
CVEs in base Postgres image #701

Closed
4everinbeta opened this issue Mar 19, 2020 · 3 comments
Labels
question Usability question, not directly related to an error with the image

Comments

@4everinbeta

I just ran this image through my company's Black Duck container scan and the following CVEs were detected. Let me know what other information is needed to make this an effective issue report.

libidn2
runc
libsecomp
berkeleydb
kerberos
tar
glibc
shadow
gnupg
selinux
procps

@wglambert wglambert added the question Usability question, not directly related to an error with the image label Mar 19, 2020
@wglambert

See https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-so-many-cves
And #286 (comment) docker-library/openjdk#161, docker-library/openjdk#112, #286, docker-library/drupal#84, docker-library/official-images#2740, docker-library/ruby#117, docker-library/ruby#94, docker-library/python#152, docker-library/php#242, docker-library/buildpack-deps#46, docker-library/openjdk#185.

A CVE doesn't imply having an actual vulnerability, and often is even a false positive (given how most distributions handle versioning/security updates in stable releases). If there are actionable items we can resolve, we're happy to do so (and do so actively). We update all Debian based images to include any updates in apt packages at least monthly (we regenerate the base images and then rebuild all dependent images).

@4everinbeta
Author

Thank you @wglambert, that makes sense. Unfortunately my company doesn't allow any containers to be used that have any reported severe or high CVEs. :(

@yosifkit
Member

Here, I linkified the CVEs to Debian's bug tracker (since postgres images are based on Debian). As @wglambert mentioned, all of these are not even applicable vulnerabilities since the package isn't installed or is already fixed, so you may want to report that to your scanner.

libidn2
runc (ummm, runc or lxc are not installed in the postgres image)
libsecomp
berkeleydb: "NOT-FOR-US: Oracle Berkeley DB (later closed source releases)"
kerberos: "NOT-FOR-US: Data pre-dating the Security Tracker"
tar
glibc
shadow
gnupg
selinux
procps
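As an added example (not from this thread or the docker-library maintainers), a small Python triage script that applies both points made above: it checks whether a flagged source package is actually present in a dpkg listing taken from the image (runc is not, as yosifkit notes) and whether an installed version carries a Debian stable-update suffix such as +deb10u1, which signals a backported fix that a version-matching scanner can miss. The dpkg dump, the scanner findings, the CVE placeholders and the source-to-binary package mapping are all constructed assumptions, not data from the thread.

```python
import re
from typing import Dict, List

# Constructed sample of `dpkg-query -W -f '${Package} ${Version}\n'` output
# taken from a Debian-based image; the versions are illustrative only.
INSTALLED_DUMP = """\
libidn2-0 2.0.5-1+deb10u1
tar 1.30+dfsg-6
libc6 2.28-10
passwd 1:4.5-1.1
"""

# Constructed scanner output: source package -> CVE ids (placeholders, not real).
FINDINGS: Dict[str, List[str]] = {
    "libidn2": ["CVE-XXXX-00001"],
    "runc": ["CVE-XXXX-00002"],
    "tar": ["CVE-XXXX-00003"],
    "glibc": ["CVE-XXXX-00004"],
}

# Hypothetical source->binary package mapping; real triage would resolve it
# with `apt-cache showsrc` instead of a hand-written table.
SOURCE_TO_BINARY = {"libidn2": ["libidn2-0"], "glibc": ["libc6"], "shadow": ["passwd"], "tar": ["tar"]}

# Debian stable security/point updates append "+debNuM" to the package
# version (e.g. 2.0.5-1+deb10u1) while the upstream version stays unchanged.
DEB_STABLE_UPDATE = re.compile(r"\+deb\d+u\d+$")


def parse_dpkg(dump: str) -> Dict[str, str]:
    """Turn 'package version' lines into a {binary package: version} map."""
    installed = {}
    for line in dump.splitlines():
        if line.strip():
            name, version = line.split(maxsplit=1)
            installed[name] = version
    return installed


def triage(findings: Dict[str, List[str]], installed: Dict[str, str]) -> Dict[str, dict]:
    """Classify each finding as absent, patched by a stable update, or needing a tracker check."""
    report = {}
    for source, cves in findings.items():
        present = {b: installed[b] for b in SOURCE_TO_BINARY.get(source, [source]) if b in installed}
        if not present:
            status = "not-installed"            # e.g. runc: scanner false positive
        elif any(DEB_STABLE_UPDATE.search(v) for v in present.values()):
            status = "installed-stable-update"  # fix most likely backported
        else:
            status = "installed-check-tracker"  # verify against the Debian security tracker
        report[source] = {"status": status, "versions": present, "cves": cves}
    return report
```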
