This repository has been archived by the owner on Oct 18, 2022. It is now read-only.

Docker image has vulnerabilities #95

Closed
kulprasanna opened this issue Aug 24, 2017 · 10 comments

Comments

@kulprasanna

Hi,
Our client is buying a product implemented on Docker containers. It uses Ubuntu's official Docker images. Our infra org is not allowing the product because the image has vulnerabilities.
I see that the vulnerabilities are in packages such as ncurses. We are not using ncurses. How could we remove those vulnerabilities? Please help.

@graingert

```sh
apt-get remove ncurses
```

@kulprasanna
Author

@graingert Thank you. Just to be clear, since I am a bit new to this world: I would take the Dockerfile (https://github.com/tianon/docker-brew-ubuntu-core/blob/a2573609340194bf33712c1fa2dc4de8f9b70ca2/zesty/Dockerfile) of the ubuntu 17.0.4 image and add an apt-get remove ncurses command. Is this correct?

```dockerfile
FROM scratch
ADD ubuntu-zesty-core-cloudimg-amd64-root.tar.gz /
# -y: a docker build has no terminal to answer apt-get's confirmation prompt
RUN apt-get remove -y ncurses
```

@graingert

No, do

```dockerfile
FROM ubuntu:zesty
# -y: a docker build has no terminal to answer apt-get's confirmation prompt
RUN apt-get remove -y ncurses
```

But I'm not sure if that will leave you with a working Ubuntu

@kulprasanna
Author

Sure. But there are critical vulnerabilities listed below in Docker Hub scans, and our infra org would not allow us to install the image with critical vulnerabilities.

```text
ncurses 6.0+20160625-1ubuntu1
MIT-like:Permissive License
CVE-2017-10684
CVE-2017-10685
CVE-2017-11112
CVE-2017-11113
```

@graingert

Yeah, so you remove ncurses from the image in a new layer.

@kulprasanna
Author

Do you think Docker Hub will still report the vulnerabilities, since they existed in the first layer?

@graingert

Who cares? You know there are no vulnerabilities because you just uninstalled them. You're misinterpreting your tools if you think you shouldn't use an image you know is secure.

@kulprasanna
Author

I agree. Thanks again. I will work on it and convince the security org.

@tianon
Owner

tianon commented Aug 24, 2017

As has been pointed out to you at least three times now (https://twitter.com/kulprasanna/status/900389125710385152, #90 (comment), and now here), this is not an actionable issue -- unless package updates are provided, there's nothing we can do.

A few more useful questions would include:

  • Are the reported vulnerabilities meaningful, especially for how the image is used?
  • Is there a fix available from upstream?
  • Is there a fix available from the distribution who provided the package?

The situation is a highly nuanced one, and just knowing that ABC image contains packages or binaries which are "vulnerable" to CVEs X, Y, and Z is often simply noise. If there are updated packages available, this image will be updated.

In the future, requests for help would be better suited to the Docker Community Forums, the Docker Community Slack, or Stack Overflow. GitHub issues should be reserved for (fixable) problems with the image itself, and requests to the personal Twitter accounts of image maintainers are certainly out of place. Additionally, if your organization requires professional assistance, there are a number of Authorized Docker Partners who should be able to help. Thanks!
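The three questions above can be answered mechanically before a scanner report is escalated. This is an added example, not code from this repository: every input is constructed (the scanner finding pasted in this thread, a stand-in for a `dpkg-query` listing taken from the final image, and a placeholder fixed-version table in place of a real distribution security tracker).

```python
# Added example, not code from this repository. All inputs are constructed.
# Scanner findings as pasted in this thread: (source package, version, CVEs).
SCAN_REPORT = [
    ("ncurses", "6.0+20160625-1ubuntu1",
     ["CVE-2017-10684", "CVE-2017-10685", "CVE-2017-11112", "CVE-2017-11113"]),
    ("example-pkg", "1.0-1", ["CVE-0000-00000"]),  # placeholder finding
]
# Constructed stand-in for the output of, run inside the final image:
#   dpkg-query -W -f '${source:Package} ${Package} ${Version}\n'
# Scanners report the source package ("ncurses"); what is installed are
# binary packages built from it, and a library other packages depend on
# (libtinfo5 here) survives an `apt-get remove` of the others.
DPKG_LISTING = """\
example-pkg example-pkg 1.0-1
ncurses libtinfo5 6.0+20160625-1ubuntu1
"""
# Constructed placeholder for a distribution security tracker:
# CVE -> version that fixes it; absent means no fixed package yet.
FIXED_IN = {"CVE-0000-00000": "1.0-2"}


def installed_by_source(dpkg_listing):
    """Map source package name -> [(binary package, version), ...]."""
    out = {}
    for line in dpkg_listing.splitlines():
        if line.strip():
            src, binary, version = line.split()
            out.setdefault(src, []).append((binary, version))
    return out


def triage(scan_report, dpkg_listing, fixed_in):
    """Answer the three questions per CVE; returns {cve: verdict string}."""
    installed = installed_by_source(dpkg_listing)
    verdict = {}
    for source, _version, cves in scan_report:
        binaries = installed.get(source, [])
        for cve in cves:
            if not binaries:
                verdict[cve] = "not installed in final image: report is noise"
            elif cve in fixed_in:
                verdict[cve] = f"fix available: upgrade {source} to {fixed_in[cve]}"
            else:
                names = ", ".join(b for b, _ in binaries)
                verdict[cve] = f"no distro fix yet; still present via {names}: assess exposure"
    return verdict


if __name__ == "__main__":
    for cve, v in sorted(triage(SCAN_REPORT, DPKG_LISTING, FIXED_IN).items()):
        print(cve, "->", v)
```

In the constructed listing the ncurses CVEs stay "present" through libtinfo5 even after the removal layer, which is the case to check before telling an infra team the finding is gone.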

@tianon tianon closed this as completed Aug 24, 2017
@kulprasanna
Author

@tianon thank you. This is very helpful.
