Azure/aztk

AZTK container has 338 CVEs

seanmmccormick opened this issue · 2 comments

In running a security scan of the AZTK container using Artifactory X-Ray, I find 338 CVEs. This is largely due to basically using a complete, desktop linux system.

For example, there are dozens of issues related to X.org libraries like this one:

Integer overflow in X.org libXfixes before 5.0.3 on 32-bit platforms might allow remote X servers to gain privileges via a length value of INT_MAX, which triggers the client to stop reading data and get out of sync.

I'm fairly certain spark doesn't use even a part of the X Window System for anything.

Could you start with a smaller image with less security surface area and build this on that?

Or, barring that, would you accept a patch that fixes this issue and allows spark to run in a lightweight container?

I'd hate to fail an enterprisy security screen for a 32-bit X-windows vulnerability. We need the $$$$

Yes, patches are encouraged, especially for security vulnerabilities. The AZTK containers are quite old at this point and need to be updated. Likely that will remove many of the CVEs, but likely not all.

Switching to a non-Ubuntu16.04 base image is an option, but it could break users. Adding an additional set of images that run in a lighterweight/more security sensitive distro would be a nice feature add in my opinion. What base image in particular are you interested in?