Azure / azure-functions-docker

This repo contains the base Docker images for working with Azure Functions
MIT License
258 stars 117 forks

Security risks reported by scan for debian #898

Open morevishal64 opened 1 year ago

morevishal64 commented 1 year ago

We have performed a Black Duck scan on mcr.microsoft.com/azure-functions/python:4-python3.10; it reported the 3 high security risks below with Debian. Please check and help to resolve these risks:

  1. Common Unix Printing System (CUPS) 1.2.7
  2. Linux Kernel 5.10.140
  3. Linux Kernel 5.10.149 image

bhagyshricompany commented 1 year ago

We are investigating this, but you can try the options below. The security risks you mentioned are related to the Debian packages used in the mcr.microsoft.com/azure-functions/python:4-python3.10 image. To address these risks, you have a few options:

Keep the base image up to date: Check if there are newer versions of the mcr.microsoft.com/azure-functions/python image available that address these security vulnerabilities. Microsoft regularly updates their base images to include the latest security patches and fixes. You can pull the latest version of the image and rebuild your application using that.

Apply security patches: If updating the base image is not feasible, you can manually patch the specific packages mentioned in the security report. For example, you can use the apt package manager to update the CUPS package and the Linux kernel packages to their latest versions. You can run the following commands in your Dockerfile:

Dockerfile:

```Dockerfile
FROM mcr.microsoft.com/azure-functions/python:4-python3.10
# Refresh the package index, then install CUPS and upgrade the kernel packages named in the scan
RUN apt-get update && apt-get install -y cups
RUN apt-get update && apt-get upgrade -y linux-image-5.10.140 linux-image-5.10.149
```

This will install the latest version of CUPS and upgrade the Linux kernel packages to the specified versions.

Use alternative base images: If you're concerned about the security risks associated with the base image, you can consider using alternative base images that are regularly updated and maintained by the community. For example, you can use the official Python Docker images provided by the Python Software Foundation (python:), which are frequently updated and include security patches.

It's important to regularly monitor and update your Docker images to address any security vulnerabilities. Additionally, consider implementing other security best practices, such as using minimal and purpose-specific images, following the principle of least privilege, and regularly scanning and monitoring your containerized applications for security risks.

morevishal64 commented 1 year ago

We have tried the options below:

  1. Used the latest available base image and also tried the images below:
    • mcr.microsoft.com/azure-functions/python:4-python3.10
    • mcr.microsoft.com/azure-functions/python:4-python3.10-slim
    • mcr.microsoft.com/azure-functions/python:4-nightly-python3.10
  2. Applied security patches as suggested, but due to some (proxy security) reasons we are unable to perform apt-get update, so this option is not suitable.
  3. Tried alternative base images from Docker Hub instead of MCR.

None of the above options worked.

bhagyshricompany commented 1 year ago
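
Before patching (or giving up on patching because apt-get update is blocked), a practitioner would first check which Debian package the scanner actually matched. The added example below is not code from this repository or from either commenter. It reads a dpkg status file (the real one lives at /var/lib/dpkg/status inside the image) and reports, for each scanner component, the first candidate package that is really installed. The sample status excerpt is constructed for offline use, the component-to-package mapping is this example's own assumption about how scanners fingerprint Debian images, and the proxy URL is a placeholder. Two facts the check relies on: a container image ships no running kernel (the container uses the host's), so a "Linux Kernel" version string found inside a Debian image typically comes from a userspace package such as linux-libc-dev, which carries the kernel source version in its Version field and cannot be "upgraded" into a patched kernel; and apt reads Acquire::http::Proxy / Acquire::https::Proxy from /etc/apt/apt.conf.d/, which is how apt-get update is usually made to work behind an egress proxy.

```shell
#!/bin/sh
# Added example (not the azure-functions-docker project's code): triage an
# image scanner's Debian findings against what dpkg says is installed, and
# render the apt proxy stanza needed when apt-get update sits behind a proxy.
set -eu

# Constructed excerpt in /var/lib/dpkg/status format. It is NOT taken from
# the real azure-functions image; against a real image you would read the
# actual file, e.g.  docker run --rm IMAGE cat /var/lib/dpkg/status
SAMPLE_STATUS=$(cat <<'EOF'
Package: libcups2
Status: install ok installed
Section: libs
Version: 2.3.3op2-3+deb11u2

Package: cups
Status: deinstall ok config-files
Version: 2.3.3op2-3+deb11u2

Package: linux-libc-dev
Status: install ok installed
Section: devel
Version: 5.10.149-2
EOF
)

# installed_version STATUS_TEXT PACKAGE
# Prints the Version of PACKAGE when its Status line ends in " installed";
# prints nothing otherwise (config-files-only leftovers do not count).
installed_version() {
  printf '%s\n' "$1" | awk -v pkg="$2" '
    BEGIN { RS = ""; FS = "\n" }            # one dpkg stanza per record
    {
      name = ""; ver = ""; inst = 0
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^Package: /) name = substr($i, 10)
        if ($i ~ /^Version: /) ver = substr($i, 10)
        if ($i ~ /^Status: .* installed$/) inst = 1
      }
      if (name == pkg && inst) print ver
    }'
}

# triage_finding STATUS_TEXT COMPONENT
# Maps a scanner component name to the Debian packages that usually carry
# that version string (the mapping is this example's assumption) and reports
# the first candidate actually installed. A "Linux Kernel" hit that resolves
# only to linux-libc-dev is a userspace header package, not a kernel you can
# patch inside the image: the container runs on the host's kernel.
triage_finding() {
  status_text=$1
  case "$2" in
    *CUPS*|*cups*)   candidates="cups cups-daemon libcups2" ;;
    *Linux*Kernel*)  candidates="linux-image-amd64 linux-image-arm64 linux-libc-dev" ;;
    *)               echo "unmapped"; return 0 ;;
  esac
  for pkg in $candidates; do
    ver=$(installed_version "$status_text" "$pkg")
    [ -n "$ver" ] || continue
    case "$pkg" in
      linux-libc-dev) echo "headers-only:$pkg=$ver" ;;
      linux-image-*)  echo "kernel-package:$pkg=$ver" ;;
      *)              echo "installed:$pkg=$ver" ;;
    esac
    return 0
  done
  echo "not-installed"
}

# apt_proxy_conf PROXY_URL
# Prints the /etc/apt/apt.conf.d/ stanza that lets apt-get update reach the
# Debian mirrors through an egress proxy. PROXY_URL is a placeholder.
apt_proxy_conf() {
  printf 'Acquire::http::Proxy "%s";\nAcquire::https::Proxy "%s";\n' "$1" "$1"
}

# Walk the three findings from the scan report against the constructed data.
for finding in "Common Unix Printing System (CUPS) 1.2.7" \
               "Linux Kernel 5.10.140" "Linux Kernel 5.10.149"; do
  printf '%-42s -> %s\n' "$finding" "$(triage_finding "$SAMPLE_STATUS" "$finding")"
done
apt_proxy_conf "http://proxy.example.internal:3128"
```

Run it inside the image with `docker run --rm IMAGE sh` and `SAMPLE_STATUS=$(cat /var/lib/dpkg/status)` to replace the constructed data; a result of `headers-only:...` for a kernel finding means the fix is to accept or suppress the finding, not to run apt-get upgrade, while `installed:libcups2=...` tells you which package the CUPS match really refers to so you can compare its Debian version against the advisory instead of the scanner's guessed upstream version.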

@pragnagopa please comment and validate