"This image has vulnerabilities" on Docker Hub #46
Comments
|
👍 |
|
Is there any update on this? I'm seeing this for all the tags in the nodejs repo. |
|
We have to wait for any fixes to come through the Debian packaging. Sometimes, even though there is a CVE, the Debian security team does not think the vulnerability warrants a backport (like this and this). Even when there are fixes available, unless they are actually exploitable and foundational to many programs (like openssl), we hesitate to force a rebuild of all dependent images. On the other hand we strive to make sure exploitable vulnerabilities are fixed: see docker-library/official-images label:cve-tracker. If we take for example Sometimes there are false positive on the Docker Hub list as well. Like CVE-2016-4614, CVE-2016-4615, CVE-2016-4616, CVE-2016-4619 which apply to iOS, OSX, tvOS, watchOS, and iTunes on Windows, and CVE-2016-5131 which applies when using Google Chrome. We do periodically rebuild the base Debian and Ubuntu image on about a monthly time frame (and rebuild all dependent images), so any available fixes will naturally be installed. We just rebuilt Ubuntu today and plan to rebuild Debian next week. |
|
Thanks for the very thorough explanation, everything you mention makes sense. |
|
See https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-so-many-cves for where this information has been finally combined into a more complete FAQ answer. |
No description provided.
The text was updated successfully, but these errors were encountered: