Hello, I firstly want to thank you for your hard work on this solution. I've managed to deploy a working container on Amazon ECR and running via ECS and EC2!

However I am getting a lot of vulnerabilities whenever the docker image is scanned by AWS's vulnerability checker:

Critical: 0 High: 8 Medium: 27 Low: 20 Informational: 54 Undefined: 5

Total: 114

The Dockerfile being used is configured as such:

FROM dart:stable

# Resolve app dependencies.
WORKDIR /app
COPY pubspec.* ./
RUN dart pub get

# Copy app source code and update packages
COPY . .
RUN dart pub get --offline
RUN dart run build_runner build --delete-conflicting-outputs

# Start server.
EXPOSE 12021
CMD ["dart", "bin/server.dart"]

Would really appreciate some help on how to resolve this issue. Thanks so much in advance :)

These vulnerabilities are as follows:

Name | Package | Severity | Description -- | -- | -- | -- CVE-2022-22823 | expat:2.2.6-2+deb10u1 | HIGH | build_model in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. CVE-2022-22824 | expat:2.2.6-2+deb10u1 | HIGH | defineAttribute in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. CVE-2022-22822 | expat:2.2.6-2+deb10u1 | HIGH | addBinding in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. CVE-2022-23852 | expat:2.2.6-2+deb10u1 | HIGH | Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer, for configurations with a nonzero XML_CONTEXT_BYTES. CVE-2022-23219 | glibc:2.28-10 | HIGH | The deprecated compatibility function clnt_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its hostname argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if an application is not built with a stack protector enabled) arbitrary code execution. CVE-2019-25013 | glibc:2.28-10 | HIGH | The iconv feature in the GNU C Library (aka glibc or libc6) through 2.32, when processing invalid multi-byte input sequences in the EUC-KR encoding, may have a buffer over-read. CVE-2022-23218 | glibc:2.28-10 | HIGH | The deprecated compatibility function svcunix_create in the sunrpc module of the GNU C Library (aka glibc) through 2.34 copies its path argument on the stack without validating its length, which may result in a buffer overflow, potentially resulting in a denial of service or (if an application is not built with a stack protector enabled) arbitrary code execution. CVE-2021-33574 | glibc:2.28-10 | HIGH | The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. It may use the notification thread attributes object (passed through its struct sigevent parameter) after it has been freed by the caller, leading to a denial of service (application crash) or possibly unspecified other impact. CVE-2021-22947 | curl:7.64.0-4+deb10u2 | MEDIUM | When curl >= 7.20.0 and <= 7.78.0 connects to an IMAP or POP3 server to retrieve data using STARTTLS to upgrade to TLS security, the server can respond and send back multiple responses at once that curl caches. curl would then upgrade to TLS but not flush the in-queue of cached responses but instead continue using and trustingthe responses it got before the TLS handshake as if they were authenticated.Using this flaw, it allows a Man-In-The-Middle attacker to first inject the fake responses, then pass-through the TLS traffic from the legitimate server and trick curl into sending data back to the user thinking the attacker's injected data comes from the TLS-protected server. CVE-2021-22946 | curl:7.64.0-4+deb10u2 | MEDIUM | A user can tell curl >= 7.20.0 and <= 7.78.0 to require a successful upgrade to TLS when speaking to an IMAP, POP3 or FTP server (--ssl-reqd on the command line orCURLOPT_USE_SSL set to CURLUSESSL_CONTROL or CURLUSESSL_ALL withlibcurl). This requirement could be bypassed if the server would return a properly crafted but perfectly legitimate response.This flaw would then make curl silently continue its operations withoutTLS contrary to the instructions and expectations, exposing possibly sensitive data in clear text over the network. CVE-2021-22924 | curl:7.64.0-4+deb10u2 | MEDIUM | libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse, if one of them matches the setup.Due to errors in the logic, the config matching function did not take 'issuercert' into account and it compared the involved paths case insensitively,which could lead to libcurl reusing wrong connections.File paths are, or can be, case sensitive on many systems but not all, and caneven vary depending on used file systems.The comparison also didn't include the 'issuer cert' which a transfer can setto qualify how to verify the server certificate. CVE-2022-22827 | expat:2.2.6-2+deb10u1 | MEDIUM | storeAtts in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. CVE-2021-45960 | expat:2.2.6-2+deb10u1 | MEDIUM | In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the storeAtts function in xmlparse.c can lead to realloc misbehavior (e.g., allocating too few bytes, or only freeing memory). CVE-2022-22826 | expat:2.2.6-2+deb10u1 | MEDIUM | nextScaffoldPart in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. CVE-2022-22825 | expat:2.2.6-2+deb10u1 | MEDIUM | lookup in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. CVE-2021-46143 | expat:2.2.6-2+deb10u1 | MEDIUM | In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an integer overflow exists for m_groupSize. CVE-2018-12886 | gcc-8:8.3.0-6 | MEDIUM | stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in function.c in GNU Compiler Collection (GCC) 4.1 through 8 (under certain circumstances) generate instruction sequences when targeting ARM targets that spill the address of the stack protector guard, which allows an attacker to bypass the protection of -fstack-protector, -fstack-protector-all, -fstack-protector-strong, and -fstack-protector-explicit against stack overflow by controlling what the stack canary is compared against. CVE-2021-40330 | git:1:2.20.1-2+deb10u3 | MEDIUM | git_connect_git in connect.c in Git before 2.30.1 allows a repository path to contain a newline character, which may result in unexpected cross-protocol requests, as demonstrated by the git://localhost:1234/%0d%0a%0d%0aGET%20/%20HTTP/1.1 substring. CVE-2021-21300 | git:1:2.20.1-2+deb10u3 | MEDIUM | Git is an open-source distributed revision control system. In affected versions of Git a specially crafted repository that contains symbolic links as well as files using a clean/smudge filter such as Git LFS, may cause just-checked out script to be executed while cloning onto a case-insensitive file system such as NTFS, HFS+ or APFS (i.e. the default file systems on Windows and macOS). Note that clean/smudge filters have to be configured for that. Git for Windows configures Git LFS by default, and is therefore vulnerable. The problem has been patched in the versions published on Tuesday, March 9th, 2021. As a workaound, if symbolic link support is disabled in Git (e.g. via git config --global core.symlinks false), the described attack won't work. Likewise, if no clean/smudge filters such as Git LFS are configured globally (i.e. before cloning), the attack is foiled. As always, it is best to avoid cloning repositories from untrusted sources. The earliest impacted version is 2.14.2. The fix versions are: 2.30.1, 2.29.3, 2.28.1, 2.27.1, 2.26.3, 2.25.5, 2.24.4, 2.23.4, 2.22.5, 2.21.4, 2.20.5, 2.19.6, 2.18.5, 2.17.62.17.6. CVE-2021-35942 | glibc:2.28-10 | MEDIUM | The wordexp function in the GNU C Library (aka glibc) through 2.33 may crash or read arbitrary memory in parse_param (in posix/wordexp.c) when called with an untrusted, crafted pattern, potentially resulting in a denial of service or disclosure of information. This occurs because atoi was used but strtoul should have been used to ensure correct calculations. CVE-2020-1751 | glibc:2.28-10 | MEDIUM | An out-of-bounds write vulnerability was found in glibc before 2.31 when handling signal trampolines on PowerPC. Specifically, the backtrace function did not properly check the array bounds when storing the frame address, resulting in a denial of service or potential code execution. The highest threat from this vulnerability is to system availability. CVE-2021-3326 | glibc:2.28-10 | MEDIUM | The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier, when processing invalid input sequences in the ISO-2022-JP-3 encoding, fails an assertion in the code path and aborts the program, potentially resulting in a denial of service. CVE-2021-43618 | gmp:2:6.1.2+dfsg-4 | MEDIUM | GNU Multiple Precision Arithmetic Library (GMP) through 6.2.1 has an mpz/inp_raw.c integer overflow and resultant buffer overflow via crafted input, leading to a segmentation fault on 32-bit platforms. CVE-2021-33560 | libgcrypt20:1.8.4-5+deb10u1 | MEDIUM | Libgcrypt before 1.8.8 and 1.9.x before 1.9.3 mishandles ElGamal encryption because it lacks exponent blinding to address a side-channel attack against mpi_powm, and the window size is not chosen appropriately. This, for example, affects use of ElGamal in OpenPGP. CVE-2019-12290 | libidn2:2.0.5-1+deb10u1 | MEDIUM | GNU libidn2 before 2.2.0 fails to perform the roundtrip checks specified in RFC3490 Section 4.2 when converting A-labels to U-labels. This makes it possible in some circumstances for one domain to impersonate another. By creating a malicious domain that matches a target domain except for the inclusion of certain punycoded Unicode characters (that would be discarded when converted first to a Unicode label and then back to an ASCII label), arbitrary domains can be impersonated. CVE-2019-13115 | libssh2:1.8.0-2.1 | MEDIUM | In libssh2 before 1.9.0, kex_method_diffie_hellman_group_exchange_sha256_key_exchange in kex.c has an integer overflow that could lead to an out-of-bounds read in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server. This is related to an _libssh2_check_length mistake, and is different from the various issues fixed in 1.8.1, such as CVE-2019-3855. CVE-2017-16932 | libxml2:2.9.4+dfsg1-7+deb10u2 | MEDIUM | parser.c in libxml2 before 2.9.5 does not prevent infinite recursion in parameter entities. CVE-2016-9318 | libxml2:2.9.4+dfsg1-7+deb10u2 | MEDIUM | libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and other products, does not offer a flag directly indicating that the current document may be read but other files may not be opened, which makes it easier for remote attackers to conduct XML External Entity (XXE) attacks via a crafted document. CVE-2020-11080 | nghttp2:1.36.0-2+deb10u1 | MEDIUM | In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service. The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of 14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at 100%. nghttp2 v1.41.0 fixes this vulnerability. There is a workaround to this vulnerability. Implement nghttp2_on_frame_recv_callback callback, and if received frame is SETTINGS frame and the number of settings entries are large (e.g., > 32), then drop the connection. CVE-2021-41617 | openssh:1:7.9p1-10+deb10u2 | MEDIUM | sshd in OpenSSH 6.2 through 8.x before 8.8, when certain non-default configurations are used, allows privilege escalation because supplemental groups are not initialized as expected. Helper programs for AuthorizedKeysCommand and AuthorizedPrincipalsCommand may run with privileges associated with group memberships of the sshd process, if the configuration specifies running the command as a different user. CVE-2019-20454 | pcre2:10.32-5 | MEDIUM | An out-of-bounds read was discovered in PCRE before 10.34 when the pattern \X is JIT compiled and used to match specially crafted subjects in non-UTF mode. Applications that use PCRE to parse untrusted input may be vulnerable to this flaw, which would allow an attacker to crash the application. The flaw occurs in do_extuni_no_utf in pcre2_jit_compile.c. CVE-2020-14155 | pcre3:2:8.39-12 | MEDIUM | libpcre in PCRE before 8.44 allows an integer overflow via a large number after a (?C substring. CVE-2020-16156 | perl:5.28.1-6+deb10u1 | MEDIUM | CPAN 2.28 allows Signature Verification Bypass. CVE-2019-3844 | systemd:241-7~deb10u8 | MEDIUM | It was discovered that a systemd service that uses DynamicUser property can get new privileges through the execution of SUID binaries, which would allow to create binaries owned by the service transient group with the setgid bit set. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the GID will be recycled. CVE-2019-3843 | systemd:241-7~deb10u8 | MEDIUM | It was discovered that a systemd service that uses DynamicUser property can create a SUID/SGID binary that would be allowed to run as the transient service UID/GID even after the service is terminated. A local attacker may use this flaw to access resources that will be owned by a potentially different service in the future, when the UID/GID will be recycled. CVE-2016-2781 | coreutils:8.30-3 | LOW | chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer. CVE-2021-22898 | curl:7.64.0-4+deb10u2 | LOW | curl 7.7 through 7.76.1 suffers from an information disclosure when the -t command line option, known as CURLOPT_TELNETOPTIONS in libcurl, is used to send variable=content pairs to TELNET servers. Due to a flaw in the option parser for sending NEW_ENV variables, libcurl could be made to pass on uninitialized data from a stack based buffer to the server, resulting in potentially revealing sensitive internal information to the server using a clear-text network protocol. CVE-2019-15847 | gcc-8:8.3.0-6 | LOW | The POWER9 backend in GNU Compiler Collection (GCC) before version 10 could optimize multiple calls of the __builtin_darn intrinsic into a single call, thus reducing the entropy of the random number generator. This occurred because a volatile operation was not specified. For example, within a single execution of a program, the output of every __builtin_darn() call may be the same. CVE-2020-6096 | glibc:2.28-10 | LOW | An exploitable signed comparison vulnerability exists in the ARMv7 memcpy() implementation of GNU glibc 2.30.9000. Calling memcpy() (on ARMv7 targets that utilize the GNU glibc implementation) with a negative value for the 'num' parameter results in a signed comparison vulnerability. If an attacker underflows the 'num' parameter to memcpy(), this vulnerability could lead to undefined behavior such as writing to out-of-bounds memory and potentially remote code execution. Furthermore, this memcpy() implementation allows for program execution to continue in scenarios where a segmentation fault or crash should have occurred. The dangers occur in that subsequent execution and iterations of this code will be executed with this corrupted data. CVE-2021-27645 | glibc:2.28-10 | LOW | The nameserver caching daemon (nscd) in the GNU C Library (aka glibc or libc6) 2.29 through 2.33, when processing a request for netgroup lookup, may crash due to a double-free, potentially resulting in degraded service or Denial of Service on the local system. This is related to netgroupcache.c. CVE-2019-19126 | glibc:2.28-10 | LOW | On the x86-64 architecture, the GNU C Library (aka glibc) before 2.31 fails to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition, allowing local attackers to restrict the possible mapping addresses for loaded libraries and thus bypass ASLR for a setuid program. CVE-2020-27618 | glibc:2.28-10 | LOW | The iconv function in the GNU C Library (aka glibc or libc6) 2.32 and earlier, when processing invalid multi-byte input sequences in IBM1364, IBM1371, IBM1388, IBM1390, and IBM1399 encodings, fails to advance the input state, which could lead to an infinite loop in applications, resulting in a denial of service, a different vulnerability from CVE-2016-10228. CVE-2020-10029 | glibc:2.28-10 | LOW | The GNU C Library (aka glibc or libc6) before 2.32 could overflow an on-stack buffer during range reduction if an input to an 80-bit long double function contains a non-canonical bit pattern, a seen when passing a 0x5d414141414141410000 value to sinl on x86 targets. This is related to sysdeps/ieee754/ldbl-96/e_rem_pio2l.c. CVE-2020-1752 | glibc:2.28-10 | LOW | A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username were affected by this issue. A local attacker could exploit this flaw by creating a specially crafted path that, when processed by the glob function, would potentially lead to arbitrary code execution. This was fixed in version 2.32. CVE-2016-10228 | glibc:2.28-10 | LOW | The iconv program in the GNU C Library (aka glibc or libc6) 2.31 and earlier, when invoked with multiple suffixes in the destination encoding (TRANSLATE or IGNORE) along with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service. CVE-2019-14855 | gnupg2:2.2.12-1+deb10u1 | LOW | A flaw was found in the way certificate signatures could be forged using collisions found in the SHA-1 algorithm. An attacker could use this weakness to create forged certificate signatures. This issue affects GnuPG versions before 2.2.18. CVE-2019-13627 | libgcrypt20:1.8.4-5+deb10u1 | LOW | It was discovered that there was a ECDSA timing attack in the libgcrypt20 cryptographic library. Version affected: 1.8.4-5, 1.7.6-2+deb9u3, and 1.6.3-2+deb8u4. Versions fixed: 1.8.5-2 and 1.6.3-2+deb8u7. CVE-2021-36086 | libsepol:2.8-1 | LOW | The CIL compiler in SELinux 3.2 has a use-after-free in cil_reset_classpermission (called from cil_reset_classperms_set and cil_reset_classperms_list). CVE-2021-36087 | libsepol:2.8-1 | LOW | The CIL compiler in SELinux 3.2 has a heap-based buffer over-read in ebitmap_match_any (called indirectly from cil_check_neverallow). This occurs because there is sometimes a lack of checks for invalid statements in an optional block. CVE-2021-36084 | libsepol:2.8-1 | LOW | The CIL compiler in SELinux 3.2 has a use-after-free in __cil_verify_classperms (called from __cil_verify_classpermission and __cil_pre_verify_helper). CVE-2021-36085 | libsepol:2.8-1 | LOW | The CIL compiler in SELinux 3.2 has a use-after-free in __cil_verify_classperms (called from __verify_map_perm_classperms and hashtab_map). CVE-2019-17498 | libssh2:1.8.0-2.1 | LOW | In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in packet.c has an integer overflow in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds) offset for a subsequent memory read. A crafted SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server. CVE-2019-17543 | lz4:1.8.3-1+deb10u1 | LOW | LZ4 before 1.9.2 has a heap-based buffer overflow in LZ4_write32 (related to LZ4_compress_destSize), affecting applications that call LZ4_compress_fast with a large input. (This issue can also lead to data corruption.) NOTE: the vendor states "only a few specific / uncommon usages of the API are at risk." CVE-2018-7169 | shadow:1:4.5-1.1 | LOW | An issue was discovered in shadow 4.5. newgidmap (in shadow-utils) is setuid and allows an unprivileged user to be placed in a user namespace where setgroups(2) is permitted. This allows an attacker to remove themselves from a supplementary group, which may allow access to certain filesystem paths if the administrator has used "group blacklisting" (e.g., chmod g-rwx) to restrict access to paths. This flaw effectively reverts a security feature in the kernel (in particular, the /proc/self/setgroups knob) to prevent this sort of privilege escalation. CVE-2021-37600 | util-linux:2.33.1-0.1 | LOW | ** DISPUTED ** An integer overflow in util-linux through 2.37.1 can potentially cause a buffer overflow if an attacker were able to use system resources in a way that leads to a large number in the /proc/sysvipc/sem file. NOTE: this is unexploitable in GNU C Library environments, and possibly in all realistic environments. CVE-2011-3374 | apt:1.8.2.3 | INFORMATIONAL | It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack. CVE-2019-18276 | bash:5.0-4 | INFORMATIONAL | An issue was discovered in disable_priv_mode in shell.c in GNU Bash through 5.0 patch 11. By default, if Bash is run with its effective UID not equal to its real UID, it will drop privileges by setting its effective UID to its real UID. However, it does so incorrectly. On Linux and other systems that support "saved UID" functionality, the saved UID is not dropped. An attacker with command execution in the shell can use "enable -f" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges. However, binaries running with an effective UID of 0 are unaffected. CVE-2017-18018 | coreutils:8.30-3 | INFORMATIONAL | In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX "-R -L" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition. CVE-2021-22922 | curl:7.64.0-4+deb10u2 | INFORMATIONAL | When curl is instructed to download content using the metalink feature, thecontents is verified against a hash provided in the metalink XML file.The metalink XML file points out to the client how to get the same contentfrom a set of different URLs, potentially hosted by different servers and theclient can then download the file from one or several of them. In a serial orparallel manner.If one of the servers hosting the contents has been breached and the contentsof the specific file on that server is replaced with a modified payload, curlshould detect this when the hash of the file mismatches after a completeddownload. It should remove the contents and instead try getting the contentsfrom another URL. This is not done, and instead such a hash mismatch is onlymentioned in text and the potentially malicious content is kept in the file ondisk. CVE-2021-22923 | curl:7.64.0-4+deb10u2 | INFORMATIONAL | When curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file, those same credentials are then subsequently passed on to each of the servers from which curl will download or try to download the contents from. Often contrary to the user's expectations and intentions and without telling the user it happened. CVE-2013-0340 | expat:2.2.6-2+deb10u1 | INFORMATIONAL | expat 2.1.0 and earlier does not properly handle entities expansion unless an application developer uses the XML_SetEntityDeclHandler function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue. NOTE: it could be argued that because expat already provides the ability to disable external entity expansion, the responsibility for resolving this issue lies with application developers; according to this argument, this entry should be REJECTed, and each affected application would need its own CVE. CVE-2018-1000021 | git:1:2.20.1-2+deb10u3 | INFORMATIONAL | GIT version 2.15.1 and earlier contains a Input Validation Error vulnerability in Client that can result in problems including messing up terminal configuration to RCE. This attack appear to be exploitable via The user must interact with a malicious git server, (or have their traffic modified in a MITM attack). CVE-2019-1010025 | glibc:2.28-10 | INFORMATIONAL | ** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is "ASLR bypass itself is not a vulnerability." CVE-2019-1010023 | glibc:2.28-10 | INFORMATIONAL | ** DISPUTED ** GNU Libc current is affected by: Re-mapping current loaded library with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat." CVE-2019-1010024 | glibc:2.28-10 | INFORMATIONAL | ** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat." CVE-2010-4756 | glibc:2.28-10 | INFORMATIONAL | The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632. CVE-2019-9192 | glibc:2.28-10 | INFORMATIONAL | ** DISPUTED ** In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\1\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern. CVE-2019-1010022 | glibc:2.28-10 | INFORMATIONAL | ** DISPUTED ** GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat." CVE-2018-20796 | glibc:2.28-10 | INFORMATIONAL | In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\227|)(\1\1|t1|\\2537)+' in grep. CVE-2011-3389 | gnutls28:3.6.7-4+deb10u7 | INFORMATIONAL | The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack. CVE-2004-0971 | krb5:1.17-3+deb10u3 | INFORMATIONAL | The krb5-send-pr script in the kerberos5 (krb5) package in Trustix Secure Linux 1.5 through 2.1, and possibly other operating systems, allows local users to overwrite files via a symlink attack on temporary files. CVE-2018-5709 | krb5:1.17-3+deb10u3 | INFORMATIONAL | An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data. CVE-2018-6829 | libgcrypt20:1.8.4-5+deb10u1 | INFORMATIONAL | cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation. CVE-2019-9893 | libseccomp:2.3.3-4 | INFORMATIONAL | libseccomp before 2.4.0 did not correctly generate 64-bit syscall argument comparisons using the arithmetic operators (LT, GT, LE, GE), which might able to lead to bypassing seccomp filters and potential privilege escalations. CVE-2018-1000654 | libtasn1-6:4.13-3 | INFORMATIONAL | GNU Libtasn1-4.13 libtasn1-4.13 version libtasn1-4.13, libtasn1-4.12 contains a DoS, specifically CPU usage will reach 100% when running asn1Paser against the POC due to an issue in _asn1_expand_object_id(p_tree), after a long time, the program will be killed. This attack appears to be exploitable via parsing a crafted file. CVE-2021-39537 | ncurses:6.1+20181013-2+deb10u2 | INFORMATIONAL | An issue was discovered in ncurses through v6.2-1. _nc_captoinfo in captoinfo.c has a heap-based buffer overflow. CVE-2020-15719 | openldap:2.4.47+dfsg-3+deb10u6 | INFORMATIONAL | libldap in certain third-party OpenLDAP packages has a certificate-validation flaw when the third-party package is asserting RFC6125 support. It considers CN even when there is a non-matching subjectAltName (SAN). This is fixed in, for example, openldap-2.4.46-10.el8 in Red Hat Enterprise Linux. CVE-2017-14159 | openldap:2.4.47+dfsg-3+deb10u6 | INFORMATIONAL | slapd in OpenLDAP 2.4.45 and earlier creates a PID file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for PID file modification before a root script executes a "kill cat /pathname" command, as demonstrated by openldap-initscript. CVE-2015-3276 | openldap:2.4.47+dfsg-3+deb10u6 | INFORMATIONAL | The nss_parse_ciphers function in libraries/libldap/tls_m.c in OpenLDAP does not properly parse OpenSSL-style multi-keyword mode cipher strings, which might cause a weaker than intended cipher to be used and allow remote attackers to have unspecified impact via unknown vectors. CVE-2017-17740 | openldap:2.4.47+dfsg-3+deb10u6 | INFORMATIONAL | contrib/slapd-modules/nops/nops.c in OpenLDAP through 2.4.45, when both the nops module and the memberof overlay are enabled, attempts to free a buffer that was allocated on the stack, which allows remote attackers to cause a denial of service (slapd crash) via a member MODDN operation. CVE-2016-20012 | openssh:1:7.9p1-10+deb10u2 | INFORMATIONAL | OpenSSH through 8.7 allows remote attackers, who have a suspicion that a certain combination of username and public key is known to an SSH server, to test whether this suspicion is correct. This occurs because a challenge is sent only when that combination could be valid for a login session. CVE-2007-2243 | openssh:1:7.9p1-10+deb10u2 | INFORMATIONAL | OpenSSH 4.6 and earlier, when ChallengeResponseAuthentication is enabled, allows remote attackers to determine the existence of user accounts by attempting to authenticate via S/KEY, which displays a different response if the user account exists, a similar issue to CVE-2001-1483. CVE-2020-14145 | openssh:1:7.9p1-10+deb10u2 | INFORMATIONAL | The client side in OpenSSH 5.7 through 8.4 has an Observable Discrepancy leading to an information leak in the algorithm negotiation. This allows man-in-the-middle attackers to target initial connection attempts (where no host key for the server has been cached by the client). NOTE: some reports state that 8.5 and 8.6 are also affected. CVE-2020-12062 | openssh:1:7.9p1-10+deb10u2 | INFORMATIONAL | ** DISPUTED ** The scp client in OpenSSH 8.2 incorrectly sends duplicate responses to the server upon a utimes system call failure, which allows a malicious unprivileged user on the remote server to overwrite arbitrary files in the client's download directory by creating a crafted subdirectory anywhere on the remote server. The victim must use the command scp -rp to download a file hierarchy containing, anywhere inside, this crafted subdirectory. NOTE: the vendor points out that "this attack can achieve no more than a hostile peer is already able to achieve within the scp protocol" and "utimes does not fail under normal circumstances." CVE-2018-15919 | openssh:1:7.9p1-10+deb10u2 | INFORMATIONAL | Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username enumeration (or "oracle") as a vulnerability.' CVE-2008-3234 | openssh:1:7.9p1-10+deb10u2 | INFORMATIONAL | sshd in OpenSSH 4 on Debian GNU/Linux, and the 20070303 OpenSSH snapshot, allows remote authenticated users to obtain access to arbitrary SELinux roles by appending a :/ (colon slash) sequence, followed by the role name, to the username. CVE-2020-15778 | openssh:1:7.9p1-10+deb10u2 | INFORMATIONAL | ** DISPUTED ** scp in OpenSSH through 8.3p1 allows command injection in the scp.c toremote function, as demonstrated by backtick characters in the destination argument. NOTE: the vendor reportedly has stated that they intentionally omit validation of "anomalous argument transfers" because that could "stand a great chance of breaking existing workflows." CVE-2019-16905 | openssh:1:7.9p1-10+deb10u2 | INFORMATIONAL | OpenSSH 7.7 through 7.9 and 8.x before 8.1, when compiled with an experimental key type, has a pre-authentication integer overflow if a client or server is configured to use a crafted XMSS key. This leads to memory corruption and local code execution because of an error in the XMSS key parsing algorithm. NOTE: the XMSS implementation is considered experimental in all released OpenSSH versions, and there is no supported way to enable it when building portable OpenSSH. CVE-2007-2768 | openssh:1:7.9p1-10+deb10u2 | INFORMATIONAL | OpenSSH, when using OPIE (One-Time Passwords in Everything) for PAM, allows remote attackers to determine the existence of certain user accounts, which displays a different response if the user account exists and is configured to use one-time passwords (OTP), a similar issue to CVE-2007-2243. CVE-2019-6110 | openssh:1:7.9p1-10+deb10u2 | INFORMATIONAL | In OpenSSH 7.9, due to accepting and displaying arbitrary stderr output from the server, a malicious server (or Man-in-The-Middle attacker) can manipulate the client output, for example to use ANSI control codes to hide additional files being transferred. CVE-2007-6755 | openssl:1.1.1d-0+deb10u7 | INFORMATIONAL | The NIST SP 800-90A default statement of the Dual Elliptic Curve Deterministic Random Bit Generation (Dual_EC_DRBG) algorithm contains point Q constants with a possible relationship to certain "skeleton key" values, which might allow context-dependent attackers to defeat cryptographic protection mechanisms by leveraging knowledge of those values. NOTE: this is a preliminary CVE for Dual_EC_DRBG; future research may provide additional details about point Q and associated attacks, and could potentially lead to a RECAST or REJECT of this CVE. CVE-2010-0928 | openssl:1.1.1d-0+deb10u7 | INFORMATIONAL | OpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply voltage for the microprocessor, related to a "fault-based attack." CVE-2019-20838 | pcre3:2:8.39-12 | INFORMATIONAL | libpcre in PCRE before 8.43 allows a subject buffer over-read in JIT when UTF is disabled, and \X or \R has more than one fixed quantifier, a related issue to CVE-2019-20454. CVE-2017-16231 | pcre3:2:8.39-12 | INFORMATIONAL | ** DISPUTED ** In PCRE 8.41, after compiling, a pcretest load test PoC produces a crash overflow in the function match() in pcre_exec.c because of a self-recursive call. NOTE: third parties dispute the relevance of this report, noting that there are options that can be used to limit the amount of stack that is used. CVE-2017-11164 | pcre3:2:8.39-12 | INFORMATIONAL | In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c allows stack exhaustion (uncontrolled recursion) when processing a crafted regular expression. CVE-2017-7246 | pcre3:2:8.39-12 | INFORMATIONAL | Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 268) or possibly have unspecified other impact via a crafted file. CVE-2017-7245 | pcre3:2:8.39-12 | INFORMATIONAL | Stack-based buffer overflow in the pcre32_copy_substring function in pcre_get.c in libpcre1 in PCRE 8.40 allows remote attackers to cause a denial of service (WRITE of size 4) or possibly have unspecified other impact via a crafted file. CVE-2011-4116 | perl:5.28.1-6+deb10u1 | INFORMATIONAL | _is_safe in the File::Temp module for Perl does not properly handle symlinks. CVE-2019-19882 | shadow:1:4.5-1.1 | INFORMATIONAL | shadow 4.8, in certain circumstances affecting at least Gentoo, Arch Linux, and Void Linux, allows local users to obtain root access because setuid programs are misconfigured. Specifically, this affects shadow 4.8 when compiled using --with-libpam but without explicitly passing --disable-account-tools-setuid, and without a PAM configuration suitable for use with setuid account management tools. This combination leads to account management tools (groupadd, groupdel, groupmod, useradd, userdel, usermod) that can easily be used by unprivileged local users to escalate privileges to root in multiple ways. This issue became much more relevant in approximately December 2019 when an unrelated bug was fixed (i.e., the chmod calls to suidusbins were fixed in the upstream Makefile which is now included in the release version 4.8). CVE-2007-5686 | shadow:1:4.5-1.1 | INFORMATIONAL | initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file, which allows local users to obtain sensitive information regarding authentication attempts. NOTE: because sshd detects the insecure permissions and does not log certain events, this also prevents sshd from logging failed authentication attempts by remote attackers.

Opening to track a codereview comment by @jonasfj:

We probably should copy in both pubspec.yaml and pubspec.lock.

Assuming the idea is to make a layer that can be cached and reuse when rebuilding the image.

@athomas pointed out that the old image did: ONBUILD ADD pubspec.* /app/

How to perform healthcheck shelf service without curl in docker swarm stack?

Should i use curlimages/curl instead scratch? Or maybe run dart runtime with flag and check working instance with http request?

At present git isn't part of the base image or included in the Dockerfile template, so when a Dockerfile using FROM dart tries to run dart pub get the result is a sequence of:

Git command is not "git": Pub failed to run subprocess `git`: ProcessException: No such file or directory
  Command: git --version
Git command is not "git.cmd": Pub failed to run subprocess `git.cmd`: ProcessException: No such file or directory
  Command: git.cmd --version

This can be fixed by adding git to the apt-get section of the Dockerfile e.g.

RUN set -eux; \
    apt-get update; \
    apt-get install -y --no-install-recommends \
        ca-certificates \
        curl \
        openssh-client \
        unzip \
        dnsutils \
        git \
    ; \

The overall package diff (comparing apt list --installed between the existing dart image and one with git added) ends up being:

22a23,24
> git-man/now 1:2.20.1-2+deb10u3 all [installed,local]
> git/now 1:2.20.1-2+deb10u3 amd64 [installed,local]
41a44
> libcurl3-gnutls/now 7.64.0-4+deb10u2 amd64 [installed,local]
46a50,51
> liberror-perl/now 0.17027-2 all [installed,local]
> libexpat1/now 2.2.6-2+deb10u1 amd64 [installed,local]
52a58,59
> libgdbm-compat4/now 1.18.1-4 amd64 [installed,local]
> libgdbm6/now 1.18.1-4 amd64 [installed,local]
84a92
> libpcre2-8-0/now 10.32-5 amd64 [installed,local]
85a94
> libperl5.28/now 5.28.1-6+deb10u1 amd64 [installed,local]
117a127,128
> perl-modules-5.28/now 5.28.1-6+deb10u1 all [installed,local]
> perl/now 5.28.1-6+deb10u1 amd64 [installed,local]

resulting in an extra 76MB used by the raw image, which becomes 34MB when compressed on Docker Hub (for x64 arch).

Obviously people can workaround this by putting apt-get install -y git into their own Dockerfiles using FROM dart, and even create their own build images with git added. But as dart pub get is such a common thing to run, the various trade offs of image size, build times etc. would favour having a key ecosystem dependency like git in place.

Currently the runtime image assumes that you compile your server app to a Dart exe.

Should we consider copying in https://dart.dev/tools/dartaotruntime to the image, and then serve the app from even smaller AOT snapshots rather than a full exe?

First cut at an official repo with input from @tianon.

This initial version:

• Contains a template (./Dockerfile.template)
  • bases on debian:buster-slim
  • that pulls releases from GCS
  • tests checksums
• directories for the stable and beta channels
• subdirectories under the channel directories for distributions (currently only buster)

I've tested it with the examples under the examples directory. It works great with the Dart Functions Framework and eliminates the need for a dedicated runtime image as initially planned.

With the official images, we should start telling people to migrate from the old images so that we can eventually sunset our use of google/dart and archive the dart-lang/docker_dart (especially because it's easily confused with dart-lang/dart-docker)

Checklist:

• [x] Update readme: https://github.com/dart-lang/dart-docker/pulls
• [x] Update readme on https://registry.hub.docker.com/r/google/dart/
• [x] Update release scripts to no longer publish to this registry when releasing: cl/420720564
• [x] Anything else on https://registry.hub.docker.com/r/google/dart/ to mark discontinued?
• [x] Mark https://github.com/dart-lang/dart_docker as Archived
• [x] Move https://github.com/dart-lang/dart_docker to https://github.com/dart-archive
• [x] Shutdown infra that is used to publish the docker old images.

In response to the ask from @athomas in #11 here's a PR with the Dockerfile I've been using to create multi platform builds including arm64 and armv7.

It's been 5 days now since 2.17.1 was released, but the :latest build is still at 2.17.0

versions.json here was updated with the 2.17.1 hashes in #94 but somehow that hasn't triggered the (hopefully automated) process to get new images built.

This may be out of the scope of this project and if so, my apologies, but I'm trying to setup Dart with Docker in such a way that I can use the Dart VM instead of an AoT executable. I want to do this to support local development as if I was running dart run.

I'm so very close to having it working but Im not sure what I need to change to get it to successfully run!

My issue seems to be stemming from errors that look like this:

lib/controllers/account_controller.dart:7:8: Error: Error when reading '/Users/bradcypert/.pub-cache/hosted/pub.dartlang.org/steward-0.1.0/lib/steward.dart': No such file or directory

lib/models/license.dart:1:8: Error: Error when reading '/Users/bradcypert/.pub-cache/hosted/pub.dartlang.org/stormberry-0.4.0/lib/stormberry.dart': No such file or directory

lib/models/account.dart:3:8: Error: Error when reading '/Users/bradcypert/.pub-cache/hosted/pub.dartlang.org/uuid-3.0.5/lib/uuid.dart': No such file or directory

Namely, any and all of my dependencies are not being found when running inside of the container. It looks like you can set the pub cache directory via an environment variable, and I had some success setting that to my local directory, but then running the application outside of docker becomes a pain. I have those dependencies installed locally and I can run my app by running dart run lib/app.dart as long as I'm not running the app through docker (but this isnt ideal).

I've tried running the AoT version shared in this project but a library that im using uses Dart Mirrors, too.

Any tips?

Thanks and files are attached for context.

Here's my dockerfile:

FROM dart:2.16
WORKDIR /app
COPY . /app
RUN dart pub get
CMD /bin/bash -c "dart run lib/app.dart"

and my compose:

version: "3.9"
services:
  server:
    build: .
    ports:
      - "4040:4040"
    volumes:
      - .:/app

I tried to follow docker installation. unfortunately, the given docker content and/or the command to create fails. the following output should be showing the problem because it is all that is shown.

C:\Workspace\dart>docker build -t dart-server .

[+] Building 4.5s (9/14)
 => [internal] load build definition from Dockerfile                                                                                                                                                        0.0s 
 => => transferring dockerfile: 735B                                                                                                                                                                        0.0s 
 => [internal] load .dockerignore                                                                                                                                                                           0.0s 
 => => transferring context: 34B                                                                                                                                                                            0.0s 
 => [internal] load metadata for docker.io/library/dart:stable                                                                                                                                              3.1s 
 => [auth] library/dart:pull token for registry-1.docker.io                                                                                                                                                 0.0s 
 => [build 1/7] FROM docker.io/library/dart:stable@sha256:76d0bf1a79e33bd6e104275aba3d8a1e8479705323ec0e8b00ced40616024c7b                                                                                  0.0s 
 => [internal] load build context                                                                                                                                                                           0.0s 
 => => transferring context: 2B                                                                                                                                                                             0.0s 
 => CACHED [build 2/7] WORKDIR /app                                                                                                                                                                         0.0s 
 => CACHED [build 3/7] COPY pubspec.* ./                                                                                                                                                                    0.0s
 => ERROR [build 4/7] RUN dart pub get                                                                                                                                                                      1.1s
------
 > [build 4/7] RUN dart pub get:
#9 0.892 Could not find a file named "pubspec.yaml" in "/app".
------
executor failed running [/bin/sh -c dart pub get]: exit code: 66

I have a long-running server that has code that runs slow when compiled AOT, and I want to optimize startup time and reduce the image size. I've tried doing the following:

FROM dart:2.17 AS build

WORKDIR /app
COPY pubspec.yaml .
RUN dart pub get

COPY . .
RUN dart pub get --offline
RUN dart compile jit-snapshot bin/server.dart

FROM scratch
COPY --from=build /runtime/ /
COPY --from=build /app/bin/server.jit app/bin/
EXPOSE 4002
ENTRYPOINT ["dart", "/app/bin/server.jit"]

However, I get an error when I try to run the container, because dart is not found. Is there any way this could work, similar to AOT?

Using something like this

FROM dart:2.17

WORKDIR /app

COPY bin/server.jit /app/bin/
ENTRYPOINT ["dart", "bin/server.jit"]

results in a 266.8MB image(!)

Hi there, I really love all the work by the dart team, Dart really has become one of my favorite languages (also outside of Flutter).

I am wondering why there are only buster-slim images in this repo - I require newer versions of many packages. Personally, I just copied the entire Dockerfile into my repo and changed buster -> sid, but it would be awesome to have them directly in here.

FROM dart:stabel-sid or something like that :)

It would be great if the "$HOME/.pub-cache/bin" path would be part of the image's PATH variable:

One case this is interesting is for a CI step which installs an executable dart package via dart pub global activate.

If the mentioned path would be in PATH those executables could be run using their name directly and omitting recompilation on multiple calls.

GoogleContainerTools/distroless

"Distroless" images contain only your application and its runtime dependencies. They do not contain package managers, shells or any other programs you would expect to find in a standard Linux distribution.

The main benefit would seem to be image signing with cosign, though BusyBox might come in handy at times.