docker-library / buildpack-deps

MIT License

"This image has vulnerabilities" on Docker Hub #46

Closed teohhanhui closed 5 years ago

punkeel commented 8 years ago

:+1:

jmreicha commented 8 years ago

Is there any update on this? I'm seeing this for all the tags in the nodejs repo.

yosifkit commented 8 years ago

We have to wait for any fixes to come through the Debian packaging. Sometimes, even though there is a CVE, the Debian security team does not think the vulnerability warrants a backport (like this and this).

Even when there are fixes available, unless they are actually exploitable and foundational to many programs (like openssl), we hesitate to force a rebuild of all dependent images. On the other hand we strive to make sure exploitable vulnerabilities are fixed: see docker-library/official-images label:cve-tracker.

If we take for example buildpack-deps:jessie, of the roughly 70 CVEs listed on the ~20 different components on the Docker Hub, there are fixes now for 4 packages that cover 17 CVEs. Of those, only two are "High" severity; one for curl that "We are not aware of any exploit of this flaw." (curl.haxx.se) and one for imagemagick, which doesn't look bad enough to cause a rebuild of images.

Sometimes there are false positives on the Docker Hub list as well. Like CVE-2016-4614, CVE-2016-4615, CVE-2016-4616, CVE-2016-4619 which apply to iOS, OSX, tvOS, watchOS, and iTunes on Windows, and CVE-2016-5131 which applies when using Google Chrome.

We do periodically rebuild the base Debian and Ubuntu image on about a monthly time frame (and rebuild all dependent images), so any available fixes will naturally be installed. We just rebuilt Ubuntu today and plan to rebuild Debian next week.
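The triage yosifkit describes, as an added example (not code from this thread or the docker-library project): constructed scanner findings are sorted into the buckets the comment names, fix available in Debian, no-DSA decision, never affected, not tracked for this package (candidate false positive), and genuinely open. The tracker layout is an assumption modeled on the Debian security tracker JSON export, and every CVE id, package and version below is constructed.

```python
"""Triage scanner CVE findings against Debian security-tracker data.

Added example for this thread, not docker-library code. TRACKER is a constructed
fragment shaped like https://security-tracker.debian.org/tracker/data/json
(assumed layout: package -> CVE -> "releases" -> suite -> status/fixed_version/nodsa).
"""
from collections import Counter

SUITE = "jessie"
# Constructed scanner output: (CVE, source package) pairs flagged on the image.
FINDINGS = [
    ("CVE-0000-0001", "curl"),         # fixed in a point release, awaiting rebuild
    ("CVE-0000-0002", "imagemagick"),  # open, Debian decided not to backport
    ("CVE-0000-0003", "libxml2"),      # resolved as never affecting Debian
    ("CVE-0000-0004", "libxml2"),      # unknown to the tracker for this package
    ("CVE-0000-0005", "openssl"),      # genuinely open, no fix yet
]
# Constructed tracker fragment (layout assumed as described in the docstring).
TRACKER = {
    "curl": {"CVE-0000-0001": {"releases": {SUITE: {
        "status": "resolved", "fixed_version": "7.38.0-4+deb8u6", "urgency": "high"}}}},
    "imagemagick": {"CVE-0000-0002": {"releases": {SUITE: {
        "status": "open", "urgency": "low", "nodsa": "Minor issue"}}}},
    "libxml2": {"CVE-0000-0003": {"releases": {SUITE: {
        "status": "resolved", "fixed_version": "0", "urgency": "unimportant"}}}},
    "openssl": {"CVE-0000-0005": {"releases": {SUITE: {
        "status": "open", "urgency": "high"}}}},
}

def triage(cve, package, tracker=TRACKER, suite=SUITE):
    """Classify one finding: why the scanner shows it and what would change it."""
    release = tracker.get(package, {}).get(cve, {}).get("releases", {}).get(suite)
    if release is None:
        return "not-tracked"    # verify the CVE applies to this platform at all
    if release["status"] == "resolved":
        # assumption: packages that were never affected carry fixed_version "0"
        return "not-affected" if release.get("fixed_version") == "0" else "fix-available"
    if "nodsa" in release:
        return "no-dsa"         # Debian security team chose not to backport a fix
    return "open"

def summarize(findings=FINDINGS, tracker=TRACKER, suite=SUITE):
    """Bucket counts: only 'fix-available' items change on the next base rebuild."""
    return Counter(triage(cve, pkg, tracker, suite) for cve, pkg in findings)

def rebuild_triggers(findings=FINDINGS, tracker=TRACKER, suite=SUITE):
    """Fixed, high-urgency CVEs: the case where maintainers force an early rebuild."""
    return [(cve, pkg) for cve, pkg in findings
            if triage(cve, pkg, tracker, suite) == "fix-available"
            and tracker[pkg][cve]["releases"][suite].get("urgency") == "high"]
```

Against the real tracker export, load the JSON with `json.load` and pass it as `tracker`; the "not-tracked" bucket is where platform-specific entries like the iOS/Chrome CVEs above would land for review.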

jmreicha commented 8 years ago

Thanks for the very thorough explanation, everything you mention makes sense.

yosifkit commented 7 years ago

Related issues:
https://github.com/docker-library/postgres/issues/286
https://github.com/docker-library/openjdk/issues/112
https://github.com/docker-library/drupal/issues/84
https://github.com/docker-library/official-images/issues/2740
https://github.com/docker-library/ruby/issues/117
https://github.com/docker-library/ruby/issues/94
https://github.com/docker-library/python/issues/152
https://github.com/docker-library/php/issues/242

tianon commented 5 years ago

See https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-so-many-cves for where this information has been finally combined into a more complete FAQ answer.