Security Scan. Critical Issues in used base image #175
Comments
The actual trivy report of the rocket.chat image lists 5 critical and 47 high vulnerabilities. https://trivy.dev/results/?image=rocket.chat:latest Some can be easily fixed. Others may not be exploitable. I would like to suggest that rocket.chat fixes the solvable problems. For vulnerabilities that cannot be exploited, rocket.chat could provide a cve-whitelist.
I would like to suggest that a multistage build (https://docs.docker.com/build/building/multi-stage/) be used instead, or at least that the build dependencies that are not needed (e.g. g++, make) be deleted from the image in a cleanup step. In a further iteration towards a secure image, it could be switched to an alpine-based image. But step by step. Surely the change to the newest base image and the deletion of unneeded build dependencies from the image would be very helpful. Both (multistage builds and deleting unneeded packages) are also recommended in the docker image best practices: https://docs.docker.com/develop/develop-images/dockerfile_best-practices/
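To make the two suggestions above concrete, here is an added illustrative Dockerfile; it is not the Rocket.Chat project's own Dockerfile and nothing in it is taken from the image under discussion. It assumes a Node.js service under `./app` whose `npm ci` compiles native addons (which is why `g++`, `make` and `python3` are needed at build time only); the base image tags are placeholders. The commented-out single-stage variant is the pattern the comment criticises, and the multi-stage variant below it keeps the compilers out of the shipped image and applies Debian's pending package fixes in the runtime stage.

```dockerfile
# Added example, not the Rocket.Chat project's Dockerfile.
# Assumptions: app lives in ./app, entrypoint is server.js, base tags are placeholders.

# --- Single-stage build (the pattern criticised above): g++/make end up in the final image ---
# FROM node:18-bullseye
# RUN apt-get update && apt-get install -y g++ make python3
# WORKDIR /app
# COPY app/ ./
# RUN npm ci --omit=dev
# CMD ["node", "server.js"]

# --- Multi-stage build: compile in a throwaway stage, ship only the built tree ---
FROM node:18-bullseye-slim AS build
# Build tools are installed here only; this stage is discarded from the final image.
RUN apt-get update \
 && apt-get install -y --no-install-recommends g++ make python3 \
 && rm -rf /var/lib/apt/lists/*
WORKDIR /app
COPY app/package.json app/package-lock.json ./
RUN npm ci --omit=dev
COPY app/ ./

FROM node:18-bullseye-slim AS runtime
# Pull in the distribution's current package fixes (e.g. a patched dpkg) so the
# scanner sees the fixed versions rather than whatever the base tag was built with.
RUN apt-get update \
 && apt-get upgrade -y \
 && rm -rf /var/lib/apt/lists/*
WORKDIR /app
# Only the compiled application and its production node_modules cross stage boundaries.
COPY --from=build /app /app
USER node
CMD ["node", "server.js"]
```

Rebuilding the image regularly is what makes the `apt-get upgrade` line useful, since it only picks up the fixes available at build time. For the "cve-whitelist" idea, Trivy already reads a `.trivyignore` file (one CVE id per line) from the scan directory, or the file given with `--ignorefile`; findings the maintainers have assessed as not exploitable can be listed there so that `trivy image --severity CRITICAL,HIGH <image>` reports only the remaining, fixable ones.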
I did some research and saw that there is another repo on docker-hub (https://hub.docker.com/r/rocketchat/rocket.chat). There, other base images are used and there are also newer versions. But there are also some vulnerabilities found (4 critical and 29 high for rocket.chat:5.3.4-alpine, and 9 critical and 49 high for rocket.chat:5.3.4). It is currently not clear to me why this repo here (Docker.Official.Images) is not updated anymore.
We do automated security scans in our k8s cluster and the rocket.chat docker image throws critical security issues, coming from vulnerable packages used in the underlying base Linux image (Debian). This is also the case for the latest builds (6 days ago) of the rocket.chat image 4.8.6.
One example: Debian's dpkg is installed in version 1.20.9, which is vulnerable and fixed in version 1.20.10.