bitnami / minideb

A small image based on Debian designed for use in containers
https://bitnami.com
Apache License 2.0

Medium and Low security vulnerabilities #115

Closed avineer closed 2 years ago

avineer commented 2 years ago

We are using bitnami/minideb:buster image and we get the following medium and low severity security issues.

Medium:

- https://security-tracker.debian.org/tracker/CVE-2020-19499
- https://security-tracker.debian.org/tracker/CVE-2021-3712
- https://security-tracker.debian.org/tracker/CVE-2020-27560
- https://security-tracker.debian.org/tracker/CVE-2020-19498
- https://security-tracker.debian.org/tracker/CVE-2020-27769
- https://security-tracker.debian.org/tracker/CVE-2020-27768
- https://security-tracker.debian.org/tracker/CVE-2020-10251
- https://security-tracker.debian.org/tracker/CVE-2019-12973
- https://security-tracker.debian.org/tracker/CVE-2021-29338
- https://security-tracker.debian.org/tracker/CVE-2020-14155
- https://security-tracker.debian.org/tracker/CVE-2017-16932
- https://security-tracker.debian.org/tracker/CVE-2021-37750

Low:

- https://security-tracker.debian.org/tracker/CVE-2021-37600
- https://security-tracker.debian.org/tracker/CVE-2019-13627

We have a requirement to eliminate medium and low security vulnerabilities. Can you comment on a timeline to address these security vulnerabilities in bitnami/minideb:buster?

carrodher commented 2 years ago

The bitnami/minideb image is built on a daily basis in order to include the latest version of the installed Debian packages. In the DockerHub repo, you can see the release cadence of the different tags.

There are some system packages included in the Debian distro that contain some CVEs without a provided fix, in this case, we can't do anything until there is a new version of the system package with the fix.

You can check this by running a CVE scanner with and without the --ignore-unfixed flag:

$ trivy image bitnami/minideb:buster
2021-12-15T17:37:49.165Z    INFO    Detected OS: debian
2021-12-15T17:37:49.165Z    INFO    Detecting Debian vulnerabilities...
2021-12-15T17:37:49.171Z    INFO    Number of language-specific files: 0

bitnami/minideb:buster (debian 10.11)
=====================================
Total: 106 (UNKNOWN: 0, LOW: 74, MEDIUM: 9, HIGH: 19, CRITICAL: 4)

$ trivy image --ignore-unfixed bitnami/minideb:buster
2021-12-15T17:38:27.995Z    INFO    Detected OS: debian
2021-12-15T17:38:27.995Z    INFO    Detecting Debian vulnerabilities...
2021-12-15T17:38:28.001Z    INFO    Number of language-specific files: 0

bitnami/minideb:buster (debian 10.11)
=====================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

As you can see, when using the --ignore-unfixed flag, there are no CVEs reported. In the above example I'm using Trivy as the scanner, but the same result should appear using any other scanner.
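The two Trivy runs above differ only in whether findings without a Debian fix are counted. When a policy such as "no medium or low CVEs" has to be enforced in CI, it helps to make that split explicit rather than relying on a flag: fixable findings fail the build, unfixed ones go on a watch list. The script below is an added example, not code from the minideb project or from Trivy. It reads a report in the JSON layout that `trivy image -f json` produces (top-level `Results`, each with a `Vulnerabilities` list whose entries carry `VulnerabilityID`, `PkgName`, `InstalledVersion`, `Severity` and, only when a fix exists, `FixedVersion`). The embedded report is constructed sample data: the CVE ids are the ones from this issue, but the package names, versions and which entries have a fix are illustrative and do not reflect the real Debian status.

```python
"""Split a Trivy JSON report into fixable and unfixed findings (added example)."""
import json
from collections import Counter

# Trivy's severity names, in the order its summary line prints them.
SEVERITIES = ("UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL")

# Constructed sample in the layout of `trivy image -f json <image>`.
# CVE ids come from the issue; package names, versions and fix status are
# illustrative, not the real Debian data.
SAMPLE_REPORT = json.dumps({
    "Results": [{
        "Target": "bitnami/minideb:buster (debian 10.11)",
        "Class": "os-pkgs",
        "Type": "debian",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2021-3712", "PkgName": "libssl1.1",
             "InstalledVersion": "1.1.1d-0+deb10u6",
             "FixedVersion": "1.1.1d-0+deb10u7", "Severity": "MEDIUM"},
            # No FixedVersion key at all: Debian has not shipped a fix.
            {"VulnerabilityID": "CVE-2020-14155", "PkgName": "libpcre3",
             "InstalledVersion": "2:8.39-12", "Severity": "MEDIUM"},
            # Empty FixedVersion: Trivy also uses this for "no fix yet".
            {"VulnerabilityID": "CVE-2019-12973", "PkgName": "libopenjp2-7",
             "InstalledVersion": "2.3.0-2", "FixedVersion": "", "Severity": "MEDIUM"},
            {"VulnerabilityID": "CVE-2021-37600", "PkgName": "util-linux",
             "InstalledVersion": "2.33.1-0.1", "Severity": "LOW"},
            {"VulnerabilityID": "CVE-2019-13627", "PkgName": "libgcrypt20",
             "InstalledVersion": "1.8.4-5",
             "FixedVersion": "1.8.4-5+deb10u1", "Severity": "LOW"},
        ],
    }],
})


def load_findings(report_json):
    """Flatten a Trivy JSON report into one list of finding dicts.
    Targets with no Vulnerabilities key (clean results) are skipped."""
    report = json.loads(report_json)
    findings = []
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            findings.append({
                "id": vuln["VulnerabilityID"],
                "pkg": vuln["PkgName"],
                "installed": vuln.get("InstalledVersion", ""),
                # Missing or empty FixedVersion is what --ignore-unfixed drops.
                "fixed": vuln.get("FixedVersion") or None,
                "severity": vuln.get("Severity", "UNKNOWN").upper(),
            })
    return findings


def split_by_fix_status(findings):
    """Return (fixable, unfixed); the first list is the --ignore-unfixed view."""
    fixable = [f for f in findings if f["fixed"]]
    unfixed = [f for f in findings if not f["fixed"]]
    return fixable, unfixed


def severity_summary(findings):
    """Counts per severity in Trivy's order, zero-filled for absent levels."""
    counts = Counter(f["severity"] for f in findings)
    return {sev: counts.get(sev, 0) for sev in SEVERITIES}


def format_summary(findings):
    """Render the same 'Total: N (...)' line that Trivy prints."""
    summary = severity_summary(findings)
    parts = ", ".join(f"{sev}: {n}" for sev, n in summary.items())
    return f"Total: {len(findings)} ({parts})"


def policy_violations(findings, min_severity="LOW"):
    """Findings that fail an 'eliminate min_severity and above' requirement.
    Only fixable findings count: an unfixed CVE cannot be removed by
    rebuilding the image, so it belongs on a watch list, not a fail gate."""
    threshold = SEVERITIES.index(min_severity)
    fixable, _ = split_by_fix_status(findings)
    return [f for f in fixable if SEVERITIES.index(f["severity"]) >= threshold]


if __name__ == "__main__":
    all_findings = load_findings(SAMPLE_REPORT)
    fixable, unfixed = split_by_fix_status(all_findings)
    print("all:         ", format_summary(all_findings))
    print("fixable only:", format_summary(fixable))
    for f in policy_violations(all_findings, "LOW"):
        print(f"FIX NOW  {f['id']} {f['pkg']} {f['installed']} -> {f['fixed']} ({f['severity']})")
    for f in unfixed:
        print(f"WAITING  {f['id']} {f['pkg']} {f['installed']} (no Debian fix yet, {f['severity']})")
```

In a pipeline you would feed it a real report (`trivy image -f json bitnami/minideb:buster > report.json`) and fail the job only when `policy_violations` is non-empty; the `WAITING` list is then the set to re-check after the next daily rebuild, since it is exactly what the rebuild cannot change until Debian publishes a fixed package.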