Resolve critical and high vulnerabilities in node:lts-bookworm base image

Question

Resolve critical and high vulnerabilities in node:lts-bookworm base image

rn185124 opened this issue 2 months ago · comments

Revathi Nagisetti commented 2 months ago

Description

We would like to use node:lts-bookworm as base image for our container and we noticed vulnerabilities there.

https://hub.docker.com/layers/library/node/lts-bookworm/images/sha256-af8b41b667b09df18a86d09146cca71a61dfae57bb2da3620844e53b5f4c8e2a?context=explore

It would be great if you resolve them.

Reproduce

https://hub.docker.com/layers/library/node/lts-bookworm/images/sha256-af8b41b667b09df18a86d09146cca71a61dfae57bb2da3620844e53b5f4c8e2a?context=explore

Expected behavior

No critical and high vulnerabilities are expected in node:lts-bookworm base image.

Laurent Goderre · Answer 1 · Tue Jun 04 2024 22:58:03 GMT+0800 (China Standard Time)

You could switch to using the bookworm-slim variant which don't have those. You could even use multistage build to use the non slim for building and copying the result into the slim variant.

Sebastiaan van Stijn · Answer 2 · Wed Jun 05 2024 00:40:53 GMT+0800 (China Standard Time)

FWIW; looks like those vulnerabilities are not yet patched by upstream debian, so there's not packages available there yet;

(also see https://github.com/docker-library/faq?tab=readme-ov-file#why-does-my-security-scanner-show-that-an-image-has-cves)

Revathi Nagisetti · Answer 3 · Fri Jun 07 2024 18:54:34 GMT+0800 (China Standard Time)

Hi @LaurentGoderre , We have tried multistage build and used bookworm-slim for final result. However, we have seen vulnerabilities in JFrog XRay platform.

I am attaching those vulnerabilities here and targeting to resolve critical and high vulnerabilities.

Could you please help on this to proceed further?

Docker_launchpad_version-1.21.0-3023-PR.769_rn185124@ncr.com_2024-06-07.zip

Sebastiaan van Stijn · Answer 4 · Fri Jun 07 2024 19:08:59 GMT+0800 (China Standard Time)

The official images use the upstream (debian in this case) packages; if there's vulnerabilities in those packages, those would have to be fixed by the debian maintainers and packagers; once updates are available in the debian package repositories, those will be included in the next build of the official images, but before that, there's not much that the maintainers of the official images can do.

I would recommend checking the status for those CVEs in debian's security tracker; here's the links to the "critical" ones from your report, but the pattern is the same for the other ones;

Note that some of those will have an issue linked in their issue tracker, which may contain more information about the current status (which may in some cases be that the debian maintainers decided to reject the CVE or decided not to patch).

Tianon Gravi · Answer 5 · Sat Jun 08 2024 01:36:38 GMT+0800 (China Standard Time)

See also the "Notes" field at the bottom of each of those links, which contains comments from the Debian Security Team (usually about why it's not fixed / not believed to be an issue worth fixing urgently).

[bookworm] - openexr <no-dsa> (Minor issue)
[bullseye] - openexr <not-affected> (Only affects 3.x)
[buster] - openexr <not-affected> (Only affects 3.x)

("no-dsa" is effectively "wontfix" but leaving the door open for another debian maintainer to fix it if they believe they can do so within the constraints of debian stable)

Again, please read https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves