
Show security fixes easily available only if there is a newer Taupage base image that actually fixes them #446

Open
akauppi opened this issue Feb 9, 2017 · 1 comment


@akauppi

akauppi commented Feb 9, 2017

You probably have seen this at senza create:

[screenshot: senza create output, 2017-02-09]

As far as I understand, there are two things getting mixed here. The fact that the image has (low severity) security concerns, and the idea that a fix would be "easily available".

What the error-looking warning currently means (using registry.opensource.zalan.do/stups/openjdk:8-cd28) is that there may be problems and I cannot do anything about it.

Suggestion for improvement:

  • show such a warning (maybe not in red) if there are concerns
  • show a separate line if I'm not applying the latest base image, i.e. I can do something about it

Currently, the red is simply adding to my stress level, without me being able to do anything about it. It's counter-empowering.

In case I can do something to solve this, please educate me.

@lmineiro
Contributor

The title of this issue mentions Taupage and I don't think Taupage is related to the problem. The CVE check is based on the Docker image and Clair is the tool responsible for the evaluation.

I'd also challenge that you wouldn't be able to do something about it. Such base images like registry.opensource.zalan.do/stups/openjdk:8-cd28, often used as base images for our JVM applications, are provided as a convenience. This doesn't mean that you're forced to use them as your base image and it also doesn't mean that you can't contribute to improving the base image for others.

As a reference, you could query which CVEs were found for that particular image:

pierone cves --url registry.opensource.zalan.do stups openjdk 8-cd28

Alternatively, you could brew your own base image or choose another that you believe doesn't have any vulnerabilities. Clair will still evaluate it for you.

I'm inclined to agree that LOW level CVEs should deserve a less noisy warning.
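The separation both comments converge on (a severity-graded notice for CVEs present in the image, and a distinct, actionable line only when a newer base image tag actually fixes something) as an added example; this is not code from senza, Pier One or Clair, and the `Finding` shape, the `triage` function, the tag list and the CVE ids are constructed stand-ins.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Severity names ordered least to most serious (Clair v1 uses names like these).
SEVERITY_ORDER = ["Unknown", "Negligible", "Low", "Medium", "High", "Critical"]


@dataclass
class Finding:
    """One CVE reported for the image (constructed shape, not Clair's schema)."""
    cve: str
    severity: str
    fixed_in: Optional[str] = None  # base image tag that fixes it, if known


def triage(findings: List[Finding], current_tag: str, available_tags: List[str],
           notify_at: str = "Medium") -> Tuple[str, List[str]]:
    """Return (level, messages) with level in {"ok", "info", "warning"}.

    Findings rated at or above notify_at produce a warning; lower ones only
    an info line.  A separate "newer base image" line is emitted only when
    some finding is fixed in a tag that exists and differs from the one in
    use, i.e. only when the user can actually do something about it."""
    threshold = SEVERITY_ORDER.index(notify_at)
    loud = [f for f in findings if SEVERITY_ORDER.index(f.severity) >= threshold]
    quiet = [f for f in findings if SEVERITY_ORDER.index(f.severity) < threshold]
    messages: List[str] = []
    level = "ok"
    if loud:
        level = "warning"
        messages.append(f"{len(loud)} CVE(s) rated {notify_at} or higher: "
                        + ", ".join(f.cve for f in loud))
    if quiet:
        level = "warning" if loud else "info"
        messages.append(f"{len(quiet)} lower-severity CVE(s) present (not shown in red)")
    fixes = sorted({f.fixed_in for f in findings
                    if f.fixed_in and f.fixed_in != current_tag and f.fixed_in in available_tags})
    if fixes:
        messages.append(f"newer base image available with fixes: {', '.join(fixes)} "
                        f"(currently using {current_tag})")
    return level, messages


if __name__ == "__main__":
    # Constructed sample: placeholder CVE ids, tags modelled on openjdk:8-cd28.
    sample = [Finding("CVE-0000-0001", "Low"),
              Finding("CVE-0000-0002", "High", fixed_in="8-cd29")]
    for line in triage(sample, "8-cd28", ["8-cd27", "8-cd28", "8-cd29"])[1]:
        print(line)
```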
