docker-library/buildpack-deps

"This image has vulnerabilities" on Docker Hub

teohhanhui opened this issue · 6 comments


👍

Is there any update on this? I'm seeing this for all the tags in the nodejs repo.

We have to wait for any fixes to come through the Debian packaging. Sometimes, even though there is a CVE, the Debian security team does not think the vulnerability warrants a backport (like this and this).

Even when there are fixes available, unless they are actually exploitable and foundational to many programs (like openssl), we hesitate to force a rebuild of all dependent images. On the other hand we strive to make sure exploitable vulnerabilities are fixed: see docker-library/official-images label:cve-tracker.

If we take for example buildpack-deps:jessie, of the roughly 70 CVEs listed on the ~20 different components on the Docker Hub, there are fixes now for 4 packages that cover 17 CVEs. Of those, only two are "High" severity: one for curl, about which curl.haxx.se says "We are not aware of any exploit of this flaw.", and one for imagemagick, which doesn't look bad enough to cause a rebuild of images.

Sometimes there are false positives on the Docker Hub list as well, like CVE-2016-4614, CVE-2016-4615, CVE-2016-4616 and CVE-2016-4619, which apply to iOS, OSX, tvOS, watchOS, and iTunes on Windows, and CVE-2016-5131, which applies when using Google Chrome.

We do periodically rebuild the base Debian and Ubuntu image on about a monthly time frame (and rebuild all dependent images), so any available fixes will naturally be installed. We just rebuilt Ubuntu today and plan to rebuild Debian next week.
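The check described in the comment above (is each flagged CVE fixed in the Debian suite, marked no-dsa, marked not-affected, or not tracked for Debian at all?) can be scripted against the Debian security tracker's JSON export instead of done by hand. The following is an added example, not code from this thread or from docker-library. It assumes the layout of https://security-tracker.debian.org/tracker/data/json (package -> CVE -> releases -> suite -> status/fixed_version/urgency/nodsa) and the `${source:Package}` virtual field of dpkg-query; its tracker entries, package versions and CVE-0000-* identifiers are constructed placeholders, not real advisories.

```python
"""Triage scanner-reported CVEs for a Debian-based image against Debian
security tracker data. Version comparison follows dpkg's algorithm so that
'7.38.0-4+deb8u4' < '7.38.0-4+deb8u5' and '1.0~rc1' < '1.0' come out right."""


def _order(c):
    # dpkg ordering: '~' < end-of-string < letters < other non-digits
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256 if c else 0


def _verrevcmp(a, b):
    """Compare upstream or revision strings as alternating non-digit / digit runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        while i < len(a) and a[i] == "0":          # numeric runs ignore leading zeros
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit():           # longer numeric run wins
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    epoch = 0
    if ":" in version:
        epoch, version = version.split(":", 1)
        epoch = int(epoch)
    upstream, sep, revision = version.rpartition("-")
    if not sep:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 like `dpkg --compare-versions a lt/eq/gt b`."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return -1 if r < 0 else 1
    return 0


# Constructed sample: output of
#   dpkg-query -W -f='${source:Package}\t${source:Version}\n'   (run inside the image)
INSTALLED = "curl\t7.38.0-4+deb8u4\nimagemagick\t8:6.8.9.9-5+deb8u4\nlibxml2\t2.9.1+dfsg1-5+deb8u2\n"

# Constructed sample mimicking the tracker JSON layout; placeholder IDs/versions.
TRACKER = {
    "curl": {
        "CVE-0000-0001": {"releases": {"jessie": {"status": "resolved", "urgency": "medium",
                                                  "fixed_version": "7.38.0-4+deb8u5"}}},
        "CVE-0000-0002": {"releases": {"jessie": {"status": "open", "urgency": "low",
                                                  "nodsa": "Minor issue"}}},
    },
    "imagemagick": {
        "CVE-0000-0003": {"releases": {"jessie": {"status": "resolved", "urgency": "high",
                                                  "fixed_version": "8:6.8.9.9-5+deb8u4"}}},
        "CVE-0000-0004": {"releases": {"jessie": {"status": "open", "urgency": "not yet assigned"}}},
    },
    "libxml2": {
        # the tracker records "not affected" as resolved with fixed_version "0"
        "CVE-0000-0005": {"releases": {"jessie": {"status": "resolved", "fixed_version": "0"}}},
    },
}

# Constructed sample of what an image scanner reported: (source package, CVE) pairs.
FINDINGS = [("curl", "CVE-0000-0001"), ("curl", "CVE-0000-0002"),
            ("imagemagick", "CVE-0000-0003"), ("imagemagick", "CVE-0000-0004"),
            ("libxml2", "CVE-0000-0005"), ("libxml2", "CVE-0000-0006")]


def classify(installed_version, release):
    """Bucket one finding by what a rebuild of the image could actually change."""
    if release is None:
        return "untracked"        # no Debian entry for this suite: check if it even applies to Debian
    fixed = release.get("fixed_version")
    if release.get("status") == "resolved" and fixed is not None:
        if fixed == "0":
            return "not-affected"
        if compare_versions(installed_version, fixed) >= 0:
            return "already-fixed"  # scanner data is stale
        return "fix-available"      # a rebuild (apt-get upgrade) picks this up
    if "nodsa" in release or release.get("urgency") == "unimportant":
        return "no-dsa"             # Debian will not backport; rebuilding changes nothing
    return "open"                   # unfixed in Debian too


def triage(findings, installed_text, tracker, suite):
    installed = dict(line.split("\t", 1) for line in installed_text.splitlines() if line.strip())
    result = {}
    for pkg, cve in findings:
        if pkg not in installed:
            result[(pkg, cve)] = "not-installed"
            continue
        release = tracker.get(pkg, {}).get(cve, {}).get("releases", {}).get(suite)
        result[(pkg, cve)] = classify(installed[pkg], release)
    return result


if __name__ == "__main__":
    for (pkg, cve), bucket in sorted(triage(FINDINGS, INSTALLED, TRACKER, "jessie").items()):
        print(f"{pkg:12} {cve:14} {bucket}")
```

Only the `fix-available` bucket justifies forcing a rebuild; `no-dsa`, `not-affected` and `untracked` findings will still be reported by the scanner after a rebuild, which is the situation the comment above describes. Note that the tracker is keyed by source package, so the installed list must use `${source:Package}`/`${source:Version}` rather than the binary package name and version, or binNMU'd packages and library packages (libcurl3 vs. curl) will not match.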

Thanks for the very thorough explanation, everything you mention makes sense.

See https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-so-many-cves for where this information has been finally combined into a more complete FAQ answer.