aspnet / aspnet-docker

[Archived] ASP.NET Core Docker images for 1.x. Go to https://github.com/dotnet/dotnet-docker for 2.1 and up.
https://asp.net

2.0-jessie image got critical vulnerable during docker hub security scan #344

Closed wsun4ipipeline closed 6 years ago

wsun4ipipeline commented 6 years ago

Steps to reproduce the issue

1. Push the docker image microsoft/aspnetcore:2.0.4-jessie to hub.docker.
2. Check the tag tab for the security scan result after a couple of hours, when the result is available.

Expected behavior

No critical vulnerabilities

Actual behavior

20 of 239 components are vulnerable

Output of docker hub security scan

ADD file:1dd78a123212...c3c92b63b73d8d1 in /
Compressed size: 50.2MB

13 vulnerable components

/bin/sh -c apt-get up... /var/lib/apt/lists/*
Compressed size: 17.7MB

6 vulnerable components

/bin/sh -c for versio...tore.tar.gz; done
Compressed size: 32.8MB

1 vulnerable component

natemcmaster commented 6 years ago

cc @MichaelSimons ideas?

wsun4ipipeline commented 6 years ago

And I tried scanning 2.0.4-stretch too; it also has 27 vulnerable components.

ADD file:eb2519421c97...4d2ddb7de69e52a in /
Compressed size: 43.0MB
13 vulnerable components

/bin/sh -c apt-get up... /var/lib/apt/lists/*
Compressed size: 21.8MB
13 vulnerable components

/bin/sh -c for versio...tore.tar.gz; done
Compressed size: 32.8MB
1 vulnerable component

If those Unix components are not used by the ASP.NET Core framework, could you build a 'clean version' by removing them, and let end users install them in their Dockerfile if they need them?

MichaelSimons commented 6 years ago

@wsun4ipipeline - would you move this issue to the dotnet/dotnet-docker repo? The vulnerabilities reside in the base layers of the aspnetcore images - e.g. microsoft/dotnet and the base OS.
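To make the layer attribution in this reply concrete, here is an added Python example (not part of the issue or of the aspnet-docker project) that parses the Docker Hub scan output quoted above and totals vulnerable components per layer owner. The mapping of layer commands to owners (OS base image, OS packages, framework layer) is an assumption for illustration, not something the scanner reports.

```python
import re

# Layer lines from the Docker Hub scan of microsoft/aspnetcore:2.0.4-jessie,
# as quoted in the issue (constructed sample input for this example).
JESSIE_SCAN = """\
ADD file:1dd78a123212...c3c92b63b73d8d1 in /
Compressed size: 50.2MB
13 vulnerable components
/bin/sh -c apt-get up... /var/lib/apt/lists/*
Compressed size: 17.7MB
6 vulnerable components
/bin/sh -c for versio...tore.tar.gz; done
Compressed size: 32.8MB
1 vulnerable component
"""

SIZE_RE = re.compile(r"^Compressed size: (\S+)$")
VULN_RE = re.compile(r"^(\d+) vulnerable component")

def layer_owner(cmd):
    # Assumed mapping: root-filesystem ADD = OS base image, apt-get = OS
    # packages, the runtime download loop = the dotnet/aspnetcore layer.
    if cmd.startswith("ADD file:"):
        return "base-os"
    if "apt-get" in cmd:
        return "os-packages"
    return "framework"

def parse_scan(text):
    """Return (command, compressed_size, vulnerable_count, owner) per layer."""
    layers, cmd, size = [], None, None
    # A line that is neither a size line nor a count line starts a new layer.
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := SIZE_RE.match(line):
            size = m.group(1)
        elif m := VULN_RE.match(line):
            layers.append((cmd, size, int(m.group(1)), layer_owner(cmd)))
            cmd, size = None, None
        else:
            cmd = line
    return layers

def summarize(layers):
    """Total vulnerable components per layer owner, plus the overall total."""
    totals = {}
    for _, _, count, owner in layers:
        totals[owner] = totals.get(owner, 0) + count
    totals["total"] = sum(count for _, _, count, _ in layers)
    return totals

if __name__ == "__main__":
    print(summarize(parse_scan(JESSIE_SCAN)))  # {'base-os': 13, 'os-packages': 6, 'framework': 1, 'total': 20}
```

Run against the jessie output, 19 of the 20 findings land in layers inherited from the base images, which is why the fix has to happen in dotnet/dotnet-docker or the OS image rather than in this repo.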

natemcmaster commented 6 years ago

This issue was moved to dotnet/dotnet-docker#353