
[🐛 Bug]: The environment variable SE_VNC_PASSWORD contains sensitive data #2060

Closed
mrbusche opened this issue Dec 12, 2023 · 7 comments · Fixed by #2061

Comments

@mrbusche

What happened?

In #2056 an environment variable SE_VNC_PASSWORD was added which is flagged by security scanners. The first release with this commit is https://github.com/SeleniumHQ/docker-selenium/releases/tag/4.16.1-20231212

If I create the image locally as is with ENV SE_VNC_PASSWORD=secret the secret is flagged. If I create with ENV SE_VNC_PASSWORD= then it is not flagged. Is it possible to set the variable without a default value?

Command used to start Selenium Grid with Docker (or Kubernetes)

This is an environment variable issue

Relevant log output

This is an environment variable issue

Operating System

all

Docker Selenium version (tag or chart version)

4.16.1-20231212


@mrbusche, thank you for creating this issue. We will troubleshoot it as soon as we can.


Info for maintainers

Triage this issue by using labels.

If information is missing, add a helpful comment and then I-issue-template label.

If the issue is a question, add the I-question label.

If the issue is valid but there is no time to troubleshoot it, consider adding the help wanted label.

If the issue requires changes or fixes from an external project (e.g., ChromeDriver, GeckoDriver, MSEdgeDriver, W3C), add the applicable G-* label, and it will provide the correct link and auto-close the issue.

After troubleshooting the issue, please add the R-awaiting answer label.

Thank you!

@diemol
Member

diemol commented Dec 12, 2023

It has always been hardcoded somewhere: before it was in the script, and now it is in the Dockerfile. Why is that different now?

@mrbusche
Author

It has always been hardcoded somewhere: before it was in the script, and now it is in the Dockerfile. Why is that different now?

Now it's an explicit ENV variable being set. I don't believe that was the previous functionality, based on the commit history I have looked at.

@VietND96
Member

Before it was

RUN mkdir -p ${HOME}/.vnc \
  && x11vnc -storepasswd secret ${HOME}/.vnc/passwd

I guess the scan tool evaluates it as an ENV that contains PASSWORD or something.
Is it a blocker for running the container in your organization? Or can we fix it slowly in the next deploy?

@mrbusche
Author

Before it was

RUN mkdir -p ${HOME}/.vnc \
  && x11vnc -storepasswd secret ${HOME}/.vnc/passwd

I guess the scan tool evaluates it as an ENV that contains PASSWORD or something. Is it a blocker for running the container in your organization? Or can we fix it slowly in the next deploy?

We have "allowed" the specific image to run, so we're not at a hard stop. If you could fix for the next release that would be great.

@VietND96
Member

VietND96 commented Dec 13, 2023

@mrbusche, may I know whether any vulnerability is reported in the Base image at the line ARG SEL_PASSWD=secret?
Updated: after reading some best practices, I think the default value in ARG would not be a problem.


This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked and limited conversation to collaborators Jan 13, 2024