
CVE-2020-8130 #347

Closed
gh-skatt opened this issue Jun 4, 2021 · 2 comments
Labels
question Usability question, not directly related to an error with the image

Comments


gh-skatt commented Jun 4, 2021

Please re-build this image so we get the security update for rake, package version '12.3.1-3+deb10u1' (or newer).

```
+---------+------------------+----------+-------------------+---------------+--------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                TITLE                 |
+---------+------------------+----------+-------------------+---------------+--------------------------------------+
| rake    | CVE-2020-8130    | HIGH     | 0.9.6             | 12.3.3        | rake: OS Command Injection           |
|         |                  |          |                   |               | via egrep in Rake::FileList          |
|         |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-8130 |
+---------+------------------+----------+-------------------+---------------+--------------------------------------+
```
@wglambert wglambert added the question Usability question, not directly related to an error with the image label Jun 4, 2021

wglambert commented Jun 4, 2021

```console
$ docker run -it --rm ruby bash
Unable to find image 'ruby:latest' locally
latest: Pulling from library/ruby
d960726af2be: Pull complete
e8d62473a22d: Pull complete
8962bc0fad55: Pull complete
65d943ee54c1: Pull complete
532f6f723709: Pull complete
c405d0102486: Pull complete
6d968b689a19: Pull complete
e7126e1dfb7b: Pull complete
Digest: sha256:9ed07720a7cfcfdff947d998ff2164381542b9049ecae7c15ae7d9757a7e4dfd
Status: Downloaded newer image for ruby:latest

root@d4855498b9dd:/# rake -V
rake, version 13.0.3
```

```console
$ docker run -it --rm ruby:2.5 bash
Unable to find image 'ruby:2.5' locally
2.5: Pulling from library/ruby
d960726af2be: Already exists
e8d62473a22d: Already exists
8962bc0fad55: Already exists
65d943ee54c1: Already exists
532f6f723709: Already exists
c405d0102486: Already exists
8c68e968010d: Pull complete
7d5c89a63834: Pull complete
Digest: sha256:d273723056dda84bda81454eb42743c6c29fdf2c2d4d42bddf8e3dca8bb99aa4
Status: Downloaded newer image for ruby:2.5

root@1b47625fc33c:/# rake -V
rake, version 12.3.3
```

See https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves
And docker-library/openjdk#449 (comment), docker-library/postgres#286 (comment), docker-library/openjdk#161, docker-library/openjdk#112, docker-library/postgres#286, docker-library/drupal#84, docker-library/official-images#2740, #117, #94, docker-library/python#152, docker-library/php#242, docker-library/buildpack-deps#46, docker-library/openjdk#185.

A CVE doesn't imply having an actual vulnerability, and often is even a false positive (given how most distributions handle versioning/security updates in stable releases). If there are actionable items we can resolve, we're happy to do so (and do so actively). We update all Debian based images to include any updates in apt packages at least monthly (we regenerate the base images and then rebuild all dependent images).


tianon commented Jun 4, 2021

It also sounds like you might be installing rake via APT, which in this image will result in two separate versions of Ruby installed, so you probably want to revisit/reconsider that.
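As an added example (not code from this thread or from the docker-library project), a small Ruby triage helper for the points made in the two replies above: it reports which interpreter and which rake the Ruby on PATH actually loads, and compares that version against the 12.3.3 fix while treating a Debian package version such as 12.3.1-3+deb10u1 as "not shown fixed by the upstream number alone". The function names and the FIXED_RAKE constant are my own assumptions.

```ruby
# Added example, not from this thread: triage helper for a scanner hit such as
# "rake 0.9.6, fixed in 12.3.3". Function names and constants are assumptions.
require "rbconfig"
require "rubygems" # for Gem::Version (normally already loaded)

FIXED_RAKE = "12.3.3" # fixed version from the scanner table in the issue

# Split a Debian package version like "1:12.3.1-3+deb10u1" into its upstream
# part ("12.3.1") and Debian revision ("3+deb10u1"); a gem version has no revision.
def split_debian_version(ver)
  upstream, revision = ver.split("-", 2)
  [upstream.sub(/\A\d+:/, ""), revision]
end

# True when the upstream version number is at or above the fixed release.
# A Debian revision (e.g. +deb10u1) can carry a backported fix while the
# upstream number stays below FIXED_RAKE, so false means "not shown fixed by
# the number alone", to be settled against the distribution's security tracker.
def rake_fixed?(ver, fixed = FIXED_RAKE)
  upstream, _revision = split_debian_version(ver)
  Gem::Version.new(upstream) >= Gem::Version.new(fixed)
rescue ArgumentError
  false # unparsable version string: do not report it as fixed
end

# Version of the rake gem that *this* interpreter loads (what `rake -V` in the
# image reports), or nil if no rake is installed for it.
def installed_rake_version
  require "rake/version"
  Rake::VERSION
rescue LoadError
  nil
end

# Which ruby binary runs, which rake it loads, and whether that rake is fixed.
# An APT-installed rake pulls in Debian's /usr/bin/ruby as a second interpreter;
# if the reported ruby is that one, this is the setup tianon suggests revisiting.
def report
  ruby_bin = File.join(RbConfig::CONFIG["bindir"], RbConfig::CONFIG["ruby_install_name"])
  ver = installed_rake_version
  { ruby: ruby_bin, rake: ver, fixed: ver ? rake_fixed?(ver) : false }
end

if $PROGRAM_NAME == __FILE__
  r = report
  puts "ruby:  #{r[:ruby]}"
  puts "rake:  #{r[:rake] || '(none for this interpreter)'}"
  puts "fixed: #{r[:fixed]}"
end
```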
