RocketChat / Docker.Official.Image

Docker hub - community managed image

Security Scan. Critical Issues in used base image #175

Open timomayer opened 1 year ago

timomayer commented 1 year ago

We do automated security scans in our k8s cluster, and the rocket.chat Docker image throws critical security issues coming from vulnerable packages used in the underlying base Linux image (Debian). This is also the case for the latest builds (6 days ago), rocket.chat image 4.8.6.

One example: Debian's dpkg is installed in version 1.20.9, which is vulnerable and fixed in version 1.20.10.

devops-d4 commented 1 year ago

The actual trivy report of the rocket.chat image lists 5 critical and 47 high vulnerabilities.

https://trivy.dev/results/?image=rocket.chat:latest

Some can be easily fixed. Others may not be exploitable. I would like to suggest that rocket.chat fixes the solvable problems. For vulnerabilities that cannot be exploited, rocket.chat could provide a CVE whitelist.

devops-d4 commented 1 year ago

I would like to suggest that a multistage build (https://docs.docker.com/build/building/multi-stage/) be used instead, or at least that the build dependencies that are not needed (e.g. g++, make) are deleted from the image in a cleanup step. In a further iteration, a secure image could be switched to an Alpine-based image. But step by step. Surely the change to the newest base image and the deletion of unneeded build dependencies from the image would be very helpful.

Both (multistage builds and deleting unneeded packages) are also recommended in the Docker image best practices: https://docs.docker.com/develop/develop-images/dockerfile_best-practices/
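The two fixes suggested above (a multistage build so the compiler toolchain never lands in the shipped image, and an up-to-date base layer) look like this in a Dockerfile. This is an added illustration for a generic Node.js service, not Rocket.Chat's own Dockerfile or build layout; the base tag `node:lts-bullseye-slim`, the `npm run build` script, the `dist/` output directory and the `dist/main.js` entry point are assumptions chosen only to make the pattern concrete.

```dockerfile
# syntax=docker/dockerfile:1
# Added example (not the Rocket.Chat project's Dockerfile). Assumed layout:
# a Node.js app whose "npm run build" emits ./dist with dist/main.js as entry.

# --- Stage 1: build -------------------------------------------------------
# Everything installed here (g++, make, python3 for native add-ons) stays in
# this throw-away stage and never appears in the final image.
FROM node:lts-bullseye-slim AS builder
RUN apt-get update \
 && apt-get install -y --no-install-recommends g++ make python3 \
 && rm -rf /var/lib/apt/lists/*
WORKDIR /build
COPY package.json package-lock.json ./
COPY . .
# Install all deps (build needs dev deps), build, then drop dev deps so only
# runtime modules are copied into the final stage.
RUN npm ci \
 && npm run build \
 && npm prune --omit=dev

# --- Stage 2: runtime -----------------------------------------------------
# Fresh base layer: no toolchain, and Debian security updates applied so
# findings like the dpkg version from the issue are picked up at build time.
FROM node:lts-bullseye-slim
RUN apt-get update \
 && apt-get upgrade -y --no-install-recommends \
 && rm -rf /var/lib/apt/lists/*
WORKDIR /app
# Copy only the built artefacts, owned by the unprivileged "node" user that
# the official node image already provides.
COPY --from=builder --chown=node:node /build/dist ./dist
COPY --from=builder --chown=node:node /build/node_modules ./node_modules
COPY --from=builder --chown=node:node /build/package.json ./
USER node
EXPOSE 3000
CMD ["node", "dist/main.js"]
```

The check is the same scan the thread already uses: rebuild and run `trivy image --severity HIGH,CRITICAL <image:tag>` against the result. Findings attributable to g++/make and their dependencies should disappear entirely, and OS-package findings should drop to whatever is still unfixed in the Debian archive at build time; those that remain can be recorded one CVE ID per line in a `.trivyignore` file (passed with `--ignorefile`) to implement the whitelist proposed above, each entry kept next to a short justification in review.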

devops-d4 commented 1 year ago

I did some research and saw that there is another repo on Docker Hub (https://hub.docker.com/r/rocketchat/rocket.chat). There, other base images are used, and there are also newer versions. But there are also some vulnerabilities found (4 critical and 29 high for rocket.chat:5.3.4-alpine, and 9 critical and 49 high for rocket.chat:5.3.4). It is currently not clear to me why this repo here (Docker.Official.Image) is not updated anymore.