Container images pushed to Dockerhub are changing checksums without changing version
Closed this issue · 3 comments
Describe the bug
Container images pushed to Dockerhub are changing checksums without changing version. For example, our tooling caught the following change for 1.25.4:
nginxinc/nginx-unprivileged:1.25.4@sha256:776c8ad8510a8f883b772667d46bad227f49848347a047f6de0965dd48982cb8 -> nginxinc/nginx-unprivileged:1.25.4@sha256:898edc719ceb92b89dbd9ced9f2c57986731d6aa90346137a05817ea255a506f
This is pretty concerning from a security perspective, and does not follow semver. Changing the image contents without bumping the image version is often an indicator of a malicious change, although it doesn't seem to be the case with this specific change.
I ran container-diff against both images. Here's the results:
$ container-diff diff nginxinc/nginx-unprivileged:1.25.4@sha256:776c8ad8510a8f883b772667d46bad227f49848347a047f6de0965dd48982cb8 nginxinc/nginx-unprivileged:1.25.4@sha256:898edc719ceb92b89dbd9ced9f2c57986731d6aa90346137a05817ea255a506f --type=history --type=file --type=size
-----File-----
These entries have been added to nginxinc/nginx-unprivileged:1.25.4@sha256:898edc719ceb92b89dbd9ced9f2c57986731d6aa90346137a05817ea255a506f: None
These entries have been deleted from nginxinc/nginx-unprivileged:1.25.4@sha256:898edc719ceb92b89dbd9ced9f2c57986731d6aa90346137a05817ea255a506f: None
These entries have been changed between nginxinc/nginx-unprivileged:1.25.4@sha256:776c8ad8510a8f883b772667d46bad227f49848347a047f6de0965dd48982cb8 and nginxinc/nginx-unprivileged:1.25.4@sha256:898edc719ceb92b89dbd9ced9f2c57986731d6aa90346137a05817ea255a506f:
FILE                                     SIZE1   SIZE2
/var/log/dpkg.log                        45.8K   45.8K
/var/log/apt/term.log                    24.9K   24.9K
/var/cache/ldconfig/aux-cache            13.3K   13.3K
/var/log/apt/eipp.log.xz                 6.4K    6.4K
/var/log/apt/history.log                 4.6K    4.6K
/etc/shadow                              494B    494B
/etc/shadow-                             474B    474B
/etc/apt/sources.list.d/debian.sources   443B    443B
-----History-----
Docker history lines found only in nginxinc/nginx-unprivileged:1.25.4@sha256:776c8ad8510a8f883b772667d46bad227f49848347a047f6de0965dd48982cb8:
-/bin/sh -c #(nop) ADD file:eb6a3def1f69e76655620640e610015f285bc23c97e89855feb1f0548309d518 in /
Docker history lines found only in nginxinc/nginx-unprivileged:1.25.4@sha256:898edc719ceb92b89dbd9ced9f2c57986731d6aa90346137a05817ea255a506f:
-/bin/sh -c #(nop) ADD file:b86ae1c7ca3586d8feedcd9ff1b2b1e8ab872caf6587618f1da689045a5d7ae4 in /
-----Size-----
Image size difference between nginxinc/nginx-unprivileged:1.25.4@sha256:776c8ad8510a8f883b772667d46bad227f49848347a047f6de0965dd48982cb8 and nginxinc/nginx-unprivileged:1.25.4@sha256:898edc719ceb92b89dbd9ced9f2c57986731d6aa90346137a05817ea255a506f: None

Based off of this I would guess that new container images are being automatically pushed when something like a tooling-only update is merged to master. However, as the produced artifacts are different, the minor version should really be bumped per semver. An alternative solution would be to offer an image tag that is pinned and never moves.
To reproduce
Verify that the two mentioned images exist with different checksums
Your environment
- Version of the NGINX Unprivileged Docker image: 1.25.4@sha256:776c8ad8510a8f883b772667d46bad227f49848347a047f6de0965dd48982cb8, 1.25.4@sha256:898edc719ceb92b89dbd9ced9f2c57986731d6aa90346137a05817ea255a506f
- Target deployment environment/platform: All/platform independent
Additional context
Does this security vulnerability relate to one of the NGINX libraries specified in the SECURITY doc?
No
Hi @fheinecke, the images are getting rebuilt on a regular cadence to pick up changes from the base images/repos fixing possible CVEs.
This also happens with Docker Official Library ones, without changing the actual tag, see the following:
"These refreshed base images also means that any other image in the Official Images program that is FROM them will also be rebuilt (as described in the project README.md file)."
"Tags in the library file are only built through an update to that library file or as a result of its base image being updated (ie, an image FROM debian:bookworm would be rebuilt when debian:bookworm is built)."
That said, if you need to use a really specific version, you can always use the sha id of the image.
Relevant discussion in nginx/docker-nginx#307, too.
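As an added example (not the reporter's tooling and not code from the nginx-unprivileged project), covering both the reporter's "our tooling caught the following change" and the maintainer's advice to use the image's sha id: a small Python script that parses image references, flags references that lack a digest pin, and reports a tag whose currently resolved digest no longer matches the pinned one. It assumes the live digests are fetched separately (for instance with `crane digest <image>`); here they are constructed inline from the two digests quoted in the issue so the script runs offline.

```python
"""Detect a tag silently moving to a new digest, and enforce digest pins.

Added example; not code from the issue reporter or the nginx-unprivileged
project. Live digests normally come from a registry query (for instance
`crane digest nginxinc/nginx-unprivileged:1.25.4`); here the "resolved"
values are constructed inline so the script runs offline.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Accepts repo[:tag][@sha256:<64 hex>]. Assumption: no registry host:port
# prefix, which keeps the grammar small enough to read at a glance.
_REF_RE = re.compile(
    r"^(?P<repo>[a-z0-9._/-]+?)"
    r"(?::(?P<tag>[A-Za-z0-9._-]+))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"
)


@dataclass(frozen=True)
class ImageRef:
    repo: str
    tag: Optional[str]
    digest: Optional[str]

    @property
    def tagged(self) -> str:
        """The reference without its digest, e.g. 'repo:tag'."""
        return f"{self.repo}:{self.tag}" if self.tag else self.repo


def parse_ref(ref: str) -> ImageRef:
    """Parse an image reference; a truncated or non-hex digest is rejected."""
    m = _REF_RE.match(ref)
    if not m:
        raise ValueError(f"malformed image reference: {ref!r}")
    return ImageRef(m["repo"], m["tag"], m["digest"])


def is_valid_ref(ref: str) -> bool:
    """True if the reference parses (full 64-hex digest when one is present)."""
    return _REF_RE.match(ref) is not None


def is_pinned(ref: str) -> bool:
    """True only if the reference carries a full sha256 digest."""
    return parse_ref(ref).digest is not None


def find_drift(pinned: dict, resolved: dict) -> list:
    """Compare pinned digests against freshly resolved ones.

    Both dicts map 'repo:tag' to a digest string. Returns a list of
    (tagged ref, pinned digest, current digest) for every tag whose
    content changed while its version string stayed the same.
    """
    drift = []
    for tagged, old in pinned.items():
        new = resolved.get(tagged)
        if new is None:
            raise LookupError(f"no resolved digest for {tagged}")
        if new != old:
            drift.append((tagged, old, new))
    return drift


# Constructed sample: the two digests the issue reports for the same tag.
OLD = "sha256:776c8ad8510a8f883b772667d46bad227f49848347a047f6de0965dd48982cb8"
NEW = "sha256:898edc719ceb92b89dbd9ced9f2c57986731d6aa90346137a05817ea255a506f"
PINNED = {"nginxinc/nginx-unprivileged:1.25.4": OLD}    # what the lockfile says
RESOLVED = {"nginxinc/nginx-unprivileged:1.25.4": NEW}  # what a registry query returns now

if __name__ == "__main__":
    for tagged, old, new in find_drift(PINNED, RESOLVED):
        print(f"DRIFT {tagged}\n  pinned:  {old}\n  current: {new}")
    for ref in ("nginxinc/nginx-unprivileged:1.25.4",
                f"nginxinc/nginx-unprivileged:1.25.4@{NEW}"):
        print(f"{'pinned' if is_pinned(ref) else 'UNPINNED'}: {ref}")
```

Running the drift check on a schedule (or in CI before a deploy) turns a silent rebuild into a reviewable diff: the pin in the lockfile only moves when someone updates it deliberately, which is the behaviour the reporter wanted from the tag itself. The `is_pinned` check is the complementary guard for manifests and Dockerfiles, since a `FROM repo:tag` without `@sha256:...` will follow every rebuild of that tag.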