docker-library / php

Docker Official Image packaging for PHP
https://php.net
MIT License

Vulnerability in almost all the images #1401

Closed MirakuSan closed 1 year ago

MirakuSan commented 1 year ago

The Docker Hub vulnerability checkup seems to find vulnerabilities in almost all the existing images, even the most recent ones.

Example with php:8.2-alpine3.16 : https://hub.docker.com/layers/library/php/8.2-alpine3.16/images/sha256-8a68231a27ed75b0f476e046d7e25dff6e1bbb19292c1f555c36ef96c0331ff2?context=explore


Has the issue already been declared?

Thanks a lot

yosifkit commented 1 year ago

Background:

Tags in the [official-images] library file[s] are only built through an update to that library file or as a result of its base image being updated (i.e., an image FROM debian:buster would be rebuilt when debian:buster is built).

- https://github.com/docker-library/official-images/tree/2f086314307c04e1de77f0a515f20671e60d40bb#library-definition-files

Official Images FAQ:

Though not every CVE is removed from the images, we take CVEs seriously and try to ensure that images contain the most up-to-date packages available within a reasonable time frame

- https://github.com/docker-library/faq/tree/0ad5fd60288109c875a54a37f6581b2deaa836db#why-does-my-security-scanner-show-that-an-image-has-cves

Since our build system makes heavy use of Docker build cache, just rebuilding all of the Dockerfiles won't cause any change. So we rely on periodic base image updates.

We strive to publish updated images at least monthly for Debian. We also rebuild earlier if there is a critical security need. Many Official Images are maintained by the community or their respective upstream projects, like Ubuntu, Alpine, and Oracle Linux, and are subject to their own maintenance schedule.

- from the same FAQ link
As a side note, we are working on creating a process for Docker Official Images to selectively build outside of a Dockerfile change or parent image rebuild (since some upstream base images don't rebuild often, and some are now building reproducibly so don't trigger a rebuild).
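The build-cache behaviour described above means that, between official rebuilds, a downstream image inherits whatever package versions were in the base layer when it was last built. The following Dockerfile is an added example (not code from this thread or from the docker-library/php project) showing how a consumer can apply the distribution's own package fixes on top of the official `php:8.2-alpine3.16` image mentioned in the report; the `--no-cache` and `--pull` flags in the build command are standard Docker and apk options, and the image tag is taken from the issue, not chosen here.

```dockerfile
# Added example: layer the latest Alpine package fixes on top of the official image.
# The base tag is the one from the report above; everything else is a constructed example.
FROM php:8.2-alpine3.16

# Refresh the apk index and upgrade every installed package to the newest version
# available in the Alpine 3.16 repositories. This is what picks up security fixes that
# the cached upstream layer does not yet contain. --no-cache avoids leaving an index
# copy in the layer, keeping the image small and the build reproducible.
RUN apk upgrade --no-cache

# Build with --pull so the latest official base layer is fetched, and --no-cache so
# the RUN line above is re-executed instead of being served from the local build cache:
#
#   docker build --pull --no-cache -t myapp/php:8.2-alpine3.16 .
#
# Re-run the build periodically (or on a schedule in CI) and re-scan the result;
# scanner findings that remain after this step are either not yet fixed in Alpine's
# repositories or belong to PHP itself, which only an upstream rebuild can change.
```

Because `apk upgrade` only ever moves to packages published by Alpine for that release, this does not change the PHP version or any behaviour the official image promises; it is a stop-gap for consumers who need a clean scan before the next official rebuild lands.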

tianon commented 1 year ago

All supported images have since been rebuilt. :+1: