ECR image scanning criticals for latest image #472
Comments
And docker-library/postgres#286 (comment), docker-library/openjdk#161, docker-library/openjdk#112, docker-library/postgres#286, docker-library/drupal#84, docker-library/official-images#2740, docker-library/ruby#117, docker-library/ruby#94, docker-library/python#152, docker-library/php#242, docker-library/buildpack-deps#46, docker-library/openjdk#185.

A CVE doesn't imply having an actual vulnerability, and often is even a false positive (given how most distributions handle versioning/security updates in stable releases). If there are actionable items we can resolve, we're happy to do so (and do so actively). We update all Debian-based images to include any updates in apt packages at least monthly (we regenerate the base images and then rebuild all dependent images).

https://security-tracker.debian.org/tracker/CVE-2019-19813
https://security-tracker.debian.org/tracker/CVE-2019-19816
https://security-tracker.debian.org/tracker/CVE-2019-19814
https://security-tracker.debian.org/tracker/CVE-2019-5482
https://security-tracker.debian.org/tracker/CVE-2019-19815
https://security-tracker.debian.org/tracker/CVE-2013-7445
https://security-tracker.debian.org/tracker/CVE-2019-19074
Six of the seven vulnerabilities you show in the screenshot are kernel vulnerabilities, and the Docker Official Images never contain a kernel, so those are issues with the scanning host (or scanning software) and not the image. As for the other vulnerability (https://security-tracker.debian.org/tracker/CVE-2019-5482), the current image already has the most up-to-date version of curl:

```console
$ docker run -it --rm wordpress bash
Unable to find image 'wordpress:latest' locally
latest: Pulling from library/wordpress
68ced04f60ab: Pull complete
1d2a5d8fa585: Pull complete
5d59ec4ae241: Pull complete
d42331ef4d44: Pull complete
408b7b7ee112: Pull complete
570cd47896d5: Pull complete
2419413b2a16: Pull complete
8c722e1dceb9: Pull complete
34fb68439fc4: Pull complete
e775bf0f756d: Pull complete
b1949a1e9661: Pull complete
6ed8bcec42ae: Pull complete
f6247da7d55f: Pull complete
a090bafe99ea: Pull complete
1499724c614a: Pull complete
838e071223d3: Pull complete
4f3f081f645a: Pull complete
5727cb8d10d6: Pull complete
77e0ad51ba4d: Pull complete
00c188d7a522: Pull complete
0421cc6f1038: Pull complete
Digest: sha256:6e17ef2ddd5ec3a0d4c8e86df409dc702db205330823df70518ce3f192e9b6c7
Status: Downloaded newer image for wordpress:latest
root@d916317a4504:/var/www/html# apt-get update
Get:1 http://deb.debian.org/debian buster InRelease [122 kB]
Get:2 http://security-cdn.debian.org/debian-security buster/updates InRelease [65.4 kB]
Get:3 http://deb.debian.org/debian buster-updates InRelease [49.3 kB]
Get:4 http://deb.debian.org/debian buster/main amd64 Packages [7907 kB]
Get:5 http://security-cdn.debian.org/debian-security buster/updates/main amd64 Packages [181 kB]
Get:6 http://deb.debian.org/debian buster-updates/main amd64 Packages [7380 B]
Fetched 8331 kB in 2s (4177 kB/s)
Reading package lists... Done
root@d916317a4504:/var/www/html# apt-get upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
root@d916317a4504:/var/www/html# apt-get dist-upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
root@d916317a4504:/var/www/html# dpkg -l | grep curl
ii  curl            7.64.0-4+deb10u1  amd64  command line tool for transferring data with URL syntax
ii  libcurl4:amd64  7.64.0-4+deb10u1  amd64  easy-to-use client-side URL transfer library (OpenSSL flavour)
```
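The triage the comment above performs by hand (is the flagged package in the image at all, and if so is the installed version already at or past the distribution's fixed version?) is easy to automate. The following is an added example, not code from the docker-library project or from the comment's author: it ports dpkg's version-ordering rules to Python so that `compare_versions()` agrees with `dpkg --compare-versions`, then applies them to a constructed set of scanner findings. The scanner record format, the extra `libc6` row, the placeholder `CONSTRUCTED-0001` finding and its fixed version are invented for illustration; the fixed version given for CVE-2019-5482 is assumed to equal the installed version, which is what the comment asserts.

```python
"""Triage scanner CVE findings against what is actually installed in an image.

Added example (not docker-library code). The version comparison is a Python
port of dpkg's verrevcmp() and epoch/revision rules; findings and the libc6
row below are constructed sample data.
"""


def _ch(s: str, k: int) -> str:
    """Character k of s, or '' past the end (plays the role of C's NUL)."""
    return s[k] if k < len(s) else ""


def _isdigit(c: str) -> bool:
    return "0" <= c <= "9"  # False for '' as well


def _order(c: str) -> int:
    """dpkg's character weight: digits 0, letters by ASCII, '~' sorts below
    everything including end-of-string, other punctuation above all letters."""
    if _isdigit(c):
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256 if c else 0


def _verrevcmp(a: str, b: str) -> int:
    """Compare one version fragment (upstream part or Debian revision) like dpkg."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: lexical comparison using _order().
        while (_ch(a, i) and not _isdigit(_ch(a, i))) or (_ch(b, j) and not _isdigit(_ch(b, j))):
            ac, bc = _order(_ch(a, i)), _order(_ch(b, j))
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: numeric comparison; leading zeros dropped, longer run wins.
        while _ch(a, i) == "0":
            i += 1
        while _ch(b, j) == "0":
            j += 1
        while _isdigit(_ch(a, i)) and _isdigit(_ch(b, j)):
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if _isdigit(_ch(a, i)):
            return 1
        if _isdigit(_ch(b, j)):
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(v: str):
    """[epoch:]upstream[-revision] -> (epoch, upstream, revision)."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, sep, revision = v.rpartition("-")
    if not sep:
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """-1, 0 or 1, ordered like `dpkg --compare-versions` (epoch, upstream, revision)."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return 1 if ea > eb else -1
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


def parse_dpkg_l(text: str) -> dict:
    """Map installed ('ii') binary package name -> version from `dpkg -l` output."""
    installed = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "ii":
            installed[parts[1].split(":")[0]] = parts[2]  # drop ':amd64' multiarch suffix
    return installed


def triage(findings: list, installed: dict) -> dict:
    """Classify each finding: not-in-image / fixed / actionable / unfixed-upstream."""
    result = {}
    for f in findings:
        present = [installed[p] for p in f["packages"] if p in installed]
        if not present:  # e.g. kernel CVEs: the image ships no kernel package
            result[f["cve"]] = "not-in-image"
        elif f["fixed"] is None:  # distro has no fix yet; a rebuild cannot help
            result[f["cve"]] = "unfixed-upstream"
        elif all(compare_versions(v, f["fixed"]) >= 0 for v in present):
            result[f["cve"]] = "fixed"
        else:
            result[f["cve"]] = "actionable"
    return result


# The two curl rows match the comment above; the libc6 row is constructed.
DPKG_L = """\
ii  curl            7.64.0-4+deb10u1  amd64  command line tool for transferring data with URL syntax
ii  libcurl4:amd64  7.64.0-4+deb10u1  amd64  easy-to-use client-side URL transfer library (OpenSSL flavour)
ii  libc6:amd64     2.28-10           amd64  GNU C Library: Shared libraries
"""

# Constructed scanner records. "packages" = binary packages the CVE is attributed
# to, "fixed" = version the security tracker lists as fixed (None = no fix yet).
# The fixed version for CVE-2019-5482 is assumed equal to the installed one.
FINDINGS = [
    {"cve": "CVE-2019-19813", "packages": ["linux-image-amd64"], "fixed": None},
    {"cve": "CVE-2019-5482", "packages": ["curl", "libcurl4"], "fixed": "7.64.0-4+deb10u1"},
    {"cve": "CONSTRUCTED-0001", "packages": ["libc6"], "fixed": "2.28-10+deb10u1"},
]

if __name__ == "__main__":
    for cve, status in triage(FINDINGS, parse_dpkg_l(DPKG_L)).items():
        print(f"{cve:18} {status}")
```

Only the `actionable` bucket justifies asking for a rebuild; `not-in-image` findings point at the scanning host or at a scanner that attributes host-kernel CVEs to the image, and `unfixed-upstream` ones are tracked by watching the security tracker, since rebuilding the image cannot change them. Real scanners usually report the Debian source package rather than the binary names, so a production version of this needs the source-to-binary mapping (`dpkg-query -W -f '${source:Package} ${binary:Package}\n'`) before the lookup.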
We are planning to use the official image but are seeing the following critical issues on the image. Is there any work being started to resolve these issues?