Images based on Alpine 3.9 don't pass vulnerability scanner #1374
Comments
|
The The .NET Core images get automatically rebuilt whenever a base image is updated. I confirmed the @camp-007, have you verified you don't have an older version of the 3.10 image production is blocked on test sign-off from the product teams. e.g. https://github.com/dotnet/coreclr/issues/26661 |
|
@camp-007 - Can you share the digest of the |
|
Yes, that digest matches the one I'm using However, I believe the problem is that the latest Alpine 3.9 images are still vulnerable. From looking at the Alpine issue, it appears they have only fixed the issue in their Alpine 3.10 image. I realize that this means that Thanks for linking to https://github.com/dotnet/coreclr/issues/26661. It seems that may be the root of the issue. I can post a comment in that issue to hopefully make it clear it is important from vulnerability patching perspective. |
|
FYI - .NET Core Alpine 3.10 images were released today. See the announcement for more details. |
|
Hello, same issue for 3.10 image |
|
@vitaliipanchenko - Have you run the scan on the alpine:3.10.3 tag? That's the base image being referenced in this release. |
|
The VSE-2019-14697 vulnerability still exists in the |
|
According to the alpine repo (alpinelinux/docker-alpine#34), CVE-2019-14697 was addressed/fixed in alpine 3.10. This matches what I'm seeing. Now scanning our images based on From my perspective, this issue is resolved. I very much appreciate the effort on getting the new alpine 3.10 images out. I will give the constructive feedback that in highly regulated enterprise environments, vulnerabilities found in the base images raise a lot of red flags and compliance issues. In this scenario it was frustrating that 1) Alpine 3.9 images weren't patched and/or 2) dotnet core images couldn't have alpine 3.10 variants in a quicker time-frame. |
|
@camp-007 - Thanks for the feedback. We've been working on updates to our process to get new versions published sooner. Docker images are at the top of the product stack so having new images available in response to a version update isn't going to be an immediate thing. But things should go better than with the Alpine 3.10 release; if not, call us out on it. |
|
Closing as 3.10 images are now available. |
Steps to reproduce the issue
mcr.microsoft.com/dotnet/core/runtime-deps:3.0-alpineproduces vulnerability warnings for CVE-2019-14697.Expected behavior
Latest asp.net core docker images should ideally remain patched and not report vulnerabilities if possible. Obviously the .net core images are dependent on their base official images. In this case it seems Alpine has addressed the vulnerability but did so in a minor version instead of a patch to 3.9 (See alpinelinux/docker-alpine#34).
If I understand the .net core tagging scheme, this means that
mcr.microsoft.com/dotnet/core/runtime-deps:3.0-alpinewill not automatically be patched, and that users will need to opt in to use anmcr.microsoft.com/dotnet/core/runtime-deps:3.0-alpine3.10image instead. Is that correct?I see that an alpine 3.10 based version is available in the nightly builds, is there an ETA for this image to be published in the official repo?
From what I can tell, it seems the alpine 3.10 image has been available for a couple of months (even though .net core 3.0 images were just barely released). Since it seems they fix vulnerabilities in minor version updates (instead of patches), what is the expected time-frame in which we can expect official .net core images to adopt new OS minor versions? Those of us in enterprise/corporate environments need to be able to build on .net core and still satisfy compliance policies. Our organization is still early in our adoption of .net core on docker and trying to put together our security policies, so forgive me if I'm misunderstanding the landscape and my expectations are unreasonable.
Thanks for any help or info you can provide!
The text was updated successfully, but these errors were encountered: