Fail trivy on critical, high issues

(cherry picked from commit 4495180f7b2666959ceee07558c8825a002b05f3)

.github/workflows/ci.yml

@@ -11,14 +11,14 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out the codebase.
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
 
       - name: Install hadolint.
         run: |
           sudo curl -L https://github.com/hadolint/hadolint/releases/download/v$HADOLINT_VERSION/hadolint-$(uname -s)-$(uname -m) -o /usr/local/bin/hadolint
           sudo chmod 755 /usr/local/bin/hadolint
         env:
-          HADOLINT_VERSION: 2.8.0
+          HADOLINT_VERSION: 2.12.0
 
       - name: Run hadolint.
         run: |
@@ -30,7 +30,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out the codebase.
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
 
       - name: Find an open port.
         run: |
@@ -63,12 +63,15 @@ jobs:
         with:
           image-ref: ${{ github.repository }}:${{ github.run_id }}
           exit-code: '1'
+          skip-files: '/etc/ssl/certs/vsftpd.pem'
+          severity: 'CRITICAL,HIGH'
 
       - name: Run Trivy vulnerability scanner.
         uses: aquasecurity/trivy-action@master
         with:
           image-ref: ${{ github.repository }}:nossl
           exit-code: '1'
+          severity: 'CRITICAL,HIGH'
 
   deploy:
     if: startsWith(github.ref, 'refs/tags/v')
@@ -84,7 +87,7 @@ jobs:
           echo ::set-output name=VERSION::${TAG%-*}
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
 
       - name: Login to Quay
         uses: docker/login-action@v1
@@ -94,7 +97,7 @@ jobs:
           password: ${{ secrets.QUAY_PASSWORD }}
 
       - name: Push to Quay
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v3
         with:
           file: ./Dockerfile
           pull: true
@@ -108,7 +111,7 @@ jobs:
           VERSION: ${{ steps.get_version.outputs.VERSION }}
 
       - name: Push nossl to Quay
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v3
         with:
           file: ./Dockerfile_nossl
           pull: true

.github/workflows/docker-publish-image.yml

@@ -1,86 +0,0 @@
-name: Docker hub auto publish image
-
-on:
-  push:
-    branches:
-      - master
-    paths:
-      # Run when file is edited
-      - Dockerfile
-      - start_vsftpd.sh
-      - vsftpd.conf
-
-  # Run tests for any PRs.
-  pull_request:
-
-env:
-  # Image name at docker hub
-  IMAGE_NAME: delfer/alpine-ftp-server
-
-jobs:
-  # Run tests.
-  # See also https://docs.docker.com/docker-hub/builds/automated-testing/
-  test:
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Checkout 
-        uses: actions/checkout@v2
-
-      - name: Run tests
-        run: |
-          if [ -f docker-compose.test.yml ]; then
-            docker-compose --file docker-compose.test.yml build
-            docker-compose --file docker-compose.test.yml run sut
-          else
-            docker build . --file Dockerfile
-          fi
-
-  push:
-    # Ensure test job passes before pushing image.
-    needs: test
-
-    runs-on: ubuntu-latest
-    if: github.event_name == 'push'
-
-    steps:
-      - name: Checkout 
-        uses: actions/checkout@v2
-        
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
-       
-      - name: Login to Docker Hub
-        uses: docker/login-action@v1
-        with:
-          # Genrate secret from here https://hub.docker.com/settings/security
-          username: ${{ secrets.DOCKER_HUB_USERNAME }}
-          password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
-
-      - name: Add Label Schema to Dockerfile
-        run: |
-          # Label Schema based on http://label-schema.org/rc1/
-          TIME_ISO=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
-          echo "LABEL org.label-schema.build-date=$TIME_ISO" >> Dockerfile
-          echo "LABEL org.label-schema.name=vsftpd" >> Dockerfile
-          echo "LABEL org.label-schema.url=https://security.appspot.com/vsftpd.html" >> Dockerfile
-          echo "LABEL org.label-schema.vcs-url=https://github.com/delfer/docker-alpine-ftp-server" >> Dockerfile
-          GIT_HASH=$(git rev-parse --short "$GITHUB_SHA")
-          echo "LABEL org.label-schema.vcs-ref=$GIT_HASH" >> Dockerfile
-          echo "LABEL org.label-schema.schema-version=1.0.0-rc.1" >> Dockerfile
-          echo "LABEL org.label-schema.docker.cmd=\"docker run -d -p 21:21 -e USERS=\"username|password\" delfer/alpine-ftp-server\"" >> Dockerfile
-          # Show edited Dockerfile content
-          cat Dockerfile
-                    
-      - name: Build and push latest
-        uses: docker/build-push-action@v2
-        with:
-          context: .
-          file: ./Dockerfile
-          platforms: linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64
-          push: true
-          tags: |
-            ${{ env.IMAGE_NAME }}:latest

Dockerfile

@@ -1,11 +1,8 @@
-FROM alpine:3.15.1
+FROM alpine:3.18.4
 
 LABEL maintainer="Amin Vakil <info@aminvakil.com>"
 
-RUN apk --no-cache add vsftpd=3.0.5-r1
+RUN apk --no-cache add vsftpd=3.0.5-r2
-
-# hadolint ignore=DL3059,DL3018
-RUN apk add --no-cache --upgrade libretls
 
 COPY vsftpd.pem /etc/ssl/certs/vsftpd.pem
 COPY start_vsftpd.sh /usr/local/bin/start_vsftpd.sh

Dockerfile_nossl

@@ -1,11 +1,8 @@
-FROM alpine:3.15.1
+FROM alpine:3.18.4
 
 LABEL maintainer="Amin Vakil <info@aminvakil.com>"
 
-RUN apk --no-cache add vsftpd=3.0.5-r1
+RUN apk --no-cache add vsftpd=3.0.5-r2
-
-# hadolint ignore=DL3059,DL3018
-RUN apk add --no-cache --upgrade libretls
 
 COPY start_vsftpd.sh /usr/local/bin/start_vsftpd.sh
 COPY vsftpd.conf_nossl /etc/vsftpd/vsftpd.conf

README.md

@@ -1,6 +1,16 @@
 # docker-alpine-ftp-server-tls
 Small and flexible docker image with vsftpd server with tls
 
+# Important Note
+I think upstream has made it more complicated than it needs to be since this commit and I'm not merging its commits anymore, although I cherry-pick some of them when I see fit.
+
+https://github.com/delfer/docker-alpine-ftp-server/commit/fbf9afd9368d63a225e093bae227fa878de46b2c
+
+Also for future reference this is the PR of this commit: https://github.com/delfer/docker-alpine-ftp-server/pull/36
+
+FOr further discussion about this you can use [this issue](https://github.com/aminvakil/docker-alpine-ftp-server-tls/issues/14).
+
+
 ## Usage
 ```
 docker run -d \
@@ -14,9 +24,9 @@ docker run -d \
 ## Configuration
 
 Environment variables:
-- `USERS` - space and `|` separated list (optional, default: `ftp|alpineftp`)
+- `USERS` - space and `|` separated list (optional, default: `alpineftp|alpineftp`)
   - format `name1|password1|[folder1][|uid1] name2|password2|[folder2][|uid2]`
-- `ADDRESS` - external address witch clients can connect passive ports (optional, should resolve to ftp server ip address)
+- `ADDRESS` - external address to which clients can connect for passive ports (optional, should resolve to ftp server ip address)
 - `MIN_PORT` - minimum port number to be used for passive connections (optional, default `21000`)
 - `MAX_PORT` - maximum port number to be used for passive connections (optional, default `21010`)
 

start_vsftpd.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #Remove all ftp users
-#grep '/ftp/' /etc/passwd | cut -d':' -f1 | xargs -n1 deluser
+grep '/ftp/' /etc/passwd | cut -d':' -f1 | xargs -r -n1 deluser
 
 #Create users
 #USERS='name1|password1|[folder1][|uid1] name2|password2|[folder2][|uid2]'
@@ -14,14 +14,15 @@
 #Default user 'ftp' with password 'alpineftp'
 
 if [ -z "$USERS" ]; then
-  USERS="amin|alpineftp"
+  USERS="alpineftp|alpineftp"
 fi
 
 for i in $USERS ; do
-    NAME=$(echo $i | cut -d'|' -f1)
+  NAME=$(echo $i | cut -d'|' -f1)
-    PASS=$(echo $i | cut -d'|' -f2)
+  GROUP=$NAME
+  PASS=$(echo $i | cut -d'|' -f2)
   FOLDER=$(echo $i | cut -d'|' -f3)
-     UID=$(echo $i | cut -d'|' -f4)
+  UID=$(echo $i | cut -d'|' -f4)
 
   if [ -z "$FOLDER" ]; then
     FOLDER="/ftp/$NAME"
@@ -29,11 +30,16 @@ for i in $USERS ; do
 
   if [ ! -z "$UID" ]; then
     UID_OPT="-u $UID"
+    #Check if the group with the same ID already exists
+    GROUP=$(getent group $UID | cut -d: -f1)
+    if [ ! -z "$GROUP" ]; then
+      GROUP_OPT="-G $GROUP"
+    fi
   fi
 
-  echo -e "$PASS\n$PASS" | adduser -h $FOLDER -s /sbin/nologin $UID_OPT $NAME
+  echo -e "$PASS\n$PASS" | adduser -h $FOLDER -s /sbin/nologin $UID_OPT $GROUP_OPT $NAME
   mkdir -p $FOLDER
-  chown $NAME:$NAME $FOLDER
+  chown $NAME:$GROUP $FOLDER
   unset NAME PASS FOLDER UID
 done