Medium and Low security vulnerabilities
avineer opened this issue · 1 comment
We are using bitnami/minideb:buster image and we get the following medium and low severity security issues.
https://security-tracker.debian.org/tracker/CVE-2020-19499 (medium)
https://security-tracker.debian.org/tracker/CVE-2021-3712 (medium)
https://security-tracker.debian.org/tracker/CVE-2020-27560 (medium)
https://security-tracker.debian.org/tracker/CVE-2020-19498 (medium)
https://security-tracker.debian.org/tracker/CVE-2020-27769 (medium)
https://security-tracker.debian.org/tracker/CVE-2020-27768 (medium)
https://security-tracker.debian.org/tracker/CVE-2020-10251 (medium)
https://security-tracker.debian.org/tracker/CVE-2019-12973 (medium)
https://security-tracker.debian.org/tracker/CVE-2021-29338 (medium)
https://security-tracker.debian.org/tracker/CVE-2020-14155 (medium)
https://security-tracker.debian.org/tracker/CVE-2017-16932 (medium)
https://security-tracker.debian.org/tracker/CVE-2021-37750 (medium)
https://security-tracker.debian.org/tracker/CVE-2021-37600 (low)
https://security-tracker.debian.org/tracker/CVE-2019-13627 (low)
We have a requirement to eliminate medium and low security vulnerabilities.
Can you comment on a timeline to address these security vulnerabilities in bitnami/minideb:buster?
The bitnami/minideb image is built on a daily basis in order to include the latest version of the installed Debian packages. In the DockerHub repo, you can see the release cadence of the different tags.
There are some system packages included in the Debian distro that contain some CVEs without a provided fix; in this case, we can't do anything until there is a new version of the system package with the fix.
You can check this topic by running a CVE scanner with and without the --ignore-unfixed flag:
$ trivy image bitnami/minideb:buster
2021-12-15T17:37:49.165Z INFO Detected OS: debian
2021-12-15T17:37:49.165Z INFO Detecting Debian vulnerabilities...
2021-12-15T17:37:49.171Z INFO Number of language-specific files: 0
bitnami/minideb:buster (debian 10.11)
=====================================
Total: 106 (UNKNOWN: 0, LOW: 74, MEDIUM: 9, HIGH: 19, CRITICAL: 4)
$ trivy image --ignore-unfixed bitnami/minideb:buster
2021-12-15T17:38:27.995Z INFO Detected OS: debian
2021-12-15T17:38:27.995Z INFO Detecting Debian vulnerabilities...
2021-12-15T17:38:28.001Z INFO Number of language-specific files: 0
bitnami/minideb:buster (debian 10.11)
=====================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
As you can see, when using the --ignore-unfixed flag, there are no CVEs reported. In the above example, I'm using Trivy as the scanner, but the same result should appear using any other scanner.
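The distinction the maintainer draws above (findings with a distro fix versus findings nobody can act on yet) can be applied to a scanner's JSON report directly, so a pipeline fails only when a rebuild would actually remove something. The following is an added example, not code from the issue or from the minideb project; it assumes Trivy's `-f json` report layout (`Results[].Vulnerabilities[]` with `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`), and the CVE IDs, package names and versions in the sample are constructed placeholders.

```python
import json
from collections import Counter

# Constructed sample in the shape of a Trivy JSON report; IDs, packages
# and versions are placeholders, not real scan data.
SAMPLE_REPORT = json.dumps({
    "Results": [{
        "Target": "example/image:tag (debian 10.11)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "pkg-a",
             "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "MEDIUM"},
            {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "pkg-b",
             "InstalledVersion": "2.3", "Severity": "MEDIUM"},          # no FixedVersion key
            {"VulnerabilityID": "CVE-EXAMPLE-0003", "PkgName": "pkg-c",
             "InstalledVersion": "0.9", "FixedVersion": "", "Severity": "LOW"},  # empty fix
            {"VulnerabilityID": "CVE-EXAMPLE-0004", "PkgName": "pkg-d",
             "InstalledVersion": "4.1", "FixedVersion": "4.2", "Severity": "HIGH"},
        ],
    }]
})

def split_by_fix_availability(report_json):
    """Return (fixable, unfixed) lists of finding dicts from a Trivy JSON report.
    Mirrors what --ignore-unfixed does: a finding is 'unfixed' when the distro
    has published no FixedVersion for the installed package (key missing or empty)."""
    report = json.loads(report_json)
    fixable, unfixed = [], []
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            (fixable if vuln.get("FixedVersion") else unfixed).append(vuln)
    return fixable, unfixed

def severity_counts(vulns):
    """Per-severity totals, the same breakdown Trivy prints in its summary line."""
    return Counter(v["Severity"] for v in vulns)

def rebuild_needed(report_json, severities):
    """True when rebuilding against current distro packages would remove at least
    one finding whose severity is in `severities`; unfixed findings never count."""
    fixable, _ = split_by_fix_availability(report_json)
    return any(v["Severity"] in severities for v in fixable)

if __name__ == "__main__":
    fixable, unfixed = split_by_fix_availability(SAMPLE_REPORT)
    print("fixable (rebuild helps):", dict(severity_counts(fixable)))
    print("unfixed (waiting on upstream):", dict(severity_counts(unfixed)))
    for v in unfixed:
        print(f"  {v['VulnerabilityID']} {v['PkgName']} {v['InstalledVersion']} {v['Severity']} - no fix in distro")
    print("rebuild needed for LOW/MEDIUM:", rebuild_needed(SAMPLE_REPORT, {"LOW", "MEDIUM"}))
```

Feeding a real report (`trivy image -f json bitnami/minideb:buster`) in place of the sample reproduces the two totals shown above: the unfixed list is what `--ignore-unfixed` drops.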