CircleCI-Public / cimg-gcp

The CircleCI GCP Docker Convenience Image.
https://circleci.com/developer/images/image/cimg/gcp
MIT License

Bug Report: Security vulnerabilities #34

Open nroose opened 1 month ago

nroose commented 1 month ago

Note: We also welcome PRs to fix bugs! This helps us take action faster where a bug has been identified!

For our official CircleCI Docker Convenience Image support policy, please see CircleCI docs.

This policy outlines the release, update, and deprecation policy for CircleCI Docker Convenience Images.


Describe the bug
The image has multiple vulnerabilities, many of which are fixed in the upstream packages and so just a rebuild should fix them. From my count: "critical_fixable":1,"high_fixable":14,"medium_fixable":45

To Reproduce
Scan the image

Expected behavior
The packages to be up to date.

Workarounds
It's costly, but we could run the updates and host our own images.

Screenshots and Build Links
If possible, add screenshots and links to jobs to help explain your problem.

Additional context
We use this image in our CI workflows, and CI is a major point of exploitation.

bjohnso5 commented 3 weeks ago

We've cut a new image tag 2024.08 built against the latest ubuntu 22.04 cimg/base, and with some updated tooling. Please run your scan on that image and see if it closes the vulnerabilities you have reported.
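To make "Scan the image" and the fixable counts above reproducible, here is an added example (not code from this issue thread or from the cimg-gcp project) that tallies fixable findings per severity from a scanner's JSON report and diffs two reports, for instance the previously scanned tag against 2024.08. It assumes a Trivy-style report layout (Results[].Vulnerabilities[] with Severity and FixedVersion) and runs on constructed sample data with placeholder CVE ids.

```python
"""Count fixable vulnerabilities per severity in a Trivy-style JSON report and
diff two reports (old tag vs rebuilt tag). Added example; the report layout
(Results[].Vulnerabilities[] with Severity/FixedVersion) is an assumption."""
import json
from collections import Counter

SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW")

# Constructed sample reports with placeholder CVE ids (not real findings):
# a scan of the old image and a scan of the rebuilt tag.
OLD_REPORT = json.dumps({"Results": [{"Target": "cimg/gcp:old", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample", "Severity": "CRITICAL", "FixedVersion": "1.2.3"},
    {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libexample", "Severity": "HIGH", "FixedVersion": "1.2.3"},
    {"VulnerabilityID": "CVE-0000-0003", "PkgName": "othertool", "Severity": "HIGH", "FixedVersion": ""},
    {"VulnerabilityID": "CVE-0000-0004", "PkgName": "othertool", "Severity": "MEDIUM", "FixedVersion": "4.5"},
]}]})
NEW_REPORT = json.dumps({"Results": [{"Target": "cimg/gcp:2024.08", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0003", "PkgName": "othertool", "Severity": "HIGH", "FixedVersion": ""},
]}]})


def fixable_findings(report_json):
    """Return {(CVE id, package, severity)} for every finding with an upstream fix."""
    report = json.loads(report_json)
    found = set()
    for result in report.get("Results", []):
        # A clean target may omit the key entirely or carry null, hence "or []".
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("FixedVersion"):  # empty/missing means no fix released yet
                found.add((vuln["VulnerabilityID"], vuln["PkgName"], vuln["Severity"].upper()))
    return found


def fixable_counts(report_json):
    """Per-severity counts keyed like the issue text: critical_fixable, high_fixable, ..."""
    counts = Counter(sev for _, _, sev in fixable_findings(report_json))
    return {f"{sev.lower()}_fixable": counts.get(sev, 0) for sev in SEVERITIES}


def compare_reports(old_json, new_json):
    """Fixable findings a rebuild closed, left in place, or newly introduced."""
    old, new = fixable_findings(old_json), fixable_findings(new_json)
    return {"closed": sorted(old - new), "remaining": sorted(old & new), "introduced": sorted(new - old)}


if __name__ == "__main__":
    print(fixable_counts(OLD_REPORT))
    print(compare_reports(OLD_REPORT, NEW_REPORT))
```

Replace the constructed strings with the scanner's real JSON output for the two tags to see which of the reported fixable findings the rebuild actually closed.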