couchbase / docker

Dockerfiles and configuration scripts for the Docker Hub Official Couchbase images

Image vulnerabilities #67

Open damianoneill opened 7 years ago

damianoneill commented 7 years ago

Are there any plans to update the images to remove the vulnerabilities identified here?

https://hub.docker.com/r/library/couchbase/tags/

tleyden commented 7 years ago

Cheers @damianoneill -- I'm not able to see the actual vulnerabilities. Do you happen to know how to get details on this?

damianoneill commented 7 years ago

Hi Traun, if you log in to the hub it's available under the Tag tab; you need to log in to see them (they're only available for official images).

I have attached screenshots showing the summary and details for one of the tags.

couchbase-d

couchbase-v


tleyden commented 7 years ago

I see it now, thanks.

tleyden commented 7 years ago

Not sure why github didn't render the images in the last comment:

couchbase-d

couchbase-v

ceejatec commented 7 years ago

We do have a ticket, although it hasn't yet seen much action: https://issues.couchbase.com/browse/MB-23754

tleyden commented 7 years ago

Cheers @ceejatec -- I'm going to close this one in favor of https://issues.couchbase.com/browse/MB-23754 so we don't have duplicate tickets floating around.

@damianoneill Thanks again for reporting -- can you subscribe to updates to https://issues.couchbase.com/browse/MB-23754?

damianoneill commented 7 years ago

Hi Traun, unfortunately this issue link is not visible to me. It's suggested I need account access and to contact the JIRA Administrator. If I go to the issues page and search, it doesn't find the issue name.

Damian.


ceejatec commented 7 years ago

Apologies, that ticket is marked Private and I hadn't noticed. You won't be able to see it even if you do get logged in.

For what it's worth, the majority of the vulnerabilities shown are from the underlying Ubuntu 14.04 base image, so there is a limited amount we can do about them. Our next major release will be available on Ubuntu 16.04 and we will also update the Docker image to be based on that Ubuntu release, so hopefully that will at least help. Of the reported vulnerabilities in libraries Couchbase itself depends on and provides, most will not be updated in the 4.6 line since they would require significant effort to adopt that is likely unreasonable for a patch release. Several of them are updated in our upcoming major release.

tleyden commented 7 years ago

@damianoneill Thanks for the heads up! I'll re-open this so that you and other interested parties can track the status. Hopefully it will get a huge leap in our next major release as @ceejatec mentioned.

damianoneill commented 7 years ago

Hi Chris, thanks for the detailed response. As you say, moving to 16.04 will improve the vulnerability count, but won't eliminate it. There are a few other options that could be considered.

Damian.
