rocker-org / rocker-versioned

Run current & prior versions of R using docker
https://hub.docker.com/r/rocker/r-ver
GNU General Public License v2.0

Docker Image - Vulnerability Remediation Policies #248

Closed tmack-tfa closed 3 years ago

tmack-tfa commented 3 years ago

I am noticing that rocker/rstudio images have a number of vulnerabilities that are detected by image scanning tools. For example, scanning the rocker/rstudio:4.0.3 image with the aquasec/trivy scanner (version 0.12.0) detects 3 "High" severity vulnerabilities:

$ docker run --rm -v $HOME/Library/Caches:/root/.cache/ aquasec/trivy  --severity=CRITICAL,HIGH rocker/rstudio:4.0.3
2020-12-11T15:20:19.568Z    INFO    Detecting Ubuntu vulnerabilities...

rocker/rstudio:4.0.3 (ubuntu 20.04)
===================================
Total: 3 (HIGH: 3, CRITICAL: 0)

+------------+------------------+----------+-------------------+-------------------+--------------------------------+
|  LIBRARY   | VULNERABILITY ID | SEVERITY | INSTALLED VERSION |   FIXED VERSION   |             TITLE              |
+------------+------------------+----------+-------------------+-------------------+--------------------------------+
| libssl-dev | CVE-2020-1971    | HIGH     | 1.1.1f-1ubuntu2   | 1.1.1f-1ubuntu2.1 | The X.509 GeneralName          |
|            |                  |          |                   |                   | type is a generic type         |
|            |                  |          |                   |                   | for representing different     |
|            |                  |          |                   |                   | types...                       |
+------------+                  +          +                   +                   +                                +
| libssl1.1  |                  |          |                   |                   |                                |
|            |                  |          |                   |                   |                                |
|            |                  |          |                   |                   |                                |
|            |                  |          |                   |                   |                                |
+------------+                  +          +                   +                   +                                +
| openssl    |                  |          |                   |                   |                                |
|            |                  |          |                   |                   |                                |
|            |                  |          |                   |                   |                                |
|            |                  |          |                   |                   |                                |

I know that not all image vulnerabilities are applicable; for example, kernel-level vulnerabilities don't apply because Docker uses the host's kernel. But does rocker have policies for detecting and remediating image vulnerabilities? Thanks

cboettig commented 3 years ago

Thanks for checking in.

We follow Ubuntu LTS upstream repos (similarly the debian-based r-base stack pulls from debian upstream). You might be interested in https://ubuntu.com/security.

Images are rebuilt regularly to pull in security updates; of course users can apt-get update on their own containers as well. e.g.

docker run --rm -ti rocker/rstudio:4.0.3 bash
apt-get update && apt-get upgrade -y

will, I believe, pull the recently patched versions. Rebuilding our images from their Dockerfiles likewise pulls in these updates. At the moment we don't have a cron job automating these builds; things have been a bit in flux, but we hope to have semi-weekly builds before too long.

Because images are regularly rebuilt, it's helpful to note the hash of the image you pulled so we can tell which rocker/rstudio:4.0.3 you pulled (or better, check docker inspect so you can tell when it was last built). For example, it looks like this vulnerability was patched upstream in Ubuntu on Dec 2nd.

HTH
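One way to act on the advice above about comparing an image's build date with the upstream fix date, as an added example that is not part of this thread or of the rocker project's own tooling: it parses `docker inspect` output and trivy's `--format json` output (field names assumed from 0.12-era trivy; the sample JSON is constructed, with placeholder digests) and lists HIGH/CRITICAL findings that already have an upstream fix when the image predates that fix.

```python
import json
from datetime import datetime, timezone

# Constructed sample of `docker inspect rocker/rstudio:4.0.3` output, trimmed to
# the fields used here. The id, digest and date are placeholders, not real values.
INSPECT_JSON = json.dumps([{
    "Id": "sha256:<placeholder-image-id>",
    "RepoDigests": ["rocker/rstudio@sha256:<placeholder-repo-digest>"],
    "Created": "2020-11-20T10:15:00.123456789Z",
}])

# Constructed sample of `trivy --format json` output (0.12-era list layout
# assumed), mirroring the three findings in the issue's table.
TRIVY_JSON = json.dumps([{
    "Target": "rocker/rstudio:4.0.3 (ubuntu 20.04)",
    "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2020-1971", "PkgName": pkg, "Severity": "HIGH",
         "InstalledVersion": "1.1.1f-1ubuntu2", "FixedVersion": "1.1.1f-1ubuntu2.1"}
        for pkg in ("libssl-dev", "libssl1.1", "openssl")
    ],
}])


def image_build_time(inspect_output):
    """Return the image's Created timestamp as a UTC-aware datetime."""
    created = json.loads(inspect_output)[0]["Created"].rstrip("Z")
    # Docker emits nanoseconds; fromisoformat accepts at most microseconds.
    if "." in created:
        head, frac = created.split(".")
        created = f"{head}.{frac[:6]}"
    return datetime.fromisoformat(created).replace(tzinfo=timezone.utc)


def image_predates(inspect_output, fix_date):
    """True when the image was built before fix_date (YYYY-MM-DD), i.e. it
    cannot contain a package update published on or after that date."""
    cutoff = datetime.strptime(fix_date, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return image_build_time(inspect_output) < cutoff


def fixable_findings(trivy_output, severities=("HIGH", "CRITICAL")):
    """Return (package, CVE id, fixed version) for findings at the given
    severities that upstream has already fixed; these go away on rebuild."""
    out = []
    for result in json.loads(trivy_output):
        for v in result.get("Vulnerabilities") or []:
            if v["Severity"] in severities and v.get("FixedVersion"):
                out.append((v["PkgName"], v["VulnerabilityID"], v["FixedVersion"]))
    return out
```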

eddelbuettel commented 3 years ago

Also, and to put a somewhat grossly simplified spin on things, "we do not do anything here" as we mostly just re-arrange binaries from Ubuntu, or Debian, or third-parties (in the case of RStudio products) in already compiled form and then mostly just neatly rearrange them properly tagged for use by others.

Hence, as Carl already said, you really need to swim upstream to see how Debian and Ubuntu handle this. Which is actually ... pretty well! So we benefit from rebuilt and updated binaries just as other "downstream" users do.

But we appreciate you looking into this.

tmack-tfa commented 3 years ago

Thank you for looking into this @eddelbuettel and @cboettig. Your comments are very helpful, I will swim upstream for the next steps.