
cves in mongodb image using SBOM/Dependency-Track

Open lnutakki opened this issue 3 years ago • 2 comments

We are seeing the below CVEs with some components of MongoDB that are packaged into the container image. Just want to reach out to the community and see how these CVEs can be remediated. Our scanning tool is a combination of generating an SBOM and then running it via OWASP Dependency-Track.

| Component | Version | Source | CVE |
|---|---|---|---|
| openssl | 1.1.1f-1ubuntu2.16 | NVD | CVE-2021-3711 |
| gopkg.in/yaml.v2 | v2.4.0 | NVD | CVE-2022-28948 |
| golang.org/x/text | v0.3.7 | NVD | CVE-2022-32149 |
| tar | 1.30+dfsg-7ubuntu0.20.04.2 | NVD | CVE-2019-9923 |
| gnupg | 2.2.19-3ubuntu2.2 | NVD | CVE-2022-34903 |
| apt | 2.0.9 | NVD | CVE-2020-3810 |
| procps | 2:3.3.16-1ubuntu2.3 | NVD | CVE-2018-1121 |
| passwd | 1:4.8.1-1ubuntu5.20.04.2 | NVD | CVE-2009-2360 |

lnutakki avatar Dec 04 '22 04:12 lnutakki

A similar issue (https://github.com/docker-library/mongo/issues/523) was opened in February and suggested that the Go-related CVEs (gopkg.in/yaml.v2, golang.org/x/text) are identified due to the Docker images including the tianon/gosu binary (built with Go). That February issue concluded that the Go-related CVEs are likely false positives. There are also issues on the tianon/gosu repo that discuss fixing CVEs impacting gosu and which ones are false positives.

I'm not sure about the rest of the CVEs.

matthewdale avatar Dec 05 '22 18:12 matthewdale

Background:

> Tags in the [official-images] library file[s] are only built through an update to that library file or as a result of its base image being updated (ie, an image FROM debian:buster would be rebuilt when debian:buster is built).

- https://github.com/docker-library/official-images/tree/2f086314307c04e1de77f0a515f20671e60d40bb#library-definition-files

Official Images FAQ:

> Though not every CVE is removed from the images, we take CVEs seriously and try to ensure that images contain the most up-to-date packages available within a reasonable time frame

- https://github.com/docker-library/faq/tree/0ad5fd60288109c875a54a37f6581b2deaa836db#why-does-my-security-scanner-show-that-an-image-has-cves

> Since our build system makes heavy use of Docker build cache, just rebuilding all of the Dockerfiles won't cause any change. So we rely on periodic base image updates.

> We strive to publish updated images at least monthly for Debian. We also rebuild earlier if there is a critical security need. Many Official Images are maintained by the community or their respective upstream projects, like Ubuntu, Alpine, and Oracle Linux, and are subject to their own maintenance schedule.

- from the same FAQ link

For example, there are some package updates available in mongo:6.0. They will get updated the next time there is an Ubuntu base image update. I'd guess the update is due soon, based on the past PRs: https://github.com/docker-library/official-images/pulls?q=is%3Apr+label%3Alibrary%2Fubuntu.

```console
$ docker pull mongo:6.0
6.0: Pulling from library/mongo
Digest: sha256:8bed0be3e86595283d67836e8d4f3f08916184ea6f2aac7440bda496083ab0c8
Status: Image is up to date for mongo:6.0
docker.io/library/mongo:6.0
$ docker run -it --rm mongo:6.0 bash
root@364f681ef27c:/# apt update
Get:1 http://archive.ubuntu.com/ubuntu focal InRelease [265 kB]
Get:2 http://archive.ubuntu.com/ubuntu focal-updates InRelease [114 kB]
Get:3 http://archive.ubuntu.com/ubuntu focal-backports InRelease [108 kB]
Ign:4 http://repo.mongodb.org/apt/ubuntu focal/mongodb-org/6.0 InRelease
Get:5 http://archive.ubuntu.com/ubuntu focal/multiverse amd64 Packages [177 kB]
Get:6 http://security.ubuntu.com/ubuntu focal-security InRelease [114 kB]
Get:7 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages [1275 kB]
Get:8 http://archive.ubuntu.com/ubuntu focal/restricted amd64 Packages [33.4 kB]
Get:9 http://archive.ubuntu.com/ubuntu focal/universe amd64 Packages [11.3 MB]
Get:10 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages [2820 kB]
Get:11 http://archive.ubuntu.com/ubuntu focal-updates/restricted amd64 Packages [1887 kB]
Get:12 http://archive.ubuntu.com/ubuntu focal-updates/universe amd64 Packages [1273 kB]
Get:13 http://archive.ubuntu.com/ubuntu focal-updates/multiverse amd64 Packages [30.4 kB]
Get:14 http://archive.ubuntu.com/ubuntu focal-backports/main amd64 Packages [55.2 kB]
Get:15 http://archive.ubuntu.com/ubuntu focal-backports/universe amd64 Packages [28.6 kB]
Get:16 http://repo.mongodb.org/apt/ubuntu focal/mongodb-org/6.0 Release [4414 B]
Get:17 http://repo.mongodb.org/apt/ubuntu focal/mongodb-org/6.0 Release.gpg [801 B]
Get:18 http://security.ubuntu.com/ubuntu focal-security/restricted amd64 Packages [1772 kB]
Get:19 http://repo.mongodb.org/apt/ubuntu focal/mongodb-org/6.0/multiverse amd64 Packages [9817 B]
Get:20 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages [2350 kB]
Get:21 http://security.ubuntu.com/ubuntu focal-security/universe amd64 Packages [972 kB]
Get:22 http://security.ubuntu.com/ubuntu focal-security/multiverse amd64 Packages [27.7 kB]
Fetched 24.7 MB in 1s (19.3 MB/s)
Reading package lists... Done
Building dependency tree
Reading state information... Done
7 packages can be upgraded. Run 'apt list --upgradable' to see them.
root@364f681ef27c:/# apt list --upgradable
Listing... Done
ca-certificates/focal-updates,focal-security 20211016ubuntu0.20.04.1 all [upgradable from: 20211016~20.04.1]
libsqlite3-0/focal-updates,focal-security 3.31.1-4ubuntu0.5 amd64 [upgradable from: 3.31.1-4ubuntu0.4]
libsystemd0/focal-updates 245.4-4ubuntu3.19 amd64 [upgradable from: 245.4-4ubuntu3.18]
libudev1/focal-updates 245.4-4ubuntu3.19 amd64 [upgradable from: 245.4-4ubuntu3.18]
login/focal-updates,focal-security 1:4.8.1-1ubuntu5.20.04.4 amd64 [upgradable from: 1:4.8.1-1ubuntu5.20.04.2]
mongodb-mongosh/focal 1.6.1 amd64 [upgradable from: 1.6.0]
passwd/focal-updates,focal-security 1:4.8.1-1ubuntu5.20.04.4 amd64 [upgradable from: 1:4.8.1-1ubuntu5.20.04.2]
root@364f681ef27c:/#
```

yosifkit avatar Dec 05 '22 19:12 yosifkit
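The thread splits the scanner's findings into three buckets: Go module CVEs that come from the statically linked `gosu` binary (not fixable with `apt`), OS packages for which the image already has a newer package pending in the next base-image rebuild, and OS packages with no pending upgrade, where the Ubuntu security tracker has to decide whether the distro version string already carries a backported fix. The script below is an added triage helper written for this page, not code from the mongo image maintainers or from Dependency-Track. It parses the finding list from the first post and the `apt list --upgradable` output from the last comment (both copied from the thread, not constructed) and sorts each CVE into one of those buckets; the bucket names and the `Finding` type are this example's own.

```python
import re
from dataclasses import dataclass

# The eight findings from the opening post, flattened by the scraper into
# one line of repeating "component version source cve" groups.
FINDINGS_TEXT = (
    "openssl 1.1.1f-1ubuntu2.16 NVD CVE-2021-3711 "
    "gopkg.in/yaml.v2 v2.4.0 NVD CVE-2022-28948 "
    "golang.org/x/text v0.3.7 NVD CVE-2022-32149 "
    "tar 1.30+dfsg-7ubuntu0.20.04.2 NVD CVE-2019-9923 "
    "gnupg 2.2.19-3ubuntu2.2 NVD CVE-2022-34903 "
    "apt 2.0.9 NVD CVE-2020-3810 "
    "procps 2:3.3.16-1ubuntu2.3 NVD CVE-2018-1121 "
    "passwd 1:4.8.1-1ubuntu5.20.04.2 NVD CVE-2009-2360"
)

# `apt list --upgradable` output from yosifkit's session inside mongo:6.0.
APT_UPGRADABLE_TEXT = """Listing... Done
ca-certificates/focal-updates,focal-security 20211016ubuntu0.20.04.1 all [upgradable from: 20211016~20.04.1]
libsqlite3-0/focal-updates,focal-security 3.31.1-4ubuntu0.5 amd64 [upgradable from: 3.31.1-4ubuntu0.4]
libsystemd0/focal-updates 245.4-4ubuntu3.19 amd64 [upgradable from: 245.4-4ubuntu3.18]
libudev1/focal-updates 245.4-4ubuntu3.19 amd64 [upgradable from: 245.4-4ubuntu3.18]
login/focal-updates,focal-security 1:4.8.1-1ubuntu5.20.04.4 amd64 [upgradable from: 1:4.8.1-1ubuntu5.20.04.2]
mongodb-mongosh/focal 1.6.1 amd64 [upgradable from: 1.6.0]
passwd/focal-updates,focal-security 1:4.8.1-1ubuntu5.20.04.4 amd64 [upgradable from: 1:4.8.1-1ubuntu5.20.04.2]
"""


@dataclass(frozen=True)
class Finding:
    component: str
    version: str
    source: str
    cve: str


def parse_findings(text):
    """Split the flattened finding list into Finding records (groups of four tokens)."""
    tokens = text.split()
    if len(tokens) % 4:
        raise ValueError("expected groups of 4 tokens: component version source cve")
    return [Finding(*tokens[i:i + 4]) for i in range(0, len(tokens), 4)]


# One `apt list --upgradable` line: pkg/suites new-version arch [upgradable from: old-version]
APT_LINE = re.compile(
    r"^(?P<pkg>[^/\s]+)/(?P<suites>\S+)\s+(?P<new>\S+)\s+(?P<arch>\S+)"
    r"\s+\[upgradable from:\s+(?P<old>\S+)\]$"
)


def parse_apt_upgradable(text):
    """Map package name -> (pending version, installed version); non-matching lines are skipped."""
    pending = {}
    for line in text.splitlines():
        m = APT_LINE.match(line.strip())
        if m:
            pending[m["pkg"]] = (m["new"], m["old"])
    return pending


# Go module paths start with a host name (golang.org/x/text, gopkg.in/yaml.v2);
# Debian/Ubuntu package names never contain a slash.
GO_MODULE = re.compile(r"^[a-z0-9.-]+\.[a-z]+/")


def classify(finding, upgradable):
    """Bucket a finding by what can actually remediate it inside the image."""
    if GO_MODULE.match(finding.component):
        # Compiled into a static Go binary (gosu in this image): apt cannot touch it,
        # so the answer comes from the gosu upstream, not from a base-image rebuild.
        return "go-module"
    pending = upgradable.get(finding.component)
    if pending and pending[1] == finding.version:
        # The installed version is exactly what the scanner saw and a newer package
        # is already staged; the next base-image rebuild will pick it up.
        return "apt-upgrade-pending"
    # No newer package staged. The "-Nubuntu" suffix means Ubuntu may already have
    # backported the fix; the distro CVE tracker decides, not the NVD version range.
    return "no-apt-upgrade"


def triage(findings_text, apt_text):
    """Return {cve: bucket} for every finding."""
    upgradable = parse_apt_upgradable(apt_text)
    return {f.cve: classify(f, upgradable) for f in parse_findings(findings_text)}


if __name__ == "__main__":
    for cve, bucket in sorted(triage(FINDINGS_TEXT, APT_UPGRADABLE_TEXT).items()):
        print(f"{cve:<16} {bucket}")
```

On the thread's data only the `passwd` finding lands in `apt-upgrade-pending` (the installed 1:4.8.1-1ubuntu5.20.04.2 has 1:4.8.1-1ubuntu5.20.04.4 staged); the two Go modules land in `go-module`, and the remaining five OS packages land in `no-apt-upgrade`. That last bucket is where NVD-based matching is weakest: the scanner compares an upstream version range against a string like `1.1.1f-1ubuntu2.16`, which says nothing about the security patches Ubuntu carries in that revision, so each of those needs a lookup against the Ubuntu CVE tracker before it is treated as an open vulnerability.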