On Mon, Sep 7, 2020 at 2:21 PM Jarek Potiuk <ja...@potiuk.com> wrote:

> I also talked to the Apache Security team today (there was an issue raised
> about the security of the images which I think should be part of the policy
> as well).
>

Thanks Jarek.  What happened is that we got a report to secur...@apache.org
about a docker container that when scanned showed a lot of "unfixed
vulnerabilities". I'm using quotes there because our usual response to
people sending us unfiltered reports from scanning tools is to reject them;
we get them quite often outside of containers and binary distributions, and
they very rarely are useful.  It's also fairly likely that the majority of
the reported issues in the container are completely irrelevant too.  For
example the list contained a CVE for a power9 gcc issue.  These scanners
are basically going to just report on all the things in the underlying base
image that are not updated, and even if you recreated images every day
you'd still have unfixed CVEs on the list.

Containers and other similar non-source distributions don't age well (a
colleague used to say they 'age like milk, not wine'); they'll collect more
and more of these layer vulnerabilities over time, and although most will
be irrelevant, there are going to be times when such a vulnerability does
actually matter, and we need to make sure projects producing them have a
process for tracking that, either by monitoring (lots of effort) or by at
least frequent rebasing to keep them fresh.

That's all assuming projects are making good security decisions to start
with; basing on images that are maintained, in life, and updated, making
sure users know the state/freshness of them, making sure users realise
there will be vulns in the underlying layers and how to escalate reporting
vulns they find that actually are exposed to the project.  That should all
be part of some guidelines on images.

Cheers, Mark
ASF Security Team
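An added example (not code from the thread or from the ASF Security Team) of the triage Mark describes: raw scanner findings are sorted into fixes a rebuild would pick up, upstream-unfixed issues to track, and noise (wrong architecture, or a base-layer package the project never exposes), with a freshness check on the base image. The `Finding`/`Image` shapes, the `exposed_packages` list and the CVE ids are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Finding:
    cve: str
    package: str
    arch: str                     # "any" or a specific architecture
    fixed_version: Optional[str]  # None: no upstream fix yet ("unfixed")


@dataclass
class Image:
    arch: str
    base_built: date              # build date of the base image layer
    exposed_packages: set         # packages the project actually runs/exposes (assumed input)
    findings: list


def triage(image: Image, today: date, max_base_age_days: int = 30) -> dict:
    """Sort raw scanner findings into what a project should act on."""
    result = {"rebuild_fixes": [], "track_unfixed": [], "noise": [], "needs_rebase": False}
    for f in image.findings:
        if f.arch not in ("any", image.arch):
            result["noise"].append((f.cve, "wrong architecture"))      # e.g. a power9-only gcc bug
        elif f.package not in image.exposed_packages:
            result["noise"].append((f.cve, "base layer, not exposed"))
        elif f.fixed_version is None:
            result["track_unfixed"].append(f.cve)                      # nothing to rebase to yet
        else:
            result["rebuild_fixes"].append(f.cve)                      # a rebuild picks this up
    base_age = (today - image.base_built).days
    result["needs_rebase"] = base_age > max_base_age_days or bool(result["rebuild_fixes"])
    return result


# Constructed sample image: one exposed package with a fix, one unfixed,
# one power9-only finding, one base-layer package the project does not use.
SAMPLE = Image(
    arch="x86_64", base_built=date(2020, 7, 1),
    exposed_packages={"openssl", "python3"},
    findings=[
        Finding("CVE-0000-0001", "openssl", "any", "1.1.1g"),
        Finding("CVE-0000-0002", "python3", "any", None),
        Finding("CVE-0000-0003", "gcc", "ppc64le", "10.2"),
        Finding("CVE-0000-0004", "libgcrypt", "any", "1.8.6"),
    ],
)


def triage_sample() -> dict:
    return triage(SAMPLE, date(2020, 9, 7))


if __name__ == "__main__":
    print(triage_sample())
```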
