This repository can be used to demo Docker Scout with an ASP.NET Core application.
Note: Enable containerd in your DD to make attestations work.
$ docker buildx b . -f Dockerfile.alpine \
-t christiandupuis299/aspnetapp:main \
--attest type=sbom,generator=docker/scout-sbom-indexer:1 \
--provenance=1 --load --no-cache --platform linux/amd64,linux/arm64
This sample has been modified from original to include some .NET Core specific vulnerabilties:
$ docker scout cves christiandupuis299/aspnetapp:main --only-package-type nuget
✓ SBOM obtained from attestation, 335 packages found
✓ Provenance obtained from attestation
✗ Detected 2 vulnerable packages with a total of 4 vulnerabilities
## Overview
│ Analyzed Image
────────────────────┼───────────────────────────────────────────────
Target │ christiandupuis299/aspnetapp:main
digest │ ac768bd0366f
platform │ linux/arm64
provenance │ ssh://github.com/dotnet/dotnet-docker
│ 7d4d56941607d8521d500be152d66bb7d9e3dbf0
vulnerabilities │ 0C 1H 3M 0L
size │ 55 MB
packages │ 313
│
Base image │ mcr.microsoft.com/dotnet/aspnet:8.0-alpine
│ 25b1e6815f4f
## Packages and Vulnerabilities
0C 1H 0M 0L Npgsql 8.0.1.0
pkg:nuget/[email protected]
Dockerfile.alpine (22:22)
COPY --from=build /app .
✗ HIGH CVE-2024-32655 [Integer Overflow or Wraparound]
https://scout.docker.com/v/CVE-2024-32655
Affected range : >=8.0.0
: <8.0.3
Fixed version : 8.0.3
CVSS Score : 8.1
CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score : 0.05%
EPSS Percentile : 17th percentile
0C 0H 3M 0L BouncyCastle.Cryptography 2.3.0.53016
pkg:nuget/[email protected]
Dockerfile.alpine (22:22)
COPY --from=build /app .
✗ MEDIUM CVE-2024-30171 [Observable Discrepancy]
https://scout.docker.com/v/CVE-2024-30171
Affected range : <2.3.1
Fixed version : 2.3.1
CVSS Score : 5.9
CVSS Vector : CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
✗ MEDIUM CVE-2024-30172 [Loop with Unreachable Exit Condition ('Infinite Loop')]
https://scout.docker.com/v/CVE-2024-30172
Affected range : <2.3.1
Fixed version : 2.3.1
CVSS Score : 5.3
CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
✗ MEDIUM CVE-2024-29857 [Uncontrolled Resource Consumption]
https://scout.docker.com/v/CVE-2024-29857
Affected range : <2.3.1
Fixed version : 2.3.1
CVSS Score : 5.3
CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
4 vulnerabilities found in 2 packages
LOW 0
MEDIUM 3
HIGH 1
CRITICAL 0
With containerd enabled, local policy evaluation will work and yield some interesting results:
docker scout policy christiandupuis299/aspnetapp:main
✓ SBOM obtained from attestation, 335 packages found
✓ Provenance obtained from attestation
✓ Policy evaluation completed
## Overview
│ Analyzed Image
─────────────┼──────────────────────────────────────
Target │ christiandupuis299/aspnetapp:main
digest │ 64f44fb1d7d4
platform │ linux/arm64
## Policies
Policy status FAILED (6/9 policies met)
Status │ Policy │ Results
─────────┼─────────────────────────────────────────────────┼──────────────────────────────
✓ │ Copyleft licenses │ 0 packages
! │ Default non-root user │
! │ Fixable critical and high CVEs (Production SLA) │ 4 deviations
✓ │ Fixable critical and high vulnerabilities │ 0C 0H 0M 0L
✓ │ High-profile vulnerabilities │ 0C 0H 0M 0L
✓ │ No embedded secrets │ 0 deviations
✓ │ Outdated base images │
✓ │ Supply chain attestations │ 0 deviations
! │ Unapproved base images │ 1 deviation
## "Default non-root user" policy evaluation results
Ensures the image specifies a non-root username (or UID) for the final stage.
User │ Explicit
───────┼───────────
root │ false
## "Fixable critical and high CVEs (Production SLA)" policy evaluation results
This policy checks for fixable critical and high CVEs
Purl │ Vulnerability │ Fixed by │ Severity │ Score │ Epss
───────────────────────────────────────────────────────────────────┼────────────────┼────────────┼──────────┼───────┼───────────────
pkg:apk/alpine/[email protected]?os_name=alpine&os_version=3.19 │ CVE-2023-42366 │ 1.36.1-r16 │ MEDIUM │ 5.50 │ 0.04% (0.12)
pkg:apk/alpine/[email protected]?os_name=alpine&os_version=3.19 │ CVE-2023-42363 │ 1.36.1-r17 │ MEDIUM │ 5.50 │ 0.04% (0.12)
pkg:apk/alpine/[email protected]?os_name=alpine&os_version=3.19 │ CVE-2023-42364 │ 1.36.1-r17 │ MEDIUM │ 5.50 │ 0.04% (0.12)
pkg:apk/alpine/[email protected]?os_name=alpine&os_version=3.19 │ CVE-2023-42365 │ 1.36.1-r17 │ MEDIUM │ 5.50 │ 0.04% (0.12)
## "Unapproved base images" policy evaluation results
Base images must be from approved sources.
Base image │ Reason
─────────────────────────────────────────────┼──────────────────────────────────────────────
mcr.microsoft.com/dotnet/aspnet:8.0-alpine │ Does not match any approved glob expression
This sample demonstrates how to build container images for ASP.NET Core web apps. See .NET Docker Samples for more samples.
Note: .NET 8 container images use port
8080
, by default. Previous .NET versions used port80
. The instructions for the sample assume the use of port8080
.
You can start by launching a sample from our container registry and access it in your web browser at http://localhost:8000
.
docker run --rm -it -p 8000:8080 -e ASPNETCORE_HTTP_PORTS=8080 mcr.microsoft.com/dotnet/samples:aspnetapp
You can also call an endpoint that the app exposes:
$ curl http://localhost:8000/Environment
{"runtimeVersion":".NET 8.0.0-preview.6.23329.7","osVersion":"Ubuntu 22.04.2 LTS","osArchitecture":"Arm64","user":"app","processorCount":4,"totalAvailableMemoryBytes":4124442624,"memoryLimit":0,"memoryUsage":31518720,"hostName":"78e2b2cfc0e8"}
This container image is built with Ubuntu Chiseled, with Dockerfile.
You can change the port ASP.NET Core uses with one of the following environment variables. However, port 8080
(set by default) is recommended.
The following examples change the port to port 80
.
Supported with .NET 8+:
ASPNETCORE_HTTP_PORTS=80
Supported with .NET Core 1.0+
ASPNETCORE_URLS=http://+:80
Note: ASPNETCORE_URLS
overwrites ASPNETCORE_HTTP_PORTS
if set.
These environment variables are used in .NET 8 and .NET 6 Dockerfiles, respectively.
You can built an image using one of the provided Dockerfiles.
docker build --pull -t aspnetapp .
docker run --rm -it -p 8000:8080 -e ASPNETCORE_HTTP_PORTS=8080 aspnetapp
You should see the following console output as the application starts:
> docker run --rm -it -p 8000:8080 -e ASPNETCORE_HTTP_PORTS=8080 aspnetapp
info: Microsoft.Hosting.Lifetime[14]
Now listening on: http://[::]:8080
info: Microsoft.Hosting.Lifetime[0]
Application started. Press Ctrl+C to shut down.
After the application starts, navigate to http://localhost:8000
in your web browser. You can also view the ASP.NET Core site running in the container from another machine with a local IP address such as http://192.168.1.18:8000
.
Note: ASP.NET Core apps (in official images) listen to port 8080 by default, starting with .NET 8. The
-p
argument in these examples maps host port8000
to container port8080
(host:container
mapping). The container will not be accessible without this mapping. ASP.NET Core can be configured to listen on a different or additional port.
You can see the app running via docker ps
.
$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
d79edc6bfcb6 mcr.microsoft.com/dotnet/samples:aspnetapp "./aspnetapp" 35 seconds ago Up 34 seconds (healthy) 0.0.0.0:8080->8080/tcp nice_curran
You may notice that the sample includes a health check, indicated in the "STATUS" column.
The easiest way to build images is with the SDK.
dotnet publish /p:PublishProfile=DefaultContainer
That command can be further customized to use a different base image and publish to a container registry. You must first use docker login
to login to the registry.
dotnet publish /p:PublishProfile=DefaultContainer /p:ContainerBaseImage=mcr.microsoft.com/dotnet/aspnet:8.0-jammy-chiseled /p:ContainerRegistry=docker.io /p:ContainerRepository=youraccount/aspnetapp
The .NET Team publishes images for multiple distros.
Samples are provided for:
- Alpine
- Alpine with Composite ready-to-run image
- Alpine with ICU installed
- Debian
- Ubuntu
- Ubuntu Chiseled
- Ubuntu Chiseled with Composite ready-to-run image
The .NET Team publishes images for multiple Windows versions. You must have Windows containers enabled to use these images.
Samples are provided for
Windows variants of the sample can be pulled via one the following registry addresses:
mcr.microsoft.com/dotnet/samples:aspnetapp-nanoserver-1809
mcr.microsoft.com/dotnet/samples:aspnetapp-nanoserver-ltsc2022