nodejs / docker-node

Official Docker Image for Node.js :whale: :turtle: :rocket:
https://hub.docker.com/_/node/
MIT License

Upgrade Base Images to remove vulnerabilities #2080

Status: Closed (kevinstory closed this issue 1 month ago)

kevinstory commented 1 month ago

Problem

Some of the Dockerfiles have an apt-get update && apt-get install .... but this will rely on the base image not having any vulnerabilities. I would suggest adding in an upgrade statement to update the base image to remove these vulnerabilities.

Example: https://github.com/nodejs/docker-node/blob/0fe0a462d24a254fbe870e64494123fca77fa49e/21/bookworm-slim/Dockerfile#L20

Solution

Change code to reflect something like this:

apt-get update && apt-get upgrade -y && apt-get install ....

Alternatives to Consider

Open to suggestions / feedback!
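A small lint for the pattern proposed above, as an added example that is not part of the original issue or of the docker-node project: it joins continued RUN instructions and flags any that run apt-get install without an apt-get upgrade (or dist-upgrade) in the same step. The two Dockerfiles embedded in it are constructed samples, not the project's real files.

```shell
#!/bin/sh
# Added example, not code from the docker-node project: lint a Dockerfile for
# RUN steps that install packages without upgrading the base image first.

# Constructed sample Dockerfiles (not the project's real ones).
INSTALL_ONLY=$(cat <<'EOF'
FROM debian:bookworm-slim
RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates \
    && rm -rf /var/lib/apt/lists/*
RUN apt-get update && apt-get upgrade -y && apt-get install -y curl \
    && rm -rf /var/lib/apt/lists/*
EOF
)
UPGRADES_FIRST=$(cat <<'EOF'
FROM debian:bookworm-slim
RUN set -eux; \
    apt-get update; \
    apt-get upgrade -y; \
    apt-get install -y --no-install-recommends ca-certificates; \
    rm -rf /var/lib/apt/lists/*
EOF
)

# Print every RUN instruction (backslash-continued lines joined) that runs
# `apt-get install` with no `apt-get upgrade`/`dist-upgrade` in the same step.
# Exit status 1 if any such instruction was found, 0 otherwise.
find_install_without_upgrade() {
  printf '%s\n' "$1" | awk '
    /\\[[:space:]]*$/ { sub(/\\[[:space:]]*$/, ""); buf = buf $0 " "; next }
    {
      buf = buf $0
      if (buf ~ /^[[:space:]]*[Rr][Uu][Nn][[:space:]]/ &&
          buf ~ /apt-get[[:space:]]+install/ &&
          buf !~ /apt-get[[:space:]]+(dist-)?upgrade/) {
        print buf; found = 1
      }
      buf = ""
    }
    END { exit found ? 1 : 0 }
  '
}

# Demo on the constructed sample: prints the one offending RUN step.
if find_install_without_upgrade "$INSTALL_ONLY"; then
  echo "no install-without-upgrade steps found"
fi
```

Run it against a real Dockerfile with `find_install_without_upgrade "$(cat Dockerfile)"`; a non-zero exit makes it usable as a CI gate.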

LaurentGoderre commented 1 month ago

We don't need to do an upgrade because when the base image is updated, these ones are rebuilt with the change.

kevinstory commented 1 month ago

Thank you for the quick reply! I had to rebuild the node:21-bookworm-slim image today because the base Debian image contained a vulnerability and had not been recreated for 14 days, and thus failed our pipeline. I assume Debian will eventually update their image, but in the meantime, adding the upgrade -y resolved this for me.

yosifkit commented 1 month ago

Background:

Tags in the [official-images] library file[s] are only built through an update to that library file or as a result of its base image being updated (ie, an image FROM debian:buster would be rebuilt when debian:buster is built).

- https://github.com/docker-library/official-images/tree/2f086314307c04e1de77f0a515f20671e60d40bb#library-definition-files

Official Images FAQ:

Though not every CVE is removed from the images, we take CVEs seriously and try to ensure that images contain the most up-to-date packages available within a reasonable time frame

- https://github.com/docker-library/faq/tree/0ad5fd60288109c875a54a37f6581b2deaa836db#why-does-my-security-scanner-show-that-an-image-has-cves

To ensure that we don't push contentless image changes, we rely on periodic base image updates.

We strive to publish updated images at least monthly for Debian. We also rebuild earlier if there is a critical security need. Many Official Images are maintained by the community or their respective upstream projects, like Ubuntu, Alpine, and Oracle Linux, and are subject to their own maintenance schedule.

- from the same FAQ link

nschonni commented 1 month ago

This is also explained in https://github.com/nodejs/docker-node/blob/main/SECURITY.md