Closed bighb69738 closed 2 years ago
7.0.4
was recently added 4 days ago, it's fully up to date with the latest packages from the apk repos
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28931 is still reserved
Four results with no informational links. What scanner are you using?
$ docker run -it --rm redis:7.0.4-alpine ash
Unable to find image 'redis:7.0.4-alpine' locally
7.0.4-alpine: Pulling from library/redis
530afca65e2e: Already exists
c550a3118f41: Pull complete
9b28aced8b95: Pull complete
ee366e72c8f0: Pull complete
4dc43047334c: Pull complete
940560b1b15a: Pull complete
Digest: sha256:f23b1e963e2122ce4de6c40ffd105b60ccfa62bf0134585d3109f5caf691b5b3
Status: Downloaded newer image for redis:7.0.4-alpine
/data # apk update && apk -u list && apk upgrade --simulate
fetch https://dl-cdn.alpinelinux.org/alpine/v3.16/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.16/community/x86_64/APKINDEX.tar.gz
v3.16.1-5-ge692d8f074 [https://dl-cdn.alpinelinux.org/alpine/v3.16/main]
v3.16.1-20-g112d29a88c [https://dl-cdn.alpinelinux.org/alpine/v3.16/community]
OK: 17026 distinct packages available
OK: 9 MiB in 17 packages
See https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves And https://github.com/docker-library/openjdk/issues/449#issuecomment-763027011, https://github.com/docker-library/postgres/issues/286#issuecomment-302512767 docker-library/openjdk#161, docker-library/openjdk#112, docker-library/postgres#286, docker-library/drupal#84, docker-library/official-images#2740, docker-library/ruby#117, docker-library/ruby#94, docker-library/python#152, docker-library/php#242, docker-library/buildpack-deps#46, docker-library/openjdk#185.
A CVE doesn't imply having an actual vulnerability, and often is even a false positive (given how most distributions handle versioning/security updates in stable releases). If there are actionable items we can resolve, we're happy to do so (and do so actively). We update all Debian based images to include any updates in apt packages at least monthly (we regenerate the base images and then rebuild all dependent images).
@wglambert Sorry, the correct CVE id is CVE-2022-30065 and CVE-2022-28391. I used Whitesource to scan redis:7.0.4-alpine image, and it found the high saverity vulnerabilities library from busybox-1.35.0-r15.apk.
The busybox package is fully up to date so there's nothing actionable we can do, in about a month the image will be updated and rebuilt on its usual cadence so maybe they'll have patches for those. They don't seem particularly relevant to the this image's environment and usage.
I would make sure your redis image isn't publicly accessible and you've read https://github.com/docker-library/docs/tree/master/redis#security then you shouldn't have any worries
Hi all: I tried to use the latest image redis:7.0.4-alpine. But there is a High saverity vulnerabilities when the image was scaned.
These High saverity vulnerabilities:
Library:busybox-1.35.0-r15.apk Vulnerability id : CVE-2022-3006, CVE-2022-28931
How to fix it?