neotys-labs / docker Goto Github PK

Our vulnerability scanner is flagging CVE-2023-44794 in the neoload-controller and neload-loadgenerator container images.

From what I can see, it is flagging on the spring-core:5.3.27 package which is added to the image in the Dockerfile command:
COPY /neoload /home/neoload/neoload # buildkit

Can I ask if this has already been investigated? And if there is a remediation/mitigation available?

Many thanks,

EDIT: I believe a prerequisite for the vulnerability is the use of Dromara SaToken <=v1.36.0 - so it is possible this may be a false positive if that is not in use?

https://nvd.nist.gov/vuln/detail/CVE-2022-42889

Using latest/9.0.1 of both controller and lg images.

This appears to be fixed in Apache Commons Text v1.10

When we try to start up the docker image with the following configured parms we are seeing this error after the project is checked out of collaboration server (AzureDevops).

• Checking out project: Sample_Project
  _com.neotys.nl.l.a.n: Item '/DevOps/git/neoload-demo/Sample_Project/8_6/project' does not exist

• options being passed in (via docker-compose.yml):

  • COLLAB_URL=https://dev.azure.com/neload-demo
  • COLLAB_LOGIN=:
  • PROJECT_NAME=Sample_Project
  • SCENARIO=demo-scenario
  • LEASE_SERVER=NLWEB
  • NEOLOADWEB_TOKEN=
  • VU_MAX=50
  • DURATION_MAX=1
  • PUBLISH_RESULT=NTS

The problem seems to be with something is expecting project to be in the a path that is not provided.
Item '/DevOps/_git/neolaod-demo/Sample_Project/8_6/project' does not exist
in this path we are not providing the /8_6/project and we believe this may be why the checkout is failing every time.

Also the collaboration project WAS published from NeoLoad, so we are expecting the its setting up the project correctly.

We are also using the latest docker image as of 10/6/2022

The tag 7.11.1 (and latest also) of neotys/neoload-loadgenerator contains NeoLoad 7.11.0 and cannot be used with a 7.11.1 Neoload Controller installation.

docker run --rm --detach neotys/neoload-loadgenerator:7.11.1
Unable to find image 'neotys/neoload-loadgenerator:7.11.1' locally
7.11.1: Pulling from neotys/neoload-loadgenerator
540db60ca938: Pull complete
b950557f6e3b: Pull complete
e18d5a8beff4: Pull complete
9d5547ccdd43: Pull complete
4f4fb700ef54: Pull complete
Digest: sha256:0b723fe887e5906882c91e59b37afec5d25664fb2331122f01c894b413911330
Status: Downloaded newer image for neotys/neoload-loadgenerator:7.11.1
2793f0799b174a347c0085cb1d593317912ee43405648994c918d63865adf1bd

docker logs 2793
LoadGeneratorAgent running
2021/10/14 07:23:10 INFO - neoload.agent.Agent: Starting agent (7.11.0;build=20210903-38)...
2021/10/14 07:23:10 INFO - neoload.agent.Agent: OS Version:amd64 - Linux - 5.10.47-linuxkit
2021/10/14 07:23:10 INFO - neoload.agent.Agent: JVM Version:BellSoft - 11.0.8 - OpenJDK 64-Bit Server VM - Xmx= 477626368 bytes
2021/10/14 07:23:10 INFO - neoload.agent.Agent: Initialize preferences
2021/10/14 07:23:10 INFO - neoload.agent.Agent: Initialize cloud properties
2021/10/14 07:23:10 INFO - neoload.agent.Agent: WAN mode is none
2021/10/14 07:23:10 INFO - neoload.agent.Agent: WAN Emulation is disabled
2021/10/14 07:23:10 INFO - neoload.agent.Agent: Initialize multicast threads
2021/10/14 07:23:10 INFO - neoload.agent.Agent: Start transport API server on port: 7100
2021/10/14 07:23:12 INFO - neoload.agent.Agent: Agent started