
Vulnerabilities Issue Within php:<version>-apache Image Variants #1200

Closed
codetochangeMinds opened this issue Sep 7, 2021 · 1 comment
Labels: question (Usability question, not directly related to an error with the image)

Comments

@codetochangeMinds

There is a vulnerability issue with php:<version>-apache images. The Alpine variants are not reporting any vulnerabilities, but the Apache-based images are reporting vulnerabilities. Below is the result I got after scanning the image using `docker scan php:8.0.10-apache-buster`. Are there any other secure options for PHP + Apache?

```
Package manager:   deb
Project name:      docker-image|php
Docker image:      php:apache-buster
Platform:          linux/amd64
Base image:        php:8.0.10-apache-buster

Tested 176 dependencies for known vulnerabilities, found 172 vulnerabilities.

Base Image                 Vulnerabilities  Severity
php:8.0.10-apache-buster   172              16 high, 11 medium, 145 low

Recommendations for base image upgrade:

Alternative image types
Base Image                 Vulnerabilities  Severity
php:8.1-rc-cli             66               2 high, 1 medium, 63 low
php:8.1-rc-fpm-bullseye    66               2 high, 1 medium, 63 low
php:8.1-rc-zts-bullseye    66               2 high, 1 medium, 63 low
php:fpm-bullseye           66               2 high, 1 medium, 63 low

For more free scans that keep your images secure, sign up to Snyk at https://dockr.ly/3ePqVcp
```

wglambert added the question label Sep 7, 2021

@wglambert

wglambert commented Sep 7, 2021

For the Debian variant you can check the CVE status over at https://security-tracker.debian.org/tracker/CVE-2021-3712 (search for any specific CVE)

All packages in php:8.0.10-apache-buster are up to date

```
$ docker run -it --rm php:8.0.10-apache-buster bash
Unable to find image 'php:8.0.10-apache-buster' locally
8.0.10-apache-buster: Pulling from library/php
a330b6cecb98: Pull complete
e27954d5e890: Pull complete
800008126927: Pull complete
e0746dd2f27f: Pull complete
27af26c5dec7: Pull complete
0e310a2e3a56: Pull complete
326ebb7fb18a: Pull complete
1b9675c764b2: Pull complete
67e6c76db388: Pull complete
fc6129b566f8: Pull complete
00e91aa3db71: Pull complete
77097f527ea6: Pull complete
d387efbf63be: Pull complete
Digest: sha256:0865edc2170f3f7dfd624b7981151baeb8c4c095b8c30125dc209f0acbd34e8f
Status: Downloaded newer image for php:8.0.10-apache-buster

root@5b2198503c1c:/var/www/html# apt update && apt list upgradeable
Get:1 http://security.debian.org/debian-security buster/updates InRelease [65.4 kB]
Get:2 http://deb.debian.org/debian buster InRelease [122 kB]
Get:3 http://deb.debian.org/debian buster-updates InRelease [51.9 kB]
Get:4 http://security.debian.org/debian-security buster/updates/main amd64 Packages [302 kB]
Get:5 http://deb.debian.org/debian buster/main amd64 Packages [7907 kB]
Get:6 http://deb.debian.org/debian buster-updates/main amd64 Packages [15.2 kB]
Fetched 8464 kB in 2s (3996 kB/s)
Reading package lists... Done
Building dependency tree
Reading state information... Done
All packages are up to date.
Listing... Done
```

See https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves
And docker-library/openjdk#449 (comment), docker-library/postgres#286 (comment) docker-library/openjdk#161, docker-library/openjdk#112, docker-library/postgres#286, docker-library/drupal#84, docker-library/official-images#2740, docker-library/ruby#117, docker-library/ruby#94, docker-library/python#152, #242, docker-library/buildpack-deps#46, docker-library/openjdk#185.

A CVE doesn't imply having an actual vulnerability, and often is even a false positive (given how most distributions handle versioning/security updates in stable releases). If there are actionable items we can resolve, we're happy to do so (and do so actively). We update all Debian based images to include any updates in apt packages at least monthly (we regenerate the base images and then rebuild all dependent images).

@tianon tianon closed this as completed Sep 7, 2021
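As an added example (editor's code, not from the docker-library maintainers or anyone in this thread), here is the check wglambert describes, automated: take a scanner finding (CVE id plus binary package), read the installed version from dpkg and the fix status from Debian's security tracker for the image's suite, and compare the two with dpkg's own version ordering, so a backported fix such as 1.1.1d-0+deb10u7 is recognised as a fix even though its upstream part (1.1.1d) is older than the upstream release that fixed the bug. The tracker JSON layout used here (source package -> CVE -> releases -> status/fixed_version/urgency) is my reading of https://security-tracker.debian.org/tracker/data/json and is an assumption; `TRACKER` and `DPKG_OUTPUT` are constructed samples, and `examplepkg` / CVE-1900-0001 is a placeholder, not a real package or CVE.

```python
"""Triage scanner CVE findings against Debian security tracker data."""
import re

# dpkg version comparison (Debian Policy 5.6.12), so that backported fixes
# like 1.1.1d-0+deb10u7 are ordered correctly, not by upstream version alone.
def _char_order(c: str) -> int:
    """'~' sorts before anything, even end-of-string; letters before others."""
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_nondigit(a: str, b: str) -> int:
    for i in range(max(len(a), len(b))):
        oa = _char_order(a[i]) if i < len(a) else 0
        ob = _char_order(b[i]) if i < len(b) else 0
        if oa != ob:
            return -1 if oa < ob else 1
    return 0

def _cmp_fragment(a: str, b: str) -> int:
    """Compare alternating non-digit and digit runs, digits numerically."""
    while a or b:
        na, nb = re.match(r"[^0-9]*", a).group(), re.match(r"[^0-9]*", b).group()
        r = _cmp_nondigit(na, nb)
        if r:
            return r
        a, b = a[len(na):], b[len(nb):]
        da, db = re.match(r"[0-9]*", a).group(), re.match(r"[0-9]*", b).group()
        ia, ib = int(da or "0"), int(db or "0")
        if ia != ib:
            return -1 if ia < ib else 1
        a, b = a[len(da):], b[len(db):]
    return 0

def split_version(v: str):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def deb_version_cmp(a: str, b: str) -> int:
    """Return -1, 0 or 1, like `dpkg --compare-versions`."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

# Constructed sample in the ASSUMED shape of
# https://security-tracker.debian.org/tracker/data/json:
# source package -> CVE -> {"releases": {suite: {status, fixed_version, urgency}}}.
# "examplepkg" / CVE-1900-0001 is a placeholder, not a real package or CVE.
TRACKER = {
    "openssl": {"CVE-2021-3712": {"releases": {"buster": {
        "status": "resolved", "fixed_version": "1.1.1d-0+deb10u7", "urgency": "medium"}}}},
    "examplepkg": {"CVE-1900-0001": {"releases": {"buster": {
        "status": "open", "urgency": "unimportant"}}}},
}

# Constructed output of:
#   dpkg-query -W -f='${binary:Package}\t${source:Package}\t${Version}\n'
DPKG_OUTPUT = ("libssl1.1\topenssl\t1.1.1d-0+deb10u7\n"
               "openssl\topenssl\t1.1.1d-0+deb10u7\n"
               "examplepkg\texamplepkg\t2.0-1\n")

def parse_dpkg(output: str) -> dict:
    """Map binary package -> (source package, installed version)."""
    pkgs = {}
    for line in output.splitlines():
        if line.strip():
            binary, source, version = line.split("\t")
            pkgs[binary] = (source, version)
    return pkgs

def triage(cve: str, binary_pkg: str, installed: dict, release: str = "buster",
           tracker: dict = TRACKER) -> str:
    """Classify one finding: fixed, upgrade, open, unimportant or unknown."""
    if binary_pkg not in installed:
        return "unknown"
    source, version = installed[binary_pkg]
    rel = tracker.get(source, {}).get(cve, {}).get("releases", {}).get(release)
    if rel is None:
        return "unknown"
    if rel["status"] == "resolved":
        # The fix is backported into 1.1.1d-0+deb10uN; a scanner comparing
        # only the upstream part (1.1.1d < 1.1.1l) still flags the package.
        fixed = rel.get("fixed_version")
        return "fixed" if fixed and deb_version_cmp(version, fixed) >= 0 else "upgrade"
    if rel["status"] == "open":
        return "unimportant" if rel.get("urgency") == "unimportant" else "open"
    return "unknown"

def triage_findings(findings, dpkg_output: str = DPKG_OUTPUT, release: str = "buster") -> dict:
    # findings: (cve, binary package) pairs as a scanner reports them
    installed = parse_dpkg(dpkg_output)
    return {(cve, pkg): triage(cve, pkg, installed, release) for cve, pkg in findings}
```

To use it on a real image, run the `dpkg-query` command inside the container, fetch the tracker export with `curl -s https://security-tracker.debian.org/tracker/data/json` and pass the parsed JSON as `tracker`; spot-check any surprising verdict with `dpkg --compare-versions` in the same container. A verdict of "upgrade" is the only one that is actionable in the image itself, and `apt list --upgradeable` returning nothing (as in wglambert's run above) means every such finding has already been applied.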