Security vulnerabilities

[danieljwilson]

I noticed that there are some high level vulnerabilities on the latest image.

Is this cause for concern? I am about to submit a project proposal to a Research Ethics Board and felt like I should know what these vulnerabilities actually mean in terms of data security. Is it a matter of updating the packages?

[vsoch]

We could definitely do a PR with suggested updates, the builder-base Dockerfile is here https://github.com/expfactory/expfactory/tree/master/expfactory/templates/build/docker/builder-base and then that is bootstrapped by https://github.com/expfactory/expfactory/blob/master/expfactory/templates/build/docker/builder/Dockerfile.

Let me give it a quick shot and push a test image, and then we can see if the analysis improves. If not, I'll share the changes and you can take a shot, and if it does, then I can open a PR and see if anything is broken (and you can further test too). Sound good?

[vsoch]

Also, I'm going to transfer this issue to expfactory/expfactory - this expfactory-docker repository is for the Poldracklab deployed version of expfactory.org.

[danieljwilson]

Great, thanks for the quick response!

[vsoch]

okay, I've pushed a test image, the same repository with tag test-12-9-2020 (at the top) and it looks like the security scan is green! Do you want to take it for a spin to see if it works as you'd expect? If it looks good to you, I'll open a PR with the changes.

[vsoch]

Oops one second, I didn't build the image from the branch that is now for PR. Give me a second to build again!

[vsoch]

okay, all set.

[danieljwilson]

Great, have a meeting and will test afterwards!

[danieljwilson]

Seems like it worked (though keep in mind this is my second day using expfactory)...

[vsoch]

No worries! We have basic tests in the CI (and they have passed) and I'm of the opinion that it's better to release often, and we can address any issues that might arise.

[vsoch]

Issues fixed, closing issue.