca-cert-UCA_Global_G2_Root.pem
/etc/ssl/certs/ca-cert-D-TRUST_Root_Class_3_CA_2_EV_2009.pem
/etc/ssl/certs/ca-cert-Telekom_Security_TLS_RSA_Root_2023.pem
/etc/ssl/certs/ca-cert-NAVER_Global_Root_Certification_Authority.pem
/etc/ssl/certs/ca-cert-TunTrust_Root_CA.pem
/etc/ssl/certs/ca-cert-Amazon_Root_CA_2.pem
/etc/ssl/certs/ca-cert-Certigna.pem
/etc/ssl/certs/ca-cert-Trustwave_Global_ECC_P256_Certification_Authority.pem
/etc/ssl/certs/ca-cert-Security_Communication_RootCA2.pem
/etc/ssl/certs/ca-cert-DigiCert_Assured_ID_Root_G3.pem
/etc/ssl/certs/ca-cert-Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.pem
/etc/ssl/certs/ca-cert-emSign_ECC_Root_CA_-_C3.pem
/etc/ssl/certs/ca-cert-TWCA_Global_Root_CA.pem
/etc/ssl/certs/ca-cert-Amazon_Root_CA_1.pem
/etc/ssl/certs/ca-cert-GTS_Root_R2.pem
/etc/ssl/certs/ca-cert-D-TRUST_Root_Class_3_CA_2_2009.pem
/etc/ssl/certs/ca-cert-DigiCert_Assured_ID_Root_CA.pem
/etc/ssl/certs/ca-cert-TUBITAK_Kamu_SM_SSL_Kok_Sertifikasi_-_Surum_1.pem
/etc/ssl/certs/ca-cert-OISTE_WISeKey_Global_Root_GB_CA.pem
/etc/ssl/certs/ca-cert-Telia_Root_CA_v2.pem
/etc/ssl/certs/ca-cert-UCA_Extended_Validation_Root.pem
/etc/ssl/certs/ca-cert-Amazon_Root_CA_3.pem
/etc/ssl/certs/ca-cert-SSL.com_Root_Certification_Authority_RSA.pem
/etc/ssl/certs/ca-cert-TeliaSonera_Root_CA_v1.pem
/etc/ssl/certs/ca-cert-T-TeleSec_GlobalRoot_Class_3.pem
/etc/ssl/certs/ca-cert-BJCA_Global_Root_CA2.pem
/etc/ssl/certs/ca-cert-e-Szigno_Root_CA_2017.pem
/etc/ssl/certs/ca-cert-T-TeleSec_GlobalRoot_Class_2.pem
/etc/ssl/certs/ca-cert-SSL.com_TLS_RSA_Root_CA_2022.pem
/etc/ssl/certs/ca-cert-COMODO_RSA_Certification_Authority.pem
/etc/ssl/certs/ca-cert-QuoVadis_Root_CA_3_G3.pem
/etc/ssl/certs/ca-cert-Starfield_Root_Certificate_Authority_-_G2.pem
/etc/ssl/certs/ca-cert-vTrus_Root_CA.pem
/etc/ssl/certs/ca-cert-Entrust_Root_Certification_Authority.pem
/etc/ssl/certs/ca-cert-Entrust_Root_Certification_Authority_-_G2.pem
/etc/ssl/certs/ca-cert-Entrust.net_Premium_2048_Secure_Server_CA.pem
/etc/ssl/certs/ca-cert-GlobalSign_Root_R46.pem
/etc/ssl/certs/ca-cert-GDCA_TrustAUTH_R5_ROOT.pem
/etc/ssl/certs/ca-cert-AffirmTrust_Premium_ECC.pem
/etc/ssl/certs/ca-cert-CommScope_Public_Trust_ECC_Root-02.pem
/etc/ssl/certs/ca-cert-DigiCert_TLS_ECC_P384_Root_G5.pem
/etc/ssl/certs/ca-cert-IdenTrust_Public_Sector_Root_CA_1.pem
/etc/ssl/certs/ca-cert-AC_RAIZ_FNMT-RCM_SERVIDORES_SEGUROS.pem
/etc/ssl/certs/ca-cert-Security_Communication_RootCA3.pem
/etc/ssl/certs/ca-cert-IdenTrust_Commercial_Root_CA_1.pem
/etc/ssl/certs/ca-cert-GlobalSign_Root_E46.pem
/etc/ssl/certs/ca-cert-DigiCert_High_Assurance_EV_Root_CA.pem
/etc/ssl/certs/ca-cert-Hongkong_Post_Root_CA_3.pem
/etc/ssl/certs/ca-cert-Certainly_Root_R1.pem
/etc/ssl/certs/ca-cert-Entrust_Root_Certification_Authority_-_G4.pem
/etc/ssl/certs/ca-cert-Actalis_Authentication_Root_CA.pem
/etc/ssl/certs/ca-cert-TWCA_Root_Certification_Authority.pem
/etc/ssl/certs/ca-cert-ACCVRAIZ1.pem
/etc/ssl/certs/ca-cert-ISRG_Root_X1.pem
/etc/ssl/certs/ca-cert-Certum_Trusted_Network_CA.pem
/etc/ssl/certs/ca-cert-FIRMAPROFESIONAL_CA_ROOT-A_WEB.pem
/etc/ssl/certs/ca-cert-Sectigo_Public_Server_Authentication_Root_E46.pem
/etc/ssl/certs/ca-cert-Go_Daddy_Class_2_CA.pem
/etc/ssl/certs/ca-cert-GlobalSign_Root_CA_-_R3.pem
/etc/ssl/certs/ca-cert-AffirmTrust_Premium.pem
/etc/ssl/certs/ca-cert-Buypass_Class_3_Root_CA.pem
/etc/ssl/certs/ca-cert-CommScope_Public_Trust_RSA_Root-02.pem
/etc/ssl/certs/ca-cert-emSign_ECC_Root_CA_-_G3.pem
/etc/ssl/certs/ca-cert-QuoVadis_Root_CA_2.pem
/etc/ssl/certs/ca-cert-SZAFIR_ROOT_CA2.pem
/etc/ssl/certs/ca-cert-ISRG_Root_X2.pem
/etc/ssl/certs/ca-cert-GlobalSign_Root_CA.pem
/etc/ssl/certs/ca-cert-GTS_Root_R3.pem
/etc/ssl/certs/ca-cert-CFCA_EV_ROOT.pem
/etc/ssl/certs/ca-cert-Sectigo_Public_Server_Authentication_Root_R46.pem
/etc/ssl/certs/ca-cert-Microsec_e-Szigno_Root_CA_2009.pem
/etc/ssl/certs/ca-cert-Atos_TrustedRoot_Root_CA_ECC_TLS_2021.pem
/etc/ssl/certs/ca-cert-DigiCert_Global_Root_G2.pem
/etc/ssl/certs/ca-cert-emSign_Root_CA_-_G1.pem
/etc/ssl/certs/ca-cert-Buypass_Class_2_Root_CA.pem
/etc/ssl/certs/ca-cert-Go_Daddy_Root_Certificate_Authority_-_G2.pem
/etc/ssl/certs/ca-cert-D-TRUST_BR_Root_CA_1_2020.pem
/etc/ssl/certs/ca-cert-Secure_Global_CA.pem
/etc/ssl/certs/ca-cert-Atos_TrustedRoot_Root_CA_RSA_TLS_2021.pem
/etc/ssl/certs/ca-cert-Starfield_Services_Root_Certificate_Authority_-_G2.pem
/etc/ssl/certs/ca-cert-DigiCert_Trusted_Root_G4.pem
/etc/ssl/certs/ca-cert-Starfield_Class_2_CA.pem
/etc/ssl/certs/ca-cert-HARICA_TLS_ECC_Root_CA_2021.pem
/etc/ssl/certs/ca-cert-CA_Disig_Root_R2.pem
/etc/ssl/certs/ca-cert-SSL.com_Root_Certification_Authority_ECC.pem
/etc/ssl/certs/ca-cert-COMODO_Certification_Authority.pem
/etc/ssl/certs/ca-cert-Hellenic_Academic_and_Research_Institutions_ECC_RootCA_2015.pem
/etc/ssl/certs/ca-cert-XRamp_Global_CA_Root.pem
/etc/ssl/certs/ca-cert-SwissSign_Gold_CA_-_G2.pem
/etc/ssl/certs/ca-cert-AC_RAIZ_FNMT-RCM.pem
/etc/ssl/certs/ca-cert-Microsoft_ECC_Root_Certificate_Authority_2017.pem
/etc/ssl/certs/ca-cert-USERTrust_ECC_Certification_Authority.pem
/etc/ssl/certs/ca-cert-Hellenic_Academic_and_Research_Institutions_RootCA_2015.pem
/etc/ssl/certs/ca-cert-Telekom_Security_TLS_ECC_Root_2020.pem
/etc/ssl/certs/ca-cert-certSIGN_Root_CA_G2.pem
/etc/ssl/certs/ca-cert-QuoVadis_Root_CA_1_G3.pem
/etc/ssl/certs/ca-cert-HARICA_TLS_RSA_Root_CA_2021.pem
/etc/ssl/certs/ca-cert-QuoVadis_Root_CA_2_G3.pem
/etc/ssl/certs/ca-cert-TrustAsia_Global_Root_CA_G3.pem
/etc/ssl/certs/ca-cert-DigiCert_Assured_ID_Root_G2.pem
/etc/ssl/certs/ca-cert-D-TRUST_EV_Root_CA_1_2020.pem
/etc/ssl/certs/ca-cert-Comodo_AAA_Services_root.pem
/etc/ssl/certs/ca-cert-Amazon_Root_CA_4.pem
/etc/ssl/certs/ca-cert-DigiCert_Global_Root_CA.pem
/etc/ssl/certs/ca-cert-TrustAsia_Global_Root_CA_G4.pem
/etc/ssl/certs/ca-cert-GlobalSign_ECC_Root_CA_-_R5.pem
/etc/ssl/certs/ca-cert-GlobalSign_Root_CA_-_R6.pem
/etc/ssl/certs/ca-cert-Microsoft_RSA_Root_Certificate_Authority_2017.pem
/etc/ssl/certs/ca-cert-SwissSign_Silver_CA_-_G2.pem
/etc/ssl/certs/ca-cert-Certainly_Root_E1.pem
/etc/ssl/certs/ca-cert-ANF_Secure_Server_Root_CA.pem
/etc/ssl/certs/ca-cert-vTrus_ECC_Root_CA.pem
/etc/ssl/certs/ca-cert-SSL.com_TLS_ECC_Root_CA_2022.pem
/etc/ssl/certs/ca-cert-Certum_Trusted_Network_CA_2.pem
/etc/ssl/certs/ca-cert-COMODO_ECC_Certification_Authority.pem
/etc/ssl/certs/ca-cert-AffirmTrust_Networking.pem
/etc/ssl/certs/ca-cert-Certum_EC-384_CA.pem
/etc/ssl/certs/ca-cert-GTS_Root_R4.pem
/etc/ssl/certs/ca-cert-Entrust_Root_Certification_Authority_-_EC1.pem
/etc/ssl/certs/ca-cert-Security_Communication_ECC_RootCA1.pem
/etc/ssl/certs/ca-cert-certSIGN_ROOT_CA.pem
/etc/ssl/certs/ca-cert-SecureTrust_CA.pem
/etc/ssl/certs/ca-cert-SecureSign_RootCA11.pem
/etc/ssl/certs/ca-cert-DigiCert_Global_Root_G3.pem
/etc/ssl/certs/ca-cert-USERTrust_RSA_Certification_Authority.pem
/etc/ssl/certs/ca-cert-CommScope_Public_Trust_ECC_Root-01.pem
/etc/ssl/certs/ca-cert-Certum_Trusted_Root_CA.pem
/etc/ssl/certs/ca-cert-Trustwave_Global_ECC_P384_Certification_Authority.pem
/etc/ssl/certs/ca-cert-GlobalSign_ECC_Root_CA_-_R4.pem
/etc/ssl/certs/ca-cert-NetLock_Arany_=Class_Gold=_Főtanúsítvány.pem
/etc/ssl/certs/ca-cert-HiPKI_Root_CA_-_G1.pem
/etc/ssl/certs/ca-cert-DigiCert_TLS_RSA4096_Root_G5.pem
/etc/ssl/certs/ca-cert-Izenpe.com.pem
/etc/ssl/certs/ca-cert-OISTE_WISeKey_Global_Root_GC_CA.pem
/etc/ssl/certs/ca-cert-GTS_Root_R1.pem
/etc/ssl/certs/ca-cert-SSL.com_EV_Root_Certification_Authority_ECC.pem
/etc/ssl/certs/ca-cert-Atos_TrustedRoot_2011.pem
/etc/ssl/cert.pem
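The check used in the thread, find / -name '*.pem', lists every PEM file in the image, public CA certificates included, so each hit has to be judged by its file name. Below is an added example, not code from this issue or from the pact-cli project, that classifies by PEM header instead: a file is reported only when its content carries a "BEGIN ... PRIVATE KEY" block, so /etc/ssl/certs/*.pem and public keys are skipped while key fixtures under a gem's spec/ or test/ directory are flagged. It runs against a constructed directory that stands in for an image's root filesystem; the directory layout, file names and placeholder bodies are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the issue thread or the pact-cli project: find
# private-key material in a filesystem tree (e.g. a container's rootfs) by PEM
# header rather than by file name.

# Matches PKCS#8 ("BEGIN PRIVATE KEY"), traditional OpenSSL ("BEGIN RSA/EC/DSA
# PRIVATE KEY"), encrypted PKCS#8 and OpenSSH private-key block headers.
PRIVKEY_HEADER='-----BEGIN ([A-Z ]+ )?PRIVATE KEY-----'

# find_private_keys DIR: print the path of every *.pem / *.key file under DIR
# whose content carries a private-key header, one per line.
find_private_keys() {
    find "$1" -type f \( -name '*.pem' -o -name '*.key' \) \
        -exec grep -l -E -- "$PRIVKEY_HEADER" {} + 2>/dev/null || true
}

# count_private_keys DIR: number of private-key files found under DIR.
count_private_keys() {
    find_private_keys "$1" | wc -l | tr -d ' '
}

# assert_no_private_keys DIR: exit status 0 when DIR holds no private keys,
# 1 otherwise, so it can be used as a gate in an image build pipeline.
assert_no_private_keys() {
    [ "$(count_private_keys "$1")" -eq 0 ]
}

# make_sample_tree: build a constructed directory that mimics the two cases in
# the issue (gem test fixtures holding keys, system CA certificates) and print
# its path. The bodies are placeholders, not real key or certificate material.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/gems/some_gem/spec/fixtures" "$d/etc/ssl/certs"
    printf '%s\n%s\n%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
        'CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY' '-----END RSA PRIVATE KEY-----' \
        > "$d/gems/some_gem/spec/fixtures/key.pem"
    printf '%s\n%s\n%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' \
        'CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY' '-----END ENCRYPTED PRIVATE KEY-----' \
        > "$d/gems/some_gem/spec/fixtures/encrypted_private_key.pem"
    printf '%s\n%s\n%s\n' '-----BEGIN EC PRIVATE KEY-----' \
        'CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY' '-----END EC PRIVATE KEY-----' \
        > "$d/gems/some_gem/spec/fixtures/private_ec_key.pem"
    # A CA certificate: same .pem extension, but no private-key header.
    printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' \
        'CONSTRUCTED-PLACEHOLDER-CERTIFICATE-BODY' '-----END CERTIFICATE-----' \
        > "$d/etc/ssl/certs/ca-cert-Example_Root_CA.pem"
    # A public key: also not a finding.
    printf '%s\n%s\n%s\n' '-----BEGIN PUBLIC KEY-----' \
        'CONSTRUCTED-PLACEHOLDER-PUBLIC-KEY-BODY' '-----END PUBLIC KEY-----' \
        > "$d/etc/ssl/certs/example_pub.pem"
    echo "$d"
}

# Demo run on the constructed tree: reports the three fixture keys and nothing
# from etc/ssl/certs.
sample=$(make_sample_tree)
echo "private keys under $sample:"
find_private_keys "$sample"
echo "count: $(count_private_keys "$sample")"
```

To apply it to an image, either run it inside the container the way the thread does (docker run --rm -it pact /bin/sh, then point find_private_keys at /) or export the filesystem first with docker create and docker export, extract the tar, and scan the extracted directory. Scanning by header rather than by name also catches keys that live in files without a .pem suffix once the -name filters are widened; the filters are kept here so the output stays comparable with the thread's listing.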
