Open GeorgianaElena opened 7 months ago
I think this isn't something we should commit work towards, it may give a false sense of security if we say we keep their user environments secure by scanning and/or attempting to patch them before they are used - it's an impossible task.
I'd like to close this as a "wont fix".
I think there are related things we could do:
I think anything we do in this space needs to be very tightly scoped and clearly specified though, and I'd favor not committing to anything but instead actually showing up doing things as we already do where we manage - like securing communities from the critical vulnerability in jupyter-server-proxy.
The Freshdesk ticket link
https://2i2c.freshdesk.com/a/tickets/1495
Ticket request type
Feature Request
Ticket impact
🟧 High
Short ticket description
Implement a check for known vulnerabilities and prohibit running (or require admin approval to run) from images that contain known vulnerabilities.
(Optional) Investigation results
For the recent jupyter-server-proxy vulnerability we are temporarily attempting to patch it on server startup https://github.com/2i2c-org/infrastructure/blob/dab06b9fa79cab504aa80f7fc4d32b3d96d7e393/helm-charts/basehub/values.yaml#L301
Actions