Develop Reference

Logstash 8.0.0 triggers "insecure dependency" alerts, how do you fix it?

We're trying to build a Docker container that contains Logstash-8.0.0 (the latest version, came out yesterday), such that it can be scanned with Trivy and not have any "HIGH" or "CRITICAL" severity alerts.
It's proving very hard to do, as we're not proficient with Java, Ruby, or JRuby.
If we have a Dockerfile that has the Elastic repository in it:
$ cat /etc/apt/sources.list.d/elastic-8.x.list
deb https://artifacts.elastic.co/packages/8.x/apt stable main
And we install logstash:
$ sudo apt-get update
$ sudo apt-get install logstash
Then install and run trivy:
$ curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b .
$ sudo trivy fs -s HIGH,CRITICAL /
We get one critical and two high severity alerts, concerning ruby gems listed in /usr/share/logstash/Gemfile.lock:
usr/share/logstash/Gemfile.lock (bundler)
=========================================
Total: 3 (HIGH: 2, CRITICAL: 1)
+----------+------------------+----------+-------------------+---------------+---------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
+----------+------------------+----------+-------------------+---------------+---------------------------------------+
| json | CVE-2020-10663 | HIGH | 1.8.6-java | >= 2.3.0 | rubygem-json: Unsafe object |
| | | | | | creation vulnerability in JSON |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-10663 |
+----------+------------------+----------+-------------------+ +---------------------------------------+
| kramdown | CVE-2020-14001 | CRITICAL | 1.14.0 | | rubygem-kramdown: processing template |
| | | | | | options inside documents allows |
| | | | | | unintended read access or embedded... |
| | | | | | -->avd.aquasec.com/nvd/cve-2020-14001 |
+----------+------------------+----------+-------------------+---------------+---------------------------------------+
| nokogiri | CVE-2021-41098 | HIGH | 1.12.5-java | >= 1.12.5 | rubygem-nokogiri: XEE on JRuby |
| | | | | | -->avd.aquasec.com/nvd/cve-2021-41098 |
+----------+------------------+----------+-------------------+---------------+---------------------------------------+
By changing the path to include the appropriate(?) directories, we can run ruby, jruby, gem and bundle:
$ export PATH=/usr/share/logstash/bin:/usr/share/logstash/vendor/jruby/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:.
But we're a bit at a loss as to what to try next. So far, it looks like editing /usr/share/logstash/Gemfile to have the right versions of json and nokogiri and commenting out the gems that are marked :development and then run bundle install; bundle update is the way to go:
diff --git a/Gemfile b/Gemfile
index 6e90ef4..1054cb3 100644
--- a/Gemfile
+++ b/Gemfile
## -6,7 +6,8 ## gem "logstash-core", :path => "./logstash-core"
gem "logstash-core-plugin-api", :path => "./logstash-core-plugin-api"
gem "atomic", "~> 1"
gem "builder", "~> 3"
-gem "json", "~> 1"
+gem "json", "~> 2.3.0"
+gem "nokogiri", "1.12.5"
gem "paquet", "~> 0.2"
gem "pleaserun", "~>0.0.28"
gem "rake", "~> 12"
## -18,15 +19,6 ## gem "gems", "~> 1", :group => :build
gem "octokit", "~> 4", :group => :build
gem "rubyzip", "~> 1", :group => :build
gem "stud", "~> 0.0.22", :group => :build
-# gem "belzebuth", :group => :development
-# gem "benchmark-ips", :group => :development
-# # # gem "ci_reporter_rspec", "~> 1", :group => :development
-# gem "flores", "~> 0.0.6", :group => :development
-# gem "json-schema", "~> 2", :group => :development
-# gem "logstash-devutils", "~> 1", :group => :development
-# gem "rack-test", :require => "rack/test", :group => :development
-# gem "rspec", "~> 3.5", :group => :development
-# gem "webmock", "~> 3", :group => :development
gem "logstash-codec-avro"
gem "logstash-codec-cef"
gem "logstash-codec-collectd"
But it seems that the Gemfile.lock file was created by bundler 2.3.6, which is not installed. When we installed bundler 2.3.6, it complained about an unexpected error with openssl. So, upgraded to bundler 2.3.7 (also released yesterday!), and it succeeded with bundle install. But now logstash won't run:
[FATAL] 2022-02-10 18:12:40.504 [main] Logstash - Logstash stopped
processing because of an error: (GemNotFound) Could not find
logstash-filter-elasticsearch-3.11.1,
logstash-filter-http-1.3.0,
logstash-filter-kv-4.6.0,
logstash-input-beats-6.2.6-java,
logstash-input-dead_letter_queue-1.1.10,
logstash-input-http_poller-5.2.0,
logstash-input-sqs-3.2.0,
logstash-input-tcp-6.2.7-java,
logstash-integration-elastic_enterprise_search-2.2.1,
logstash-integration-
kafka-10.10.0-java,
logstash-output-http-5.4.0,
logstash-output-tcp-6.0.1,
puma-5.6.1-java,
jruby-openssl-0.12.1-java,
i18n-1.9.1,
elasticsearch-7.17.0,
logstash-mixin-http_client-7.1.0,
json-2.6.1-java,
redis-4.6.0,
logstash-mixin-aws-5.0.0,
elastic-enterprise-search-7.16.0,
sequel-5.53.0,
elasticsearch-api-7.17.0,
elasticsearch-transport-7.17.0
in any of the sources
Edit: Figured it out!
This makes logstash find the updated ruby gems:
# cd /usr/share/logstash/vendor/jruby/lib/ruby/gems/shared
# tar c . | ( cd /usr/share/logstash/vendor/bundle/jruby/2.5.0; tar x )
This makes trivy stop complaining about snakeyaml-1.23 while letting logstash keep working:
# rm /usr/share/logstash/logstash-core/lib/jars/snakeyaml-1.23.jar
# cp /usr/share/logstash/vendor/jruby/lib/ruby/stdlib/org/yaml/snakeyaml/1.26/snakeyaml-1.26.jar /usr/share/logstash/logstash-core/lib/jars
This cleans up the other trivy jar alerts:
# rm -rf ~/.m2 # Delete maven cache
Cheers!

It was long and involved, but updating to logstash-8.0.0 allowed bundler-2.3.7 to work, and then copying the gems from one directory to another let logstash actually find the gems.
Details added to question.
Cheers!

How can i pass the '-t azure://' target into a ruby inspec script?

If in my script I want to test azure resources using a ruby library (not inspec binary) running in a container:
def my_resource_groups
rg = Inspec::Runner.new(conf={:vendor_cache=>'/app'})
rg.add_target('/app/profiles/azure')
rg.run
end
my_resource_groups()
with this inspec.yml definition
name: inspector
title: Azure InSpec Profile
maintainer: The Authors
copyright: The Authors
copyright_email: you#example.com
license: Apache-2.0
summary: An InSpec Compliance Profile For Azure
version: 0.1.0
inspec_version: '>= 2.2.7'
depends:
- name: inspec-azure
url: https://github.com/inspec/inspec-azure/archive/master.tar.gz
And this test:
title "Azure Resource group spike"
control 'azure_resource_groups' do
describe azure_resource_group do
its('names') { should include 'my_resource_group1' }
end
end
I get:
Skipping profile: 'inspector' on unsupported platform: 'debian/10.7'.
How do I pass the equivalent -t azure:// argument to my ruby script, in the same way as I would if I did this:
sudo docker run \
-v /home/vagrant/scratch/share:/share \
-e AZURE_CLIENT_SECRET="some_secret" \
-e AZURE_CLIENT_ID="some_client_id" \
-e AZURE_TENANT_ID="some_tenant_id" \
-e AZURE_SUBSCRIPTION_ID="some_subscription_id" \
chef/inspec \
exec /share/inspector \
-t azure:// \
--chef-license=accept

just in case anyone else comes across this headache, pass the options as a map into the runner object when you instantiate it. (note the vendor cache was tidied up as well)
def my_resource_groups
rg = Inspec::Runner.new({:target=>'azure://',:vendor_cache=>'/app'})
rg.add_target('/app/profiles/azure')
rg.run
end
my_resource_groups()

Trying to make my first gem and installation isn't working correctly

I've written a gem and have installed it, despite this gem which does not find the gem, nor does require 'gem_name'
Here is my gemspec
# coding: utf-8
lib = File.expand_path('../lib', __FILE__)
$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
require 'faker/faker-rpg/version'
Gem::Specification.new do |spec|
spec.name = "faker-rpg"
spec.version = Faker::Rpg::VERSION
spec.authors = [""]
spec.email = [""]
spec.summary = ""
spec.description = ""
spec.homepage = ""
spec.license = "MIT"
spec.files = `git ls-files -z`.split("\x0")
spec.executables = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
spec.test_files = spec.files.grep(%r{^(test|spec|features)/})
spec.require_paths = ["lib"]
spec.add_development_dependency "bundler", "~> 1.5"
spec.add_development_dependency "rake"
end
gem list does find the gem
gem list faker-rpg
*** LOCAL GEMS ***
faker-rpg (0.0.1)
It is definitely installed to the gem folder
ls /Users/User/.rvm/gems/ruby-2.0.0-p353/gems/ | grep faker-rpg
faker-rpg-0.0.1
And this is the file structure of faker-rpg-0.0.1 inside the above gems folder
ls -R
Gemfile Rakefile
LICENSE.txt faker-rpg.gemspec
README.md lib
./lib:
faker locales
./lib/faker:
faker-rpg faker-rpg.rb
./lib/faker/faker-rpg:
version.rb
./lib/locales:
faker.en.yml
gem which won't find the gem
gem which faker-rpg
ERROR: Can't find ruby library file or shared library faker-rpg
In the ruby console require won't work
2.0.0-p353 :001 > require 'faker-rpg'
LoadError: cannot load such file -- faker-rpg
And here is what gem spec faker-rpg gives
gem spec faker-rpg
--- !ruby/object:Gem::Specification
name: faker-rpg
version: !ruby/object:Gem::Version
version: 0.0.1
platform: ruby
authors:
- ''
autorequire:
bindir: bin
cert_chain: []
date: 2014-06-25 00:00:00.000000000 Z
dependencies:
- !ruby/object:Gem::Dependency
name: bundler
requirement: !ruby/object:Gem::Requirement
requirements:
- - ~>
- !ruby/object:Gem::Version
version: '1.5'
type: :development
prerelease: false
version_requirements: !ruby/object:Gem::Requirement
requirements:
- - ~>
- !ruby/object:Gem::Version
version: '1.5'
- !ruby/object:Gem::Dependency
name: rake
requirement: !ruby/object:Gem::Requirement
requirements:
- - '>='
- !ruby/object:Gem::Version
version: '0'
type: :development
prerelease: false
version_requirements: !ruby/object:Gem::Requirement
requirements:
- - '>='
- !ruby/object:Gem::Version
version: '0'
description: ''
email:
- ''
executables: []
extensions: []
extra_rdoc_files: []
files: []
homepage: ''
licenses:
- MIT
metadata: {}
post_install_message:
rdoc_options: []
require_paths:
- lib
required_ruby_version: !ruby/object:Gem::Requirement
requirements:
- - '>='
- !ruby/object:Gem::Version
version: '0'
required_rubygems_version: !ruby/object:Gem::Requirement
requirements:
- - '>='
- !ruby/object:Gem::Version
version: '0'
requirements: []
rubyforge_project:
rubygems_version: 2.2.2
signing_key:
specification_version: 4
summary: ''
test_files: []
I've found multiple questions about this, and none of the answers that were accepted solved my problem.
The only thing I can think of is that gemspec has the line 'files: []' but the files are definitely in the gem installed to the gems folder.
Does anyone have an ideas?

The gem is actually installed correctly, it’s just you haven’t got your lib paths quite right. Try running gem which faker/faker-rpg to see.
You just need to move the contents of lib/faker up a level, so that they are directly under lib. Currently you are searching for faker-rpg.rb, but that file only exists as faker/faker-rpg.rb, so it isn’t being found.
You’ll probably need to adjust some other parts to make it all work. You don’t mention what is in the locales directory – it might be better to move that under the faker-rpg directory as well. Also the require line in your gemspec where you get the version will need to be adjusted.

How to manage multiple package dependencies with checkinstall?

I have a package that I've been building using checkinstall for a while now, and I wanted to automate it (pass the values in via command line instead of typing the selection, pasting the value in, etc...)
I am not sure if this is a checkinstall bug, or not, but how can I include multiple packages via the command line --requires option. It seems to barf if I include the minimum version of a package (for exmple --requires="libvte9 (>= 0.28.2)"), or multiple packages at once (for example --requires "libvte9, libc6")
Has anyone had better success with the command line arguments for multiple packages? Am I doing something wrong, or is this a bug.
Note: If I run the script, and choose the requires option (10), and paste my entire line with multiple packages and minimum versions (such as libvte9 (>= 0.28.2), libc6 (>= 2.13), it works fine, it just seems to be on the command line that it's having issues. Also this is with building a debian package, using the -D option.

After reading Aleks-Daniel Jakimenko-A.'s answer, Reallumpi's one and doing some tests on a real life case, here is what you should do:
use , (comma) without spaces to separate required packages ;
escape ( and ) parenthesis when specifying package's version ;
escape > (greater sign) when specifying package's version ;
Example
make && sudo -k checkinstall \
--pkgsource="https://github.com/raboof/nethogs/" \
--pkglicense="GPL2" \
--deldesc=no \
--nodoc \
--maintainer="$USER\\<$USER#$HOSTNAME\\>" \
--pkgarch=$(dpkg \
--print-architecture) \
--pkgversion="0.8.1" \
--pkgrelease="SNAPSHOT" \
--pkgname=nethogs \
--requires="libc6 \(\>= 2.4\),libgcc1 \(\>= 1:4.1.1\),libncurses5 \(\>= 5.5-5~\),libpcap0.8 \(\>= 0.9.8\),libstdc++6 \(\>= 4.1.1\),libtinfo5" \
make install
Output
*****************************************
**** Debian package creation selected ***
*****************************************
This package will be built according to these values:
0 - Maintainer: [ elopez<elopez#> ]
1 - Summary: [ Net top tool grouping bandwidth per process ]
2 - Name: [ nethogs ]
3 - Version: [ 0.8.1 ]
4 - Release: [ SNAPSHOT ]
5 - License: [ GPL2 ]
6 - Group: [ checkinstall ]
7 - Architecture: [ amd64 ]
8 - Source location: [ https://github.com/raboof/nethogs/ ]
9 - Alternate source location: [ ]
10 - Requires: [ libc6 (>= 2.4),libgcc1 (>= 1:4.1.1),libncurses5 (>= 5.5-5~),libpcap0.8 (>= 0.9.8),libstdc++6 (>= 4.1.1),libtinfo5 ]
11 - Provides: [ nethogs ]
12 - Conflicts: [ ]
13 - Replaces: [ ]

checkinstall uses , to separate multiple packages. That's it, a comma, without any spaces around it.

You need to escape brackets, e.g. --requires "package \(= 1.0\)"

This answer elaborates on how to properly format punctuation, within a shell script, to get multiple package dependencies for checkinstall to work.
PAK_USER='. , ? ! : + - ^ _ { } = $ % # [ ] / ; # & * ~ ( ) < > \ |'
PAK_NEEDS='. , ? ! : + - ^ _ { } = $ % # [ ] / ; # & * ~ ( ) < > \ |'
PAK_NEEDS=$(echo "$PAK_NEEDS" | perl -pe 's/([[:punct:]])/\\\1/g')
0 - Maintainer: [ . , ? ! : + - ^ _ { } = $ % # [ ] / ]
1 - Summary: [ This is a punctuation escape test. ]
10 - Requires: [ . , ? ! : + - ^ _ { } = $ % # [ ] / ; # & * ~ ( ) < > \ | ]
The ones that needs escaping appear to be shell operators ; # & * ~ ( ) < > \ | Some will return a value * ~ terminate the line ; # or wipe everything out ( ) < > | & while \ disappears since it's the escape character.
The regex perl -pe 's/([[:punct:]])/\\\1/g' escapes all the punctuation characters which is overkill but works quite well. Single and Double Quotes are already problematic, along with $, which will expand unless surrounded by single-quotes.
If you don't want to think about escaping, use the regex and caution with ' " $.
PAK_NEEDS="libasound2 (>= 1.0.16), libavcodec57 (>= 7:3.4.2) | libavcodec-extra57 (>= 7:3.4.2), libavformat57 (>= 7:3.4.2), libavutil55 (>= 7:3.4.2), libboost-filesystem1.65.1, libboost-system1.65.1, libc6 (>= 2.27), libcurl4 (>= 7.16.2), libexpat1 (>= 2.0.1), libgcc1 (>= 1:3.0), libgl1, libglu1-mesa | libglu1, libmad0 (>= 0.15.1b-3), libsdl2-2.0-0 (>= 2.0.8), libsdl2-image-2.0-0 (>= 2.0.2), libsdl2-net-2.0-0 (>= 2.0.1), libsdl2-ttf-2.0-0 (>= 2.0.14), libsndfile1 (>= 1.0.20), libspeex1 (>= 1.2~beta3-1), libspeexdsp1 (>= 1.2~beta3.2-1), libstdc++6 (>= 5.2), libswscale4 (>= 7:3.4.2), libvorbisfile3 (>= 1.1.2), libzzip-0-13 (>= 0.13.56), zlib1g (>= 1:1.1.4)"
PAK_NEEDS=$(echo "$PAK_NEEDS" | perl -pe 's/([[:punct:]])/\\\1/g')
10 - Requires: [ libasound2 (>= 1.0.16), libavcodec57 (>= 7:3.4.2) | libavcodec-extra57 (>= 7:3.4.2), libavformat57 (>= 7:3.4.2), libavutil55 (>= 7:3.4.2), libboost-filesystem1.65.1, libboost-system1.65.1, libc6 (>= 2.27), libcurl4 (>= 7.16.2), libexpat1 (>= 2.0.1), libgcc1 (>= 1:3.0), libgl1, libglu1-mesa | libglu1, libmad0 (>= 0.15.1b-3), libsdl2-2.0-0 (>= 2.0.8), libsdl2-image-2.0-0 (>= 2.0.2), libsdl2-net-2.0-0 (>= 2.0.1), libsdl2-ttf-2.0-0 (>= 2.0.14), libsndfile1 (>= 1.0.20), libspeex1 (>= 1.2~beta3-1), libspeexdsp1 (>= 1.2~beta3.2-1), libstdc++6 (>= 5.2), libswscale4 (>= 7:3.4.2), libvorbisfile3 (>= 1.1.2), libzzip-0-13 (>= 0.13.56), zlib1g (>= 1:1.1.4) ]

Failed to load ruby gem, using require method in IRB

i've created my own rubygem, but when i try in my local machine, there were something annoying, i've been around in google and another StackOverflow question but still not found the solution about this problem.
If i use non-root user in irb and type require 'my_own_gem' after type require 'rubygems' i've got :
LoadError: no such file to load -- my_own_gem
from /usr/lib/ruby/1.8/rubygems/custom_require.rb:36:in `gem_original_require'
from /usr/lib/ruby/1.8/rubygems/custom_require.rb:36:in `require'
from (irb):2
from (null):0
But when using root user, with sudo irb, the problem isn't seen and everything look OK.
gem list -d my_own_gem
my_own_gem (0.0.1)
Author: Jane Doe
Rubyforge: http://rubyforge.org/projects/my_own_gem
Homepage: google.com
Installed at: /var/lib/gems/1.8
lorem ipsum dolor sit amet
gem env
RubyGems Environment:
- RUBYGEMS VERSION: 1.3.7
- RUBY VERSION: 1.8.7 (2010-08-16 patchlevel 302) [x86_64-linux]
- INSTALLATION DIRECTORY: /var/lib/gems/1.8
- RUBY EXECUTABLE: /usr/bin/ruby1.8
- EXECUTABLE DIRECTORY: /var/lib/gems/1.8/bin
- RUBYGEMS PLATFORMS:
- ruby
- x86_64-linux
- GEM PATHS:
- /var/lib/gems/1.8
- GEM CONFIGURATION:
- :update_sources => true
- :verbose => true
- :benchmark => false
- :backtrace => false
- :bulk_threshold => 1000
- REMOTE SOURCES:
- http://rubygems.org/
.bashrc
export GEM_HOME=/var/lib/gems/1.8
export GEM_PATH=/var/lib/gems/1.8
my_own_gem.gemspec
# -*- encoding: utf-8 -*-
$:.push File.expand_path("../lib", __FILE__)
require "my_own_gem/version"
Gem::Specification.new do |s|
s.name = "my_own_gem"
s.version = MyOwnGem::VERSION
s.platform = Gem::Platform::RUBY
s.authors = ["Jane Doe"]
s.email = ["j4n3d0e#gmail.com"]
s.extra_rdoc_files = ["MIT-LICENSE","README.rdoc"]
s.rdoc_options = ["--charset=UTF-8"]
s.homepage = "google.com"
s.summary = %q{lorem ipsum}
s.description = %q{lorem ipsum dolor sit amet}
s.date = Time.now.utc.strftime("%A, %d% %B %Y")
s.rubyforge_project = "my_own_gem"
s.add_dependency "httparty", "= 0.7.8"
s.post_install_message = "my own gem"
s.files = `git ls-files`.split("\n")
s.test_files = `git ls-files -- {test,spec,features}/*`.split("\n")
s.executables = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
s.require_paths = ["lib"]
end

Try add to your .bashrc file
export RUBYOPT="rubygems"
or try to install your gem to /usr/lib/ruby/gems/1.8/......