Closed DaleBinghamSoteriaSoft closed 2 years ago
Based on this https://github.com/Cingulara/openrmf-docs/blob/develop/base-container-image/Dockerfile we are using 3.15.0 for the alpine base, and there is a 3.16.1 to test across all the base images and then the resulting final images. https://hub.docker.com/_/alpine?tab=tags
NGINX unprivileged also is at 1.23 so that should be updated https://github.com/Cingulara/openrmf-web/blob/master/Dockerfile
The other non-web non-NGINX containers use something like this https://github.com/Cingulara/openrmf-api-template/blob/develop/Dockerfile with the 1.04.00 base image getting the compiled code. So that has to be updated from above and then redone across all images.
Working these today as well as updates to the latest DISA templates.
alpine 3.16.2 latest base image on all components; NGINX: nginxinc/nginx-unprivileged:1.23-alpine
Closed with https://github.com/Cingulara/openrmf-docs/releases/tag/v1.8.2 latest release based on the super large list. Updated the base images to fix.
Describe the bug
Attached and below are details from a Twistlock scan of the OpenRMF ISS 1.8.1 container. This is a standard part of getting containers approved for deployment in our devsecops pipeline. There's potential for admin/policy mitigation for some, maybe all, but any support from the development team to address the findings is welcomed.
To Reproduce
Scan the containers thoroughly.
Expected behavior
Cleaner scans including OS level information for Debian in the MS containers.
Additional context
It looks like a good chunk of them are duplicative and may be remediated by updating the base container image from debian 9 to debian 9 update 1.
openrmf-twistlock-scan-results.zip
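The fix for this issue was to move every image onto pinned, current base tags (alpine 3.16.2 and nginxinc/nginx-unprivileged:1.23-alpine) and rebuild. As an added example that is not part of the OpenRMF project's own tooling, the POSIX shell check below walks a set of Dockerfiles and reports any FROM line whose tracked base image is not on the expected tag, which is the kind of check a pipeline can run before a scanner like Twistlock does. The expected tags are the ones named in the thread; the three sample Dockerfiles and the `example.invalid/openrmf-base` image name are constructed placeholders.

```shell
# Added example, not OpenRMF project code: report every FROM line in a set of Dockerfiles
# whose base image is not on the tag settled on in this issue. Expected tags are taken from
# the thread; the sample Dockerfiles (and the openrmf-base image name) are constructed.

# expected_tag IMAGE -> the tag we want for IMAGE, empty if the image is not tracked
expected_tag() {
  case "$1" in
    alpine)                       echo "3.16.2" ;;
    nginxinc/nginx-unprivileged)  echo "1.23-alpine" ;;
    *)                            echo "" ;;
  esac
}

# check_dockerfile FILE -> one "FILE:IMAGE:ACTUAL->EXPECTED" line per outdated FROM
check_dockerfile() {
  grep -iE '^[[:space:]]*FROM[[:space:]]' "$1" | while read -r kw rest; do
    # drop --platform flags and "AS stage" aliases, leaving just the image reference
    ref=$(printf '%s\n' "$rest" | sed -E 's/--platform=[^ ]+ //; s/[[:space:]]+[Aa][Ss][[:space:]].*$//')
    last=${ref##*/}                      # final path component, e.g. "alpine:3.16.2"
    case "$last" in
      *@*) continue ;;                             # digest-pinned reference, nothing to compare
      *:*) tag=${last##*:}; image=${ref%:*} ;;     # explicit tag (registry ports sit before the '/')
      *)   tag="latest";    image=$ref ;;          # untagged means a floating "latest"
    esac
    want=$(expected_tag "$image")
    [ -z "$want" ] && continue             # image not tracked by this check
    [ "$tag" = "$want" ] || printf '%s:%s:%s->%s\n' "$1" "$image" "$tag" "$want"
  done
}

# make_samples DIR -> writes three constructed Dockerfiles mirroring the thread's image layout
make_samples() {
  cat > "$1/base.Dockerfile" <<'EOF'
FROM alpine:3.16.2
RUN apk add --no-cache ca-certificates
EOF
  cat > "$1/web.Dockerfile" <<'EOF'
FROM nginxinc/nginx-unprivileged:1.21-alpine
COPY dist/ /usr/share/nginx/html/
EOF
  cat > "$1/api.Dockerfile" <<'EOF'
FROM example.invalid/openrmf-base:1.04.00 AS build
FROM alpine:3.15.0
COPY --from=build /app /app
EOF
}

SAMPLE_DIR=$(mktemp -d)
make_samples "$SAMPLE_DIR"
for f in "$SAMPLE_DIR"/*.Dockerfile; do check_dockerfile "$f"; done
```

Run against the constructed samples it flags the web image (1.21-alpine instead of 1.23-alpine) and the api runtime stage (alpine 3.15.0 instead of 3.16.2), and stays silent for the base image that is already current.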