clair scan reveal multiple vulnerabilities #382

Closed
svadnala opened this issue Dec 24, 2019 · 5 comments

svadnala commented Dec 24, 2019

Hi there, tried upgrading our image using nginx:1.17.6 base image (previously used 1.17.0), everything went fine, however a clair scan revealed N number of vulnerabilities and it seems like the latest published image has not been fully patched from a security standpoint.

Can you please look into this.

./clair-scanner -c http://docker:6060 --ip 172.17.0.3 -r gl-container-scanning-report.json -l clair.log -w clair-whitelist.yml ui-image:latest

2019/12/16 19:42:48 [INFO] ▶ Start clair-scanner
2019/12/16 19:42:50 [INFO] ▶ Server listening on port 9279
2019/12/16 19:42:50 [INFO] ▶ Analyzing a4e2f1136e50ce782b4712f7f31628a9d8d973035072f6d7a2c5728c87270dc0
2019/12/16 19:42:50 [INFO] ▶ Analyzing c8f195944aac1c8f868dba8fa4537bc358030fa3676f6a596cf5064b477f8076
2019/12/16 19:42:50 [INFO] ▶ Analyzing d1768ce0e1c77c0650ee06be7357caf1a961843f92b192d750fd52f47f8487ac
2019/12/16 19:42:50 [INFO] ▶ Analyzing e4c6d7dc534070fc512bf6b81e190f88ea8c540d1cd6994b0d323bcf8584ef2f
2019/12/16 19:42:50 [INFO] ▶ Analyzing 9d271d6e1755f0c304e41776f4da13343b8c7f192002338e66716b8bdaeb07cb
2019/12/16 19:42:50 [WARN] ▶ Image [ui-image:latest] contains 112 total vulnerabilities
2019/12/16 19:42:50 [ERRO] ▶ Image [ui-image:latest] contains 112 unapproved vulnerabilities

@mrcasablr

nginx is slow in adopting upstream minor and major versions of alpine, which also include security fixes

@svadnala (Author)

The image in question is based on Debian (buster).

tianon (Contributor) commented Dec 27, 2019

I've just scanned (with Clair, as described in this report) all the latest builds of the supported tags of NGINX, and the only places where there are actual fixable (as in, package updates are available from the distro) CVEs are in nginx:1.16-alpine and nginx:1.16-alpine-perl -- all other versions come back clean when filtering the list to only fixable CVEs (which is all that could possibly be expected to be fixed here).

Even the one that does come back in the older Alpine version is CVE-2019-18197 in libxslt which IMO is pretty minor (Debian tagged it as "no-dsa", for comparison).
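The filter tianon applies above ("only fixable CVEs") is the check worth automating before failing a pipeline on a base-image scan. The script below is an added example, not code from the nginx image, from clair-scanner, or from anyone in this thread: it reads the JSON report that clair-scanner writes with `-r` and separates entries whose distro has already shipped a patched package (a non-empty `fixedby`) from those no image rebuild could fix yet. The field names (`image`, `unapproved`, `vulnerabilities[].fixedby`, ...) are assumed from the shape of clair-scanner's report and should be checked against a real report file; the embedded sample report is constructed, with `CVE-0000-*` placeholders and made-up package versions standing in for unfixable findings.

```python
"""Reduce a clair-scanner JSON report to the CVEs a distro package update can fix.

Added example, not part of the nginx issue or of clair-scanner. Report field
names are assumed from clair-scanner's -r output; verify them on a real report.
"""
import json
import sys
from collections import Counter

# Constructed sample report. CVE-2019-18197 (libxslt) is the finding named in
# the thread; the CVE-0000-* ids are placeholders, not real vulnerabilities, and
# every package version here is made up for illustration.
SAMPLE_REPORT = json.dumps({
    "image": "nginx:1.16-alpine",
    "unapproved": ["CVE-2019-18197", "CVE-0000-0001", "CVE-0000-0002"],
    "vulnerabilities": [
        {"featurename": "libxslt", "featureversion": "1.1.33-r1",
         "vulnerability": "CVE-2019-18197", "namespace": "alpine:v3.10",
         "severity": "Medium", "fixedby": "1.1.33-r3"},
        {"featurename": "musl", "featureversion": "1.1.22-r3",
         "vulnerability": "CVE-0000-0001", "namespace": "alpine:v3.10",
         "severity": "Low", "fixedby": ""},
        {"featurename": "busybox", "featureversion": "1.30.1-r3",
         "vulnerability": "CVE-0000-0002", "namespace": "alpine:v3.10",
         "severity": "Negligible", "fixedby": ""},
    ],
})


def load_report(text):
    """Parse the JSON text clair-scanner writes with -r (assumed schema)."""
    report = json.loads(text)
    report.setdefault("vulnerabilities", [])
    return report


def split_by_fixability(vulns):
    """Return (fixable, unfixable).

    'fixable' means the distro has published a patched package version
    (fixedby is non-empty); everything else cannot be fixed by rebuilding
    the image, so it belongs in the whitelist, not in a pipeline failure.
    """
    fixable = [v for v in vulns if v.get("fixedby")]
    unfixable = [v for v in vulns if not v.get("fixedby")]
    return fixable, unfixable


def summarize(report):
    """Counts plus a sorted list of (cve, package, installed, fixed_in)."""
    fixable, unfixable = split_by_fixability(report["vulnerabilities"])
    return {
        "image": report.get("image", ""),
        "total": len(report["vulnerabilities"]),
        "fixable": len(fixable),
        "unfixable": len(unfixable),
        "fixable_by_severity": dict(
            Counter(v.get("severity", "Unknown") for v in fixable)),
        "fixable_cves": sorted(
            (v["vulnerability"], v["featurename"],
             v["featureversion"], v["fixedby"]) for v in fixable),
    }


def exit_code(summary):
    """Fail only when the image could have been patched by a rebuild."""
    return 1 if summary["fixable"] else 0


if __name__ == "__main__":
    # Usage: python fixable.py gl-container-scanning-report.json
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    s = summarize(load_report(text))
    print(f"{s['image']}: {s['total']} CVEs, {s['fixable']} fixable, "
          f"{s['unfixable']} with no distro fix available")
    for cve, pkg, installed, fixed_in in s["fixable_cves"]:
        print(f"  {cve}  {pkg} {installed} -> {fixed_in}")
    sys.exit(exit_code(s))
```

Run it against the `-r` output from the scan in the first comment; a non-zero exit then means a newer package exists in the distro repository and a rebuild (or a cache-busting change in the Dockerfile) would actually remove the finding, while unfixable entries are the ones to track in `clair-whitelist.yml` rather than treat as a regression in the base image.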

@kwaazaar

But it's fixed in Alpine: https://gitlab.alpinelinux.org/alpine/aports/issues/11074
So no reason not to push fresh images.

@yosifkit (Contributor)

Official images are not just built again. The build machines make heavy use of Docker build cache and so the only way that a new image happens is if the base image is updated (i.e. alpine:3.10 is built new), the line (or earlier) that installs the "vulnerable" package changes (thus breaking Docker build cache), or the base image changes (e.g. moves to alpine:3.11).

A new Alpine 3.10 image is up to The Alpine image maintainers.

Any changes here would be up to the nginx maintainers if they deem the vulnerability important enough to either change the base or change the line to break build cache. (Holiday travel and the Moscow office raid could affect response time (nytimes))

See also https://github.com/docker-library/faq/#why-does-my-security-scanner-show-that-an-image-has-cves.

We strive to publish updated images at least monthly for Debian and Ubuntu. We also rebuild earlier if there is a critical security need, e.g. docker-library/official-images#2171. Many Official Images are maintained by the community or their respective upstream projects, like Alpine and Oracle Linux, and are subject to their own maintenance schedule.
