Image vulnerabilities #67
Comments
Cheers @damianoneill -- I'm not able to see the actual vulnerabilities. Do you happen to know how to get details on this?
Hi Traun, if you log in to the hub it's available under the Tag tab; you need to log in to see them (they're only available for official images).
I have attached screenshots showing the summary and details for one of the tags.
![couchbase-d](https://user-images.githubusercontent.com/15426674/27096872-628755ea-506a-11e7-82e8-deca15e0e45b.png)
![couchbase-v](https://user-images.githubusercontent.com/15426674/27096882-68094550-506a-11e7-8c46-8c6285d61798.png)
I see it now, thanks.
We do have a ticket, although it hasn't yet seen much action: https://issues.couchbase.com/browse/MB-23754
Cheers @ceejatec -- I'm going to close this one in favor of https://issues.couchbase.com/browse/MB-23754 so we don't have duplicate tickets floating around. @damianoneill Thanks again for reporting -- can you subscribe to updates to https://issues.couchbase.com/browse/MB-23754?
Hi Traun, unfortunately this issue link is not visible to me. It's suggested I need account access and to contact the JIRA Administrator. If I go to the issues page and search, it doesn't find the issue name.
Damian.
Apologies, that ticket is marked Private and I hadn't noticed. You won't be able to see it even if you do get logged in. For what it's worth, the majority of the vulnerabilities shown are from the underlying Ubuntu 14.04 base image, so there is a limited amount we can do about them. Our next major release will be available on Ubuntu 16.04 and we will also update the Docker image to be based on that Ubuntu release, so hopefully that will at least help. Of the reported vulnerabilities in libraries Couchbase itself depends on and provides, most will not be updated in the 4.6 line since they would require significant effort to adopt that is likely unreasonable for a patch release. Several of them are updated in our upcoming major release.
@damianoneill Thanks for the heads up! I'll re-open this so that you and other interested parties can track the status. Hopefully it will get a huge leap in our next major release as @ceejatec mentioned.
Hi Chris, thanks for the detailed response. As you say, moving to 16.04 will improve the vulnerability count, but won't eliminate it. There are a few other options that could be considered.
- Removing from the base software that is not used: the Ubuntu base contains a lot of software, and removing this will reduce the attack footprint.
- Install package updates in your image build process.
- Consider using some of the vulnerability analysis tools in your build process to identify any criticals that really must be addressed; there are now a few open source tools in this space that could be considered, [clair](https://github.com/coreos/clair) and [vuls](https://github.com/future-architect/vuls), for your project.
- Consider using a base that is more security focused, e.g. [alpine](https://hub.docker.com/_/alpine/). I'm sure you've noted the transition of a significant percentage of the official images from just ubuntu to ubuntu and alpine offers. I had noted [MB-20907](https://issues.couchbase.com/browse/MB-20907) but it seems to be on the backlog since Sept 16.
Damian.
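The build-process changes from the list above (a maintained base, updates applied during the build, unused software removed), as an added example that is not the Couchbase project's Dockerfile and not part of this thread. The application install step and the package names (`ca-certificates`, `curl` as needed, `wget` as an assumed-unused package to purge) are assumptions chosen for illustration; substitute the real dependency list of the image being built.

```dockerfile
# Added example, not the Couchbase project's own Dockerfile.
#
# Weak form this example replaces: an end-of-support base with no updates
# applied, so every vulnerability already fixed upstream ships in the image.
#   FROM ubuntu:14.04
#   RUN apt-get install -y <application packages>
#
# Hardened form: a maintained base, security updates applied at build time,
# recommended-but-unneeded packages kept out, unused packages purged.
FROM ubuntu:16.04

# One RUN layer so removed files do not linger in an earlier layer:
#  1. refresh package lists and apply all pending updates (fixes already
#     published by the distribution are then part of the image);
#  2. install only what the application needs; --no-install-recommends
#     stops apt pulling in extra packages that widen the attack surface;
#  3. purge packages the image does not use (wget is an assumed example;
#     --auto-remove also drops dependencies nothing else needs);
#  4. delete the apt lists so stale metadata is not baked into the image.
RUN apt-get update \
 && apt-get upgrade -y \
 && apt-get install -y --no-install-recommends \
        ca-certificates \
        curl \
 && apt-get purge -y --auto-remove wget \
 && rm -rf /var/lib/apt/lists/*

# Application install step goes here (assumed placeholder).
# COPY ./app /opt/app
```

Rebuilding the image regularly is what makes step 1 effective: the updates available at build time are the ones that land in the image, so a scheduled rebuild plus a scan of the resulting image with one of the tools named in the thread (failing the pipeline on criticals) turns the list above into a repeatable process rather than a one-off cleanup. For the alpine option in the last bullet, the same structure applies with `FROM alpine` and `apk add --no-cache` in place of the apt commands.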
Are there any plans to update the images to remove the vulnerabilities identified here?
https://hub.docker.com/r/library/couchbase/tags/