// Copyright 2025 Google LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

//go:build windows

// Package dockersocket implements a detector for Docker socket exposure vulnerabilities.
//
// This file is the windows build of the package: it keeps the plugin's public
// surface (Name, Version, Requirements, Scan, ScanFS) compiling on Windows
// while performing no inspection of the filesystem.
package dockersocket

import (
	"context"
	"io/fs"

	"github.com/google/osv-scalibr/detector"
	scalibrfs "github.com/google/osv-scalibr/fs"
	"github.com/google/osv-scalibr/inventory"
	"github.com/google/osv-scalibr/packageindex"
	"github.com/google/osv-scalibr/plugin"
)

const (
	// Name is the plugin identifier under which this detector is registered.
	Name = "dockersocket"
)

// Detector is a SCALIBR Detector for Docker socket exposure vulnerabilities.
// It carries no state; every method works purely from its arguments.
type Detector struct{}

// New returns a fresh Detector, typed as the generic detector.Detector interface.
func New() detector.Detector {
	var d Detector
	return &d
}

// Name reports the plugin identifier (see the Name constant).
func (Detector) Name() string {
	return Name
}

// Version reports the detector's version number.
func (Detector) Version() int {
	return 0
}

// RequiredExtractors reports the extractors this detector depends on. The
// list is empty: no package inventory is needed. A non-nil slice is returned
// deliberately so it serialises as an empty list rather than null.
func (Detector) RequiredExtractors() []string {
	return make([]string, 0)
}

// Requirements reports the capabilities the detector needs from the scan host.
// Even in this windows build the detector declares a Unix OS requirement;
// presumably this keeps the plugin framework from scheduling the stub on
// Windows hosts — confirm against the plugin runner before relying on it.
func (Detector) Requirements() *plugin.Capabilities {
	caps := plugin.Capabilities{OS: plugin.OSUnix}
	return &caps
}

// Scan starts the scan.
func (d Detector) Scan(ctx context.Context, scanRoot *scalibrfs.ScanRoot, px *packageindex.PackageIndex) (inventory.Finding, error) {
	// Hand the root's filesystem to ScanFS; on this build that is a no-op.
	fsys := scanRoot.FS
	return d.ScanFS(ctx, fsys, px)
}

// DetectedFinding returns the advisory this detector is able to raise, without
// any concrete target attached.
func (d Detector) DetectedFinding() inventory.Finding {
	var noTarget *inventory.GenericFindingTargetDetails
	return d.findingForTarget(noTarget)
}

// findingForTarget assembles the single docker-socket-exposure advisory and
// attaches target to it. target may be nil, as it is when DetectedFinding asks
// for the generic (target-less) description.
func (Detector) findingForTarget(target *inventory.GenericFindingTargetDetails) inventory.Finding {
	advisoryID := &inventory.AdvisoryID{
		Publisher: "SCALIBR",
		Reference: "docker-socket-exposure",
	}

	description := "Docker socket exposure can lead to privilege escalation and container escape vulnerabilities. " +
		"Insecure Docker socket permissions, daemon configuration, or systemd service settings " +
		"may allow unauthorized access to the Docker API, potentially compromising the entire host system."

	recommendation := "Secure Docker socket by: 1) Setting appropriate file permissions (660) on /var/run/docker.sock, " +
		"2) Configuring daemon.json to use TLS authentication for remote API access, " +
		"3) Ensuring systemd service configurations use secure API bindings with proper authentication."

	advisory := &inventory.GenericFindingAdvisory{
		ID:             advisoryID,
		Title:          "Docker Socket Exposure Detection",
		Description:    description,
		Recommendation: recommendation,
		Sev:            inventory.SeverityHigh,
	}

	finding := &inventory.GenericFinding{
		Adv:    advisory,
		Target: target,
	}
	return inventory.Finding{GenericFindings: []*inventory.GenericFinding{finding}}
}

// ScanFS is the windows stub of the scan. It inspects nothing — ctx, fsys and
// px are intentionally unused — and unconditionally returns an empty Finding
// with a nil error.
//
// Consumers should read the empty result as "check not performed on this
// platform", not as evidence that the scanned target has no Docker socket
// exposure; the real checks are only compiled for non-windows builds.
func (d Detector) ScanFS(ctx context.Context, fsys fs.FS, px *packageindex.PackageIndex) (inventory.Finding, error) {
	var empty inventory.Finding
	return empty, nil
}