Docker-nginx: Docker Hub's vulnerability checker is out of control - all Nginx images are 馃毃

Created on 11 Apr 2017  路  10Comments  路  Source: nginxinc/docker-nginx

I feel that reporting about each separate false positive is crazy. Is there a way to clean it up efficiently?

Most helpful comment

for nginx:1.15-alpine it has dropped down to only libxml2 2.9.8-r0 and libpng 1.6.34-r1 having reported vulnerabilities.

All 10 comments

Not sure what nginx as an image builder could do about it.

Can the alpine images be rebuilt using alpine:3.6 which now has no vulnerabilities https://hub.docker.com/r/library/alpine/tags/

176

alpine:3.6 is old news... alpine:3.7 is the latest (for now), would be good to rebuild the image off whatever alpine is latest that day

This is a bit of a big deal - nginx's official images are being built off of incredibly out of date images that are full of vulnerabilities.

@mmmeff the packages mentioned (e.g. glibc/libc6) are the current debian9 versions, what makes you think the images are "incredibly out of date" ?

They aren't out of date. These vulns aren't fixed in the upstreams yet.

See https://security-tracker.debian.org/tracker/CVE-2017-16997 for one.

for nginx:1.15-alpine it has dropped down to only libxml2 2.9.8-r0 and libpng 1.6.34-r1 having reported vulnerabilities.

Note: This reports are likely false positives. Some security fixes are backported without changing the version number (e.g. https://git.alpinelinux.org/aports/commit/?id=9ba0323ae03ecb1319c9174e281260c37544fa1d).
However, the version numbers have changed in Alpine 3.9, so #306 should fix this.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

HeyRobb picture HeyRobb  路  5Comments

md5 picture md5  路  5Comments

ralphsmith80 picture ralphsmith80  路  5Comments

colinmollenhour picture colinmollenhour  路  6Comments

gengu picture gengu  路  6Comments