serversideup / docker-php

🐳 Production-ready Docker images for PHP. Optimized for Laravel, WordPress, and more!
https://serversideup.net/open-source/docker-php/
GNU General Public License v3.0
1.65k stars, 108 forks

I encountered issues with some vulnerabilities but couldn't find a way to update the dependencies. #348

Closed hoangtrung99 closed 3 months ago

hoangtrung99 commented 3 months ago

Affected Docker Images

serversideup/php:8.2-fpm-nginx-v2.2.1

Docker Labels of the affected images

No response

Current Behavior

I use AWS Inspector and receive notifications about vulnerabilities, but I have found a way to update dependencies to fix those vulnerabilities. See the picture below ↓

Expected Behavior

I'm using v2 and it seems there's no way to update the Ubuntu base image, right? For a few reasons, I can't switch to v3 at the moment.

Steps To Reproduce

This is my Dockerfile:

# Base image pinned to a specific v2 tag (Ubuntu-based, PHP 8.2 with FPM + NGINX)
FROM serversideup/php:8.2-fpm-nginx-v2.2.1

# Runtime settings consumed by the image's entrypoint and s6 services
ENV PHP_DATE_TIMEZONE Asia/Tokyo
ENV SSL_MODE off
ENV AUTORUN_ENABLED true
ENV AUTORUN_LARAVEL_MIGRATION true
ENV PHP_PM_MAX_CHILDREN 40

# Project-specific PHP and NGINX configuration
COPY ./docker/php/php.ini /usr/local/etc/php/php.ini
COPY ./docker/nginx/nginx.conf /etc/nginx/nginx.conf
# register s6 services
COPY ./docker/s6/services/queue /etc/s6-overlay/s6-rc.d/queue/
COPY ./docker/s6/user/ /etc/s6-overlay/s6-rc.d/user/

# Application source, owned by the unprivileged user the base image defines
COPY --chown=$PUID:$PGID . /var/www/html

# Install production dependencies, then build the optimized autoloader
RUN composer install --no-cache --no-dev --no-scripts --no-autoloader --ansi --no-interaction \
    && composer dump-autoload -o

Host Operating System

AWS ECS

Docker Version

I use AWS ECR and AWS ECS.

Anything else?

(screenshot attached: Arc_2024-05-02 22:46:06)

sneycampos commented 3 months ago

You can't run apk update / apk upgrade?

hoangtrung99 commented 3 months ago

You can't run apk update / apk upgrade?

I've considered this, but it causes the build time to increase significantly.

minkbear commented 3 months ago

@hoangtrung99

What about this?

https://serversideup.net/open-source/docker-php/docs/getting-started/upgrade-guide#updating-the-docker-images-on-your-own

hoangtrung99 commented 3 months ago

@hoangtrung99

What about this?

serversideup.net/open-source/docker-php/docs/getting-started/upgrade-guide#updating-the-docker-images-on-your-own

@minkbear

RUN apt-get update \
    && apt-get upgrade -y \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* /usr/share/doc/*

If we do this, it will significantly increase the image build time, so my temporary solution is:

RUN apt-get update \
    && apt-get install -y perl libde265-0 \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* /usr/share/doc/*
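The two snippets above are the whole trade-off in this thread: a blanket apt-get upgrade is slow but complete, while hand-picking packages is fast but easy to get wrong. The script below is an added example, not code from the serversideup/docker-php project or from anyone in the thread. It generates a targeted, version-pinned apt-get command from scanner findings and then gates the build on "nothing is still upgradable". The findings format ("package installed fixed") and both sample inputs are constructed, and the version strings are placeholders, not real fixed versions. Note that the v2 images are Ubuntu-based, so apt-get, not apk, is the right tool here.

```shell
#!/bin/sh
# Added example, not from the serversideup/docker-php project: turn a list of
# scanner findings into a targeted, version-pinned apt upgrade, and gate the
# build on "nothing left to upgrade". Runs offline on constructed input.
set -eu

# Constructed findings in an assumed "package installed fixed" format (not the
# real Amazon Inspector output). Package names follow the thread; the version
# strings are placeholders.
FINDINGS='perl 5.34.0-3ubuntu1.1 5.34.0-3ubuntu1.3
libde265-0 1.0.8-1 1.0.8-1ubuntu0.2'

# Constructed output in the shape of `apt list --upgradable` run inside the image.
APT_LIST='Listing... Done
perl/jammy-updates,jammy-security 5.34.0-3ubuntu1.3 amd64 [upgradable from: 5.34.0-3ubuntu1.1]'

# Build the single apt-get command for a Dockerfile RUN step: only the flagged
# packages, each pinned to the version the scanner reports as fixed.
build_upgrade_cmd() {
    printf '%s\n' "$1" | awk '
        NF == 3 { pkgs = pkgs " " $1 "=" $3 }
        END {
            if (pkgs != "")
                print "apt-get install -y --no-install-recommends --only-upgrade" pkgs
        }'
}

# Package names that `apt list --upgradable` still reports. The "Listing..."
# header has no "/" and is skipped. Empty output means nothing is left to patch.
remaining_upgrades() {
    printf '%s\n' "$1" | awk -F'/' 'NF >= 2 { print $1 }'
}

# Build-time gate: return 1 when anything is still upgradable, so a
# `RUN ... || exit 1` fails the image build instead of shipping it.
assert_no_upgrades() {
    rem=$(remaining_upgrades "$1")
    if [ -n "$rem" ]; then
        printf 'still upgradable after patching: %s\n' "$rem" >&2
        return 1
    fi
    return 0
}

# Stand-alone demonstration on the constructed samples.
build_upgrade_cmd "$FINDINGS"
assert_no_upgrades "$APT_LIST" || echo "gate would fail the build"
```

Put the generated RUN line directly after FROM and before the COPY of the application, so Docker's layer cache keeps the patched layer across ordinary app rebuilds and the build-time cost is paid only when you deliberately bust that layer (for example with a build argument you bump on a schedule). Two caveats: `apt-get install pkg=version` fails if the mirror no longer carries that exact version, in which case drop the pin and rely on --only-upgrade; and the gate only checks what apt knows about, so run `apt-get update` in the same RUN step before `apt list --upgradable`.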

sneycampos commented 3 months ago

I really don't think this type of "problem" should be issued to serversideup... update, upgrade, etc. should be done by the consumer. In every release, maybe, the image will be updated to the latest dependencies, but I don't think this needs a release just for this type of update.

hoangtrung99 commented 3 months ago

I really don't think this type of "problem" should be issued to serversideup... update, upgrade, etc. should be done by the consumer. In every release, maybe, the image will be updated to the latest dependencies, but I don't think this needs a release just for this type of update.

I got it. I don't understand why Ubuntu doesn't get the latest updates every time a new image is built.