
Questions about official image vulnerabilities and scan cycles #28

Closed
june5079 opened this issue Apr 14, 2023 · 1 comment

@june5079

Thank you for creating the Docker Official Image.
We are scanning for a number of security elements as we consider adopting the Docker Official Image in our organization.

I would like to ask about your scanning policy for Docker Official Images.
For CVE-2023-23914, which was recently categorized as a critical vulnerability, when I scan the alpine:3.17 official image with the Trivy tool, it shows that there is a vulnerability.

However, the image currently listed on Docker shows that it was updated 16 days ago. I would like to know how often the Docker official image is scanned and updated if a vulnerability is found.

  • [Screenshot: Trivy scan result on alpine:3.17]
  • [Screenshot: Docker Official Image pushed 16 days ago]

@yosifkit

yosifkit commented Apr 14, 2023

Though not every CVE is removed from the images, we take CVEs seriously and try to ensure that images contain the most up-to-date packages available within a reasonable time frame.
[...]
We strive to publish updated images at least monthly for Debian. We also rebuild earlier if there is a critical security need, e.g. docker-library/official-images#2171. Many Official Images are maintained by the community or their respective upstream projects, like Ubuntu, Alpine, and Oracle Linux, and are subject to their own maintenance schedule. These refreshed base images also mean that any other image in the Official Images program that is FROM them will also be rebuilt.

- https://github.com/docker-library/faq/tree/4f51e1b995017ab10dab85fed304bce60fb7fa37#why-does-my-security-scanner-show-that-an-image-has-cves

As far as scanning, the Docker Scout vulnerability report on Docker Hub is always up-to-date (click on one of the digests on the tags page to see a report of any vulnerabilities found).

You mention Alpine 3.17, but your scan looks like it is for an nginx image (since the alpine:3.17 image does not come with curl installed). So, this would be a duplicate of nginxinc/docker-nginx#760. The images are already updated to the fixed version; you likely need to pull an updated nginx:stable-alpine image. Maybe you want the nginx:stable-alpine-slim image that includes fewer dependencies (and features)?

$ docker run -it --rm nginx:alpine sh
Unable to find image 'nginx:alpine' locally
alpine: Pulling from library/nginx
f56be85fc22e: Already exists
2ce963c369bc: Pull complete
59b9d2200e63: Pull complete
3e1e579c95fe: Pull complete
547a97583f72: Pull complete
1f21f983520d: Pull complete
c23b4f8cf279: Pull complete
Digest: sha256:dd2a9179765849767b10e2adde7e10c4ad6b7e4d4846e6b77ec93f080cd2db27
Status: Downloaded newer image for nginx:alpine
/ # apk info -v | grep curl
WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.17/main: No such file or directory
WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.17/community: No such file or directory
libcurl-7.88.1-r1
curl-7.88.1-r1

Side note: stable vs mainline releases: https://serverfault.com/a/715126
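The check the maintainer performs above (pull the image, list packages, look for curl) turned into a script, as an added example that is not code from this thread or from the docker-library project: it parses `apk info -v` output, skips the repository warnings, and flags packages still below a fixed version, using the curl/libcurl 7.88.1-r1 shown in the reply as the threshold. The sample listing is constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# `apk info -v` output in the shape seen in the thread, constructed here with
# one extra package line; WARNING lines must be skipped, not parsed as packages.
SAMPLE_APK_INFO = """\
WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.17/main: No such file or directory
libcurl-7.88.1-r1
curl-7.88.1-r1
nginx-1.24.0-r6
"""

# apk prints "<name>-<version>-r<release>"; the name may itself contain dashes,
# so match the name lazily and require the version to start with a digit.
_PKG_RE = re.compile(r"^(?P<name>.+?)-(?P<ver>\d[^-\s]*)-r(?P<rel>\d+)$")

def version_key(ver: str) -> Tuple[int, ...]:
    """'7.88.1' -> (7, 88, 1); a component with a suffix (e.g. '0_git')
    sorts by its leading digits, so ordinary versions compare correctly."""
    key = []
    for part in ver.split("."):
        m = re.match(r"\d+", part)
        key.append(int(m.group()) if m else 0)
    return tuple(key)

def parse_apk_info(text: str) -> Dict[str, Tuple[Tuple[int, ...], int]]:
    """Map package name -> (version key, release number), ignoring non-package lines."""
    pkgs = {}
    for line in text.splitlines():
        m = _PKG_RE.match(line.strip())
        if m:
            pkgs[m["name"]] = (version_key(m["ver"]), int(m["rel"]))
    return pkgs

def is_fixed(pkgs: Dict[str, Tuple[Tuple[int, ...], int]], name: str, fixed: str) -> Optional[bool]:
    """True/False if `name` is installed at/below the fixed 'X.Y.Z-rN';
    None if it is not installed at all (plain alpine:3.17 ships no curl)."""
    if name not in pkgs:
        return None
    ver, rel = fixed.rsplit("-r", 1)
    return pkgs[name] >= (version_key(ver), int(rel))

def outdated(text: str, fixes: Dict[str, str]) -> List[str]:
    """Names of packages present in the listing but still below their fix."""
    pkgs = parse_apk_info(text)
    return [n for n, f in fixes.items() if is_fixed(pkgs, n, f) is False]

# Threshold taken from the maintainer's output above (curl/libcurl 7.88.1-r1).
CURL_FIXES = {"curl": "7.88.1-r1", "libcurl": "7.88.1-r1"}

if __name__ == "__main__":
    print(outdated(SAMPLE_APK_INFO, CURL_FIXES))  # [] -> listing carries the fix
```

Feed it the output of `docker run --rm <image> apk info -v` to confirm a freshly pulled tag actually carries the rebuilt packages before re-running the scanner.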
