Multiple CVEs #316
See https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-so-many-cves

A CVE doesn't imply having an actual vulnerability, and often is even a false positive (given how most distributions handle versioning/security updates in stable releases). If there are actionable items we can resolve, we're happy to do so (and do so actively). We update all Debian based images to include any updates in apt packages at least monthly (we regenerate the base images and then rebuild all dependent images).

The only packages that are able to be upgraded are libssl/openssl:

```console
$ docker run -it --rm ruby:2.7-slim-buster bash
root@d33acc028399:/# apt update && apt upgrade
Get:1 http://security.debian.org/debian-security buster/updates InRelease [65.4 kB]
Get:2 http://deb.debian.org/debian buster InRelease [122 kB]
Get:3 http://deb.debian.org/debian buster-updates InRelease [49.3 kB]
Get:4 http://security.debian.org/debian-security buster/updates/main amd64 Packages [187 kB]
Get:5 http://deb.debian.org/debian buster/main amd64 Packages [7907 kB]
Get:6 http://deb.debian.org/debian buster-updates/main amd64 Packages [7380 B]
Fetched 8338 kB in 2s (4239 kB/s)
Reading package lists... Done
Building dependency tree
Reading state information... Done
3 packages can be upgraded. Run 'apt list --upgradable' to see them.
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages will be upgraded:
  libssl-dev libssl1.1 openssl
3 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 4176 kB of archives.
After this operation, 1024 B of additional disk space will be used.
```
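The comment above rests on one fact about Debian stable: the upstream version string stays fixed (for example `1.1.1d`) while security fixes land in the Debian revision (`-0+deb10uN`), so a scanner that keys on the upstream version reports CVEs the release has already patched. The right check is to compare the installed package version against the `fixed_version` the Debian security tracker records for that release, using dpkg's own ordering rules. The following is an added example written for this page, not code from docker-library, the issue author or the maintainers. It implements dpkg's version comparison (`deb-version(7)`; `dpkg --compare-versions` is the reference if you want to cross-check) and triages a package list against tracker-style data. `SAMPLE_TRACKER` is constructed data in the shape of https://security-tracker.debian.org/tracker/data/json with placeholder CVE IDs and versions, not real advisories, and `SAMPLE_DPKG_QUERY` is constructed `dpkg-query` output; in real use you would run `dpkg-query -W -f='${Package} ${source:Package} ${Version}\n'` inside the image and download the tracker JSON.

```python
"""Triage scanner CVE hits against Debian's backport versioning (added example,
not docker-library code). Debian stable keeps the upstream version (1.1.1d) and
ships fixes in the Debian revision (-0+deb10uN), so a scanner keyed on the
upstream version flags CVEs the release already fixed. The real test is
installed >= fixed_version for that release in the Debian security tracker.
SAMPLE_TRACKER is CONSTRUCTED data shaped like the tracker JSON; IDs are fake.
"""


def _order(c: str) -> int:
    """dpkg character weight: '~' sorts before everything (even end of string,
    which is 0), digits are 0 (handled separately), letters by code point,
    other punctuation after all letters."""
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256


def _verrevcmp(a: str, b: str) -> int:
    """Compare version fragments as dpkg does: alternate non-digit runs (by
    _order) and digit runs (numerically, leading zeros ignored)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit():
            return 1  # a has more digits, so it is the larger number
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def dpkg_compare(a: str, b: str) -> int:
    """Order a against b (-1, 0, 1) like `dpkg --compare-versions`, parsing
    '[epoch:]upstream[-revision]' per deb-version(7)."""
    def split(v: str) -> tuple:
        head, sep, tail = v.partition(":")  # epoch is before the first colon
        epoch, rest = (int(head), tail) if sep else (0, head)
        upstream, sep, revision = rest.rpartition("-")  # revision after last '-'
        if not sep:
            upstream, revision = rest, ""
        return epoch, upstream, revision
    ea, ua, ra = split(a)
    eb, ub, rb = split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return -1 if r < 0 else 1
    return 0


def parse_dpkg_query(output: str) -> dict:
    r"""Parse `dpkg-query -W -f='${Package} ${source:Package} ${Version}\n'`
    into {binary: (source, version)}; the tracker is keyed by source package."""
    rows = (line.split() for line in output.splitlines())
    return {p[0]: (p[1], p[2]) for p in rows if len(p) == 3}


def open_cves(source: str, installed: str, release: str, tracker: dict) -> list:
    """CVEs still affecting `installed` in `release`: unresolved in the tracker,
    or fixed only in a newer version. fixed_version <= installed means the
    scanner hit is a false positive for this image."""
    hits = []
    for cve, info in tracker.get(source, {}).items():
        rel = info.get("releases", {}).get(release)
        if rel is None:
            continue  # not tracked for this release
        fixed = rel.get("fixed_version")
        if rel.get("status") != "resolved" or fixed is None or dpkg_compare(installed, fixed) < 0:
            hits.append(cve)
    return sorted(hits)


def triage(dpkg_output: str, release: str, tracker: dict) -> dict:
    """Map each installed binary package to the CVEs that still apply to it."""
    return {pkg: open_cves(src, ver, release, tracker)
            for pkg, (src, ver) in parse_dpkg_query(dpkg_output).items()}


# CONSTRUCTED tracker data: placeholder CVE IDs and fixed versions, not real ones.
SAMPLE_TRACKER = {"openssl": {
    "CVE-0000-0001": {"releases": {"buster": {"status": "resolved", "fixed_version": "1.1.1d-0+deb10u6"}}},
    "CVE-0000-0002": {"releases": {"buster": {"status": "resolved", "fixed_version": "1.1.1d-0+deb10u8"}}},
    "CVE-0000-0003": {"releases": {"buster": {"status": "open"}}},
}}

# CONSTRUCTED dpkg-query output as it might look inside a buster-based image.
SAMPLE_DPKG_QUERY = """\
libssl1.1 openssl 1.1.1d-0+deb10u7
openssl openssl 1.1.1d-0+deb10u7
zlib1g zlib 1:1.2.11.dfsg-1
"""
```

With the sample data, `triage(SAMPLE_DPKG_QUERY, "buster", SAMPLE_TRACKER)` reports only the second and third placeholder CVEs for the OpenSSL packages: the first is already covered by `-0+deb10u7`, even though that version compares lower than any upstream `1.1.1k`. That gap between upstream and Debian revision ordering is exactly what a version-matching scanner gets wrong; note that the tracker is keyed by source package, which is why the `${source:Package}` field is carried through.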
Yep, Debian was updated in docker-library/official-images#7858, Alpine in docker-library/official-images#7867, and Ubuntu in docker-library/official-images#7865, so at this point it's just a matter of waiting for the queue to process through all the downstream builds.
We are using the ruby:2.7-slim-buster image as a base.
We don't install anything on top of the ruby image but add some layers to implement a non-root user.
When I run a vulnerability scan against ruby:2.7-slim-buster, as well as against my built image with ruby as the base, I get several critical CVEs.
To rule out the CVEs coming from the OS docker image, I have pulled down the latest debian:buster-slim and run a vulnerability scan against it.
I had a quick look at the Dockerfile for ruby:2.7-slim-buster and there are a lot of additional packages that get installed. I have tried removing the additional packages that are used to compile Ruby, but the vulnerabilities are still the same.
I've attached the results from both.