--- hide: - toc --- # Security Overview ## Helm-Chart ##### Scan Results #### Chart Object: syncthing/templates/common.yaml | Type | Misconfiguration ID | Check | Severity | Explaination | Links | |:----------------|:------------------:|:-----------:|:------------------:|-----------------------------------------|-----------------------------------------| | Kubernetes Security Check | KSV003 | Default capabilities not dropped | LOW |

Expand...

The container should drop all default capabilities and add only those that are needed for its execution.

Container 'RELEASE-NAME-syncthing' of Deployment 'RELEASE-NAME-syncthing' should add 'ALL' to 'securityContext.capabilities.drop'

Expand...

https://kubesec.io/basics/containers-securitycontext-capabilities-drop-index-all/
https://avd.aquasec.com/appshield/ksv003

Expand...

'runAsNonRoot' forces the running image to run as a non-root user to ensure least privileges.

Container 'autopermissions' of Deployment 'RELEASE-NAME-syncthing' should set 'securityContext.runAsNonRoot' to true

Expand...

https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
https://avd.aquasec.com/appshield/ksv012

| | Kubernetes Security Check | KSV013 | Image tag ':latest' used | LOW |

Expand...

It is best to avoid using the ':latest' image tag when deploying containers in production. Doing so makes it hard to track which version of the image is running, and hard to roll back the version.

Container 'RELEASE-NAME-syncthing' of Deployment 'RELEASE-NAME-syncthing' should specify an image tag

Expand...

https://kubernetes.io/docs/concepts/configuration/overview/#container-images
https://avd.aquasec.com/appshield/ksv013

| | Kubernetes Security Check | KSV013 | Image tag ':latest' used | LOW |

Expand...

It is best to avoid using the ':latest' image tag when deploying containers in production. Doing so makes it hard to track which version of the image is running, and hard to roll back the version.

Container 'autopermissions' of Deployment 'RELEASE-NAME-syncthing' should specify an image tag

Expand...

https://kubernetes.io/docs/concepts/configuration/overview/#container-images
https://avd.aquasec.com/appshield/ksv013

| | Kubernetes Security Check | KSV014 | Root file system is not read-only | LOW |

Expand...

An immutable root file system prevents applications from writing to their local disk. This can limit intrusions, as attackers will not be able to tamper with the file system or write foreign executables to disk.

Container 'autopermissions' of Deployment 'RELEASE-NAME-syncthing' should set 'securityContext.readOnlyRootFilesystem' to true

Expand...

https://kubesec.io/basics/containers-securitycontext-readonlyrootfilesystem-true/
https://avd.aquasec.com/appshield/ksv014

Expand...

A program inside the container can bypass Seccomp protection policies.

Container 'RELEASE-NAME-syncthing' of Deployment 'RELEASE-NAME-syncthing' should specify a seccomp profile

Expand...

https://kubesec.io/basics/metadata-annotations-container-seccomp-security-alpha-kubernetes-io-pod/
https://avd.aquasec.com/appshield/ksv019

Expand...

A program inside the container can bypass Seccomp protection policies.

Container 'autopermissions' of Deployment 'RELEASE-NAME-syncthing' should specify a seccomp profile

Expand...

https://kubesec.io/basics/metadata-annotations-container-seccomp-security-alpha-kubernetes-io-pod/
https://avd.aquasec.com/appshield/ksv019

Expand...

Force the container to run with user ID > 10000 to avoid conflicts with the host’s user table.

Container 'RELEASE-NAME-syncthing' of Deployment 'RELEASE-NAME-syncthing' should set 'securityContext.runAsUser' > 10000

Expand...

https://kubesec.io/basics/containers-securitycontext-runasuser/
https://avd.aquasec.com/appshield/ksv020

Expand...

Force the container to run with user ID > 10000 to avoid conflicts with the host’s user table.

Container 'autopermissions' of Deployment 'RELEASE-NAME-syncthing' should set 'securityContext.runAsUser' > 10000

Expand...

https://kubesec.io/basics/containers-securitycontext-runasuser/
https://avd.aquasec.com/appshield/ksv020

Expand...

Force the container to run with group ID > 10000 to avoid conflicts with the host’s user table.

Container 'RELEASE-NAME-syncthing' of Deployment 'RELEASE-NAME-syncthing' should set 'securityContext.runAsGroup' > 10000

Expand...

https://kubesec.io/basics/containers-securitycontext-runasuser/
https://avd.aquasec.com/appshield/ksv021

Expand...

Force the container to run with group ID > 10000 to avoid conflicts with the host’s user table.

Container 'autopermissions' of Deployment 'RELEASE-NAME-syncthing' should set 'securityContext.runAsGroup' > 10000

Expand...

https://kubesec.io/basics/containers-securitycontext-runasuser/
https://avd.aquasec.com/appshield/ksv021

| ## Containers ##### Detected Containers tccr.io/truecharts/alpine:v3.14.2@sha256:4095394abbae907e94b1f2fd2e2de6c4f201a5b9704573243ca8eb16db8cdb7c tccr.io/truecharts/syncthing:v1.18.4@sha256:cc2bd691927ec19b9aac2d4a3e2330cb0ce9458dda761ead7dddd5f2d8338221 ##### Scan Results #### Container: tccr.io/truecharts/alpine:v3.14.2@sha256:4095394abbae907e94b1f2fd2e2de6c4f201a5b9704573243ca8eb16db8cdb7c (alpine 3.14.2) **alpine** | Package | Vulnerability | Severity | Installed Version | Fixed Version | Links | |:----------------|:------------------:|:-----------:|:------------------:|:-------------:|-----------------------------------------| | busybox | CVE-2021-42378 | HIGH | 1.33.1-r3 | 1.33.1-r6 |

Expand...

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42378
https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/

| | busybox | CVE-2021-42379 | HIGH | 1.33.1-r3 | 1.33.1-r6 |

Expand...

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42379
https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/

| | busybox | CVE-2021-42380 | HIGH | 1.33.1-r3 | 1.33.1-r6 |

Expand...

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42380
https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/

| | busybox | CVE-2021-42381 | HIGH | 1.33.1-r3 | 1.33.1-r6 |

Expand...

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42381
https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/

| | busybox | CVE-2021-42382 | HIGH | 1.33.1-r3 | 1.33.1-r6 |

Expand...

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42382
https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/

| | busybox | CVE-2021-42383 | HIGH | 1.33.1-r3 | 1.33.1-r6 |

Expand...

https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/

| | busybox | CVE-2021-42384 | HIGH | 1.33.1-r3 | 1.33.1-r6 |

Expand...

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42384
https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/

| | busybox | CVE-2021-42385 | HIGH | 1.33.1-r3 | 1.33.1-r6 |

Expand...

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42385
https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/

| | busybox | CVE-2021-42386 | HIGH | 1.33.1-r3 | 1.33.1-r6 |

Expand...

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42386
https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/

| | busybox | CVE-2021-42374 | MEDIUM | 1.33.1-r3 | 1.33.1-r4 |

Expand...

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42374
https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/

| | busybox | CVE-2021-42375 | MEDIUM | 1.33.1-r3 | 1.33.1-r5 |

Expand...

| | ssl_client | CVE-2021-42378 | HIGH | 1.33.1-r3 | 1.33.1-r6 |

Expand...

| | ssl_client | CVE-2021-42379 | HIGH | 1.33.1-r3 | 1.33.1-r6 |

Expand...

| | ssl_client | CVE-2021-42380 | HIGH | 1.33.1-r3 | 1.33.1-r6 |

Expand...

| | ssl_client | CVE-2021-42381 | HIGH | 1.33.1-r3 | 1.33.1-r6 |

Expand...

| | ssl_client | CVE-2021-42382 | HIGH | 1.33.1-r3 | 1.33.1-r6 |

Expand...

| | ssl_client | CVE-2021-42383 | HIGH | 1.33.1-r3 | 1.33.1-r6 |

Expand...

| | ssl_client | CVE-2021-42384 | HIGH | 1.33.1-r3 | 1.33.1-r6 |

Expand...

| | ssl_client | CVE-2021-42385 | HIGH | 1.33.1-r3 | 1.33.1-r6 |

Expand...

| | ssl_client | CVE-2021-42386 | HIGH | 1.33.1-r3 | 1.33.1-r6 |

Expand...

| | ssl_client | CVE-2021-42374 | MEDIUM | 1.33.1-r3 | 1.33.1-r4 |

Expand...

| | ssl_client | CVE-2021-42375 | MEDIUM | 1.33.1-r3 | 1.33.1-r5 |

Expand...

| #### Container: tccr.io/truecharts/syncthing:v1.18.4@sha256:cc2bd691927ec19b9aac2d4a3e2330cb0ce9458dda761ead7dddd5f2d8338221 (alpine 3.14.2) **alpine** | Package | Vulnerability | Severity | Installed Version | Fixed Version | Links | |:----------------|:------------------:|:-----------:|:------------------:|:-------------:|-----------------------------------------| | busybox | CVE-2021-42378 | HIGH | 1.33.1-r3 | 1.33.1-r6 |

Expand...

| | busybox | CVE-2021-42379 | HIGH | 1.33.1-r3 | 1.33.1-r6 |

Expand...

| | busybox | CVE-2021-42380 | HIGH | 1.33.1-r3 | 1.33.1-r6 |

Expand...

| | busybox | CVE-2021-42381 | HIGH | 1.33.1-r3 | 1.33.1-r6 |

Expand...

| | busybox | CVE-2021-42382 | HIGH | 1.33.1-r3 | 1.33.1-r6 |

Expand...

| | busybox | CVE-2021-42383 | HIGH | 1.33.1-r3 | 1.33.1-r6 |

Expand...

| | busybox | CVE-2021-42384 | HIGH | 1.33.1-r3 | 1.33.1-r6 |

Expand...

| | busybox | CVE-2021-42385 | HIGH | 1.33.1-r3 | 1.33.1-r6 |

Expand...

| | busybox | CVE-2021-42386 | HIGH | 1.33.1-r3 | 1.33.1-r6 |

Expand...

| | busybox | CVE-2021-42374 | MEDIUM | 1.33.1-r3 | 1.33.1-r4 |

Expand...

| | busybox | CVE-2021-42375 | MEDIUM | 1.33.1-r3 | 1.33.1-r5 |

Expand...

| | ssl_client | CVE-2021-42378 | HIGH | 1.33.1-r3 | 1.33.1-r6 |

Expand...

| | ssl_client | CVE-2021-42379 | HIGH | 1.33.1-r3 | 1.33.1-r6 |

Expand...

| | ssl_client | CVE-2021-42380 | HIGH | 1.33.1-r3 | 1.33.1-r6 |

Expand...

| | ssl_client | CVE-2021-42381 | HIGH | 1.33.1-r3 | 1.33.1-r6 |

Expand...

| | ssl_client | CVE-2021-42382 | HIGH | 1.33.1-r3 | 1.33.1-r6 |

Expand...

| | ssl_client | CVE-2021-42383 | HIGH | 1.33.1-r3 | 1.33.1-r6 |

Expand...

| | ssl_client | CVE-2021-42384 | HIGH | 1.33.1-r3 | 1.33.1-r6 |

Expand...

| | ssl_client | CVE-2021-42385 | HIGH | 1.33.1-r3 | 1.33.1-r6 |

Expand...

| | ssl_client | CVE-2021-42386 | HIGH | 1.33.1-r3 | 1.33.1-r6 |

Expand...

| | ssl_client | CVE-2021-42374 | MEDIUM | 1.33.1-r3 | 1.33.1-r4 |

Expand...

| | ssl_client | CVE-2021-42375 | MEDIUM | 1.33.1-r3 | 1.33.1-r5 |

Expand...

| **gobinary** | No Vulnerabilities found | |:---------------------------------|