Debian image known vulnerabilities patches #800
Comments
I participated in the discussion on Slack, so just to reiterate my opinion here. I don't see any solution other than either switching base image again or beginning to provide pre-built images for additional base images (like an -alpine variant). The first option is not really an option imo. The second option depends on the availability of build minutes/image hosting; not sure what's available. It also requires that the maintainers or someone else wants to spend the time maintaining multiple Dockerfiles. Manually installing updated packages is a bad idea imo, as it raises complexity substantially with little to no actual improvement to security.
I'm betting if we moved to Ubuntu instead of Debian the packages would be more up to date, and it would take very minor changes to the existing Dockerfile.
With Ubuntu 22.04 it looks better.
@tobiasge - How much of a hassle would it be to provide pre-built images for both? So in addition to the existing tags, we add an "-ubuntu" (or -jammy) version? While I don't have a use case for the Ubuntu version myself, I could see it being fairly common to rely on automated scans for "deployability".
Perhaps a switch to Ubuntu might be worth it. Just, let's stick to one base image. Everything else creates too much maintenance effort. |
I think a switch to Ubuntu should not be a problem. Maintaining two images is not worth it. |
@abhi1693 can you give a more detailed breakdown of all the security issues? |
@ITJamie We built our own image from scratch but let me see if I still have the older ones available from the official repo |
Closed with #805 |
Desired Behavior
To have as few security issues as possible in the built image.
Contrast to Current Behavior
As of writing this, for NetBox v3.2.6 and Docker v2.0.0, here is a breakdown:
As an organization, we tend to run images that have only low-severity issues or issues that cannot be fixed in any way, and if possible 0 such issues. The latest image built using Debian has a lot of identified issues compared to the previously built Alpine images, which only had a total of 17 cases. We were able to patch the Alpine image to reduce that number to 2 on every release of NetBox. It's possible that they may not be as severe as they look, but it's hard to make the legal team understand such things, as they rely on the data from these automated tools to enforce policies.
For comparison, the Alpine image built up to v3.2.5. Note: all issues in this image are patchable, which takes the count to 0.
Required Changes
I'm not sure at this point, maybe the community can help with this.
Discussion: Benefits and Drawbacks
Lowering the risk of known vulnerabilities also lowers the risk of the system being hacked into or otherwise abused, or of someone gaining access to data that is otherwise not accessible. NetBox contains a lot of confidential information for small and big organizations, and keeping the data secure should be one of the driving forces in deciding how the image should be built.
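The deployability rule described in the issue body (tolerate only low-severity findings or findings with no fix available, patch everything else) as an added worked example; this is not code from the issue or from netbox-docker. It reads a scanner report in the shape of Trivy's JSON output (`Results[].Vulnerabilities[]` with `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`). The report embedded below is constructed for the example, with placeholder IDs and package names; it is not a real scan of any NetBox image.

```python
"""Triage a container image vulnerability report by severity and fixability.

Added example, not part of the netbox-docker project. The report layout
follows the shape of Trivy's JSON output; the report content itself is
constructed for this example and describes no real image.
"""
import json
from collections import Counter

SEVERITY_ORDER = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample report. IDs, package names and versions are placeholders.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "example/app:constructed",
    "Results": [
        {
            "Target": "example/app:constructed (debian 11.3)",
            "Class": "os-pkgs",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "pkg-a",
                 "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "pkg-b",
                 "InstalledVersion": "2.3", "FixedVersion": "", "Severity": "MEDIUM"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "pkg-c",
                 "InstalledVersion": "0.9", "FixedVersion": "1.0", "Severity": "LOW"},
                # No FixedVersion key at all: the distro has not shipped a fix.
                {"VulnerabilityID": "CVE-0000-0004", "PkgName": "pkg-d",
                 "InstalledVersion": "4.1", "Severity": "CRITICAL"},
            ],
        },
        {
            "Target": "/opt/app/requirements.txt",
            "Class": "lang-pkgs",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0005", "PkgName": "lib-e",
                 "InstalledVersion": "3.0", "FixedVersion": "3.1", "Severity": "MEDIUM"},
            ],
        },
    ],
})


def parse_report(text):
    """Flatten a Trivy-style JSON report into one dict per finding."""
    report = json.loads(text)
    findings = []
    for result in report.get("Results", []):
        # A clean target may omit "Vulnerabilities" or carry null, so default to [].
        for vuln in result.get("Vulnerabilities") or []:
            findings.append({
                "id": vuln["VulnerabilityID"],
                "target": result.get("Target", ""),
                "pkg": vuln["PkgName"],
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion", ""),
                "severity": vuln.get("Severity", "UNKNOWN").upper(),
            })
    return findings


def is_fixable(finding):
    """A finding is patchable when the scanner reports a fixed version."""
    return bool(finding["fixed"])


def summarize(findings):
    """Counts the way a policy reviewer reads them: total, fixable, unfixable per severity."""
    return {
        "total": len(findings),
        "fixable": sum(1 for f in findings if is_fixable(f)),
        "unfixable": sum(1 for f in findings if not is_fixable(f)),
        "by_severity": dict(Counter(f["severity"] for f in findings)),
        "unfixable_by_severity": dict(Counter(f["severity"] for f in findings if not is_fixable(f))),
    }


def policy_violations(findings, tolerated_severity="LOW"):
    """Findings that block deployment: fixable AND above the tolerated severity.
    Low-severity and unfixable findings are tolerated, as the issue describes."""
    limit = SEVERITY_ORDER[tolerated_severity]
    return [f for f in findings
            if is_fixable(f) and SEVERITY_ORDER.get(f["severity"], 0) > limit]


def patch_plan(findings):
    """Package -> fixed version for every fixable finding (first version seen per
    package; a real tool would compare versions with the distro's ordering)."""
    plan = {}
    for f in findings:
        if is_fixable(f):
            plan.setdefault(f["pkg"], f["fixed"])
    return plan


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    print(json.dumps(summarize(found), indent=2))
    for v in policy_violations(found):
        print(f"BLOCKING {v['id']} {v['pkg']} {v['installed']} -> {v['fixed']} ({v['severity']})")
    print("upgrade:", patch_plan(found))
```

Run against a real report with `trivy image -f json -o report.json <image>` and feed the file to `parse_report`; the two blocking findings in the constructed sample are exactly the ones a rebuild with updated packages would clear, while the unfixable CRITICAL one is what ends up in the "cannot be fixed in any way" bucket the issue mentions.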