Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Daily/weekly images for closing CVEs #718

Open
Ninos opened this issue Jan 14, 2025 · 2 comments
Open

Daily/weekly images for closing CVEs #718

Ninos opened this issue Jan 14, 2025 · 2 comments

Comments

@Ninos
Copy link

Ninos commented Jan 14, 2025

Current mongo:latest (1 months old) has some critical CVE's which should be fixed upstream:
https://hub.docker.com/layers/library/mongo/latest/images/sha256-3f04076470ff9110ce77473afe54c549feaca994a29bc5ff01a549bf340acf8c

Re-building mongo:latest every day/week should fix most of CVE's. In gitlab you can define scheduled pipelines, may you can use something like that also in github.

PS: If possible, please update also the go-packages, especially golang.org/x/crypto 0.25.0 (has also a critical cve). Tried to update with poetry & bazel for a MR to main repo, but seems not so easy (some dependency conflict)...
@LaurentGoderre
Copy link
Member

Those are false positive. See https://github.com/tianon/gosu/blob/master/SECURITY.md

@LaurentGoderre LaurentGoderre mentioned this issue Jan 21, 2025
Closed
@yosifkit
Copy link
Member

yosifkit commented Jan 21, 2025
edited
Loading

If there are any other updates from OS packages, they will be address at the next Dockerfile change (like version bump) or base image update.

Edit: for example, the CVE's existing in the base ubuntu:24.04 image would need to be addressed by a new, updated Ubuntu 24.04 image. Just rebuilding from the mongo Dockerfiles would be unlikely to affect any of them. It has been a month since the last Ubuntu image update, so I expect one very soon.

Background:

Tags in the [official-images] library file[s] are only built through an update to that library file or as a result of its base image being updated (ie, an image FROM debian:bullseye would be rebuilt when debian:bullseye is built).

-https://github.com/docker-library/official-images/tree/2f086314307c04e1de77f0a515f20671e60d40bb#library-definition-files

Official Images FAQ:

Though not every CVE is removed from the images, we take CVEs seriously and try to ensure that images contain the most up-to-date packages available within a reasonable time frame

- https://github.com/docker-library/faq/tree/0ad5fd60288109c875a54a37f6581b2deaa836db#why-does-my-security-scanner-show-that-an-image-has-cves

To ensure that we don't push contentless image changes, we rely on periodic base image updates.

We strive to publish updated images at least monthly for Debian. We also rebuild earlier if there is a critical security need. Many Official Images are maintained by the community or their respective upstream projects, like Ubuntu, Alpine, and Oracle Linux, and are subject to their own maintenance schedule.

- from the same FAQ link

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@yosifkit @Ninos @LaurentGoderre