Define policy for when images get rebuilt to address package security vulnerabilities. #2787

Closed
MichaelSimons opened this issue May 5, 2021 · 3 comments · Fixed by #5129

Comments

@MichaelSimons
Member

If there is a vulnerability in a package included in a .NET layer and there is a package patch available that addresses the CVE, when will the image get rebuilt to pick it up? This should be captured in the Image Update Policy. The image update policy only discusses base image and .NET servicing.

  • We update the supported .NET images within 12 hours of any updates to their base images (e.g. debian:buster-slim, windows/nanoserver:1909, buildpack-deps:bionic-scm, etc.).
  • We publish .NET images as part of releasing new versions of .NET including major/minor and servicing.
@mthalman mthalman moved this to On Deck in .NET Docker Dec 1, 2021
@mthalman mthalman moved this from On Deck to In Progress in .NET Docker Sep 16, 2022
@mthalman mthalman moved this from In Progress to On Deck in .NET Docker Oct 19, 2022
@mthalman mthalman moved this from On Deck to In Progress in .NET Docker Oct 25, 2022
@mthalman mthalman moved this from In Progress to On Deck in .NET Docker Dec 15, 2022
@mthalman mthalman moved this from On Deck to Current Release in .NET Docker May 10, 2023
@mthalman mthalman moved this from Current Release to Post-Release in .NET Docker Aug 16, 2023
@lbussell lbussell moved this from Post-Release to Current Release in .NET Docker Nov 16, 2023
@mthalman
Member

The content in #4842 should be included with this.

@lbussell
Contributor

[Triage] We have something like this in Vulnerability Workflow, but we should have it written down more concretely when precisely we will re-build, and the Vulnerability Workflow should reference it.

@MichaelSimons MichaelSimons added this to the .NET 9 milestone Jan 22, 2024
@MichaelSimons
Member Author

This is a prereq to fixing #1455.

@lbussell lbussell assigned lbussell and unassigned mthalman Jan 23, 2024
@lbussell lbussell moved this from Current Release to Sprint in .NET Docker Jan 23, 2024
@lbussell lbussell moved this from Sprint to In Progress in .NET Docker Jan 23, 2024
@github-project-automation github-project-automation bot moved this from In Progress to Done in .NET Docker Jan 30, 2024