
Security issues in official ruby 2.3.1 image - Quay Scan #248

Closed
sidd-kulk opened this issue Nov 30, 2018 · 4 comments
Labels
question Usability question, not directly related to an error with the image

Comments

sidd-kulk commented Nov 30, 2018

quay issues

sidd-kulk (Author) commented

Even Docker image 2.3.8 has some 30+ High vulnerabilities. What is the usual community practice for this?

@wglambert wglambert added the question Usability question, not directly related to an error with the image label Nov 30, 2018
wglambert commented

See docker-library/postgres#286 (comment), docker-library/openjdk#161, docker-library/openjdk#112, docker-library/postgres#286, docker-library/drupal#84, docker-library/official-images#2740, #117, #94, docker-library/python#152, docker-library/php#242, docker-library/buildpack-deps#46, docker-library/openjdk#185.

A CVE doesn't imply having an actual vulnerability, and often is even a false positive (given how most distributions handle versioning/security updates in stable releases). If there are actionable items we can resolve, we're happy to do so (and do so actively). We update all Debian based images to include any updates in apt packages at least monthly (we regenerate the base images and then rebuild all dependent images).

tianon (Member) commented Dec 5, 2018

I did a quick check on the latest ruby:2.3 image (we only support/rebuild the latest release, same as Ruby upstream), which is currently ruby:2.3.8, and there are a couple that will be fixed the next time we rebuild Debian, but none that jumped out at me as being particularly severe (packages: mariadb-10.1, perl, tiff, openssl).

If I look instead at ruby:2.3-slim, the list is much shorter and only includes a couple from perl and openssl (which again, will also be fixed by the next Debian base image update).

If any of these are truly affecting the use case of software running in Docker, we'll be happy to reevaluate and see about doing a rebuild sooner (although in that case it'll likely affect other images like PHP and Python as well, so we'll likely do a larger rebuild in that instance anyhow).

@tianon tianon closed this as completed Dec 5, 2018
tianon (Member) commented Jan 17, 2019
