Why are there so many docker images with vulnerabilities?

I spent some time exploring the Docker site on hub.docker.com, and I was terrified by the number of vulnerabilities in the official images that I wanted to use in my project.

As of now (02/27/2012):

So my questions will be as follows:

1) What is the reason for such a huge number of vulnerable images?

2) How do I decide when it is safe to use such a vulnerable image (according to Docker Security Scanning), or is it better to wait for an official fix?

Important update: it seems that you need to log in to Docker Hub to see the "This image has vulnerabilities" messages. Here is a screenshot of the Nginx repo:

[Screenshot: Nginx docker tags page]

+5
1 answer

According to https://docs.docker.com/docker-cloud/builds/image-scan/

Scan compares the SHA of each component with the Common Vulnerabilities and Exposures (CVE®) database

This means that the vulnerabilities may not be in the image itself but in a component (for example, known OpenJDK vulnerabilities). Perhaps the version of the component is outdated and not yet updated, or the vulnerability is known but not yet fixed in the latest version.

It is likely, however, that you will not be using the vulnerable features. Probably the best idea is to check for known vulnerabilities in the components that you use, and make sure that you are not using any features with unmanaged vulnerabilities.

+5
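One way to act on that advice, as an added example that is not part of the question or the answer: the script below triages an image scan report against the list of components the project actually uses. Findings on unused packages are set aside, findings with a published fix become upgrade pins for a rebuild, and findings with no fix yet block the image (wait for upstream, or mitigate). The report format, the placeholder CVE ids, the package names and the used-component list are all constructed for illustration and do not describe any real image.

```python
"""Triage a container image vulnerability report against the components a
project actually uses.

Added example; not code from the question, the answer, or Docker.  The
report layout is constructed (loosely modelled on what CVE-based image
scanners emit) and the CVE ids are placeholders, not real advisories.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Finding:
    cve: str                  # placeholder id (constructed)
    package: str              # OS/library package the scanner matched
    installed: str            # version present in the image
    fixed_in: Optional[str]   # None when upstream has published no fix yet
    severity: str             # "LOW" | "MEDIUM" | "HIGH" | "CRITICAL"


# Constructed sample report: what a scan of one image might list.
SAMPLE_REPORT = [
    Finding("CVE-0000-0001", "openssl", "1.1.1a", "1.1.1b", "HIGH"),
    Finding("CVE-0000-0002", "libxml2", "2.9.4", None, "MEDIUM"),
    Finding("CVE-0000-0003", "imagemagick", "6.9.7", None, "CRITICAL"),
    Finding("CVE-0000-0004", "curl", "7.52.1", "7.52.2", "LOW"),
]

SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}


def classify(finding, used_components):
    """Classify one finding relative to the components the project uses.

    'unused'   - package is not on the used-component list
    'fixable'  - used package with a published fix: rebuild with the upgrade
    'blocking' - used package with no fix available: wait or mitigate
    """
    if finding.package not in used_components:
        return "unused"
    if finding.fixed_in is not None:
        return "fixable"
    return "blocking"


def triage(report, used_components, min_severity="MEDIUM"):
    """Bucket the findings and decide whether the image may be used now.

    Findings below min_severity are still recorded (bucket 'ignored') but
    never affect the decision.  Returns (decision, buckets).
    """
    buckets = {"unused": [], "fixable": [], "blocking": [], "ignored": []}
    threshold = SEVERITY_RANK[min_severity]
    for finding in report:
        if SEVERITY_RANK[finding.severity] < threshold:
            buckets["ignored"].append(finding)
            continue
        buckets[classify(finding, used_components)].append(finding)

    if buckets["blocking"]:
        decision = "wait-or-mitigate"
    elif buckets["fixable"]:
        decision = "rebuild-with-upgrades"
    else:
        decision = "use"
    return decision, buckets


def upgrade_pins(buckets):
    """Version pins for every fixable finding, e.g. 'openssl=1.1.1b'.

    The pin form is the one apt accepts; for another package manager
    adapt the separator.
    """
    return sorted(f"{f.package}={f.fixed_in}" for f in buckets["fixable"])


if __name__ == "__main__":
    # Hypothetical project that links openssl and shells out to curl.
    used = {"openssl", "curl"}
    decision, buckets = triage(SAMPLE_REPORT, used)
    print("decision:", decision)
    for name, findings in buckets.items():
        for f in findings:
            print(f"  {name:9} {f.cve} {f.package} {f.installed} "
                  f"(fix: {f.fixed_in or 'none'}, {f.severity})")
    print("pins:", upgrade_pins(buckets))
```

The policy encodes the answer's two points: a vulnerable component you do not use does not by itself make the image unsafe for you, and a vulnerable component you do use is acceptable only once you rebuild with the fixed version, so an unfixed finding on a used component is the case where waiting (or mitigating) is the right call.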

Source: https://habr.com/ru/post/1264768/