Common Vulnerabilities and Exposures (CVEs) are publicly disclosed security vulnerabilities, many of which affect common packages and OS base layers used by our Docker images
When a CVE is published for something in one of our images, we need to fix the respective Dockerfile so that it installs a version of the package or base image in which the CVE is fixed (the Fix column in the Anchore output tells you which version that is)
CVEs are constantly discovered, so patching CVEs in our Dockerfiles is something we will do often
Fortunately, the fix is often as simple as re-building from the same Dockerfile, provided the Dockerfile does not pin the vulnerable version and the distro has already shipped the fixed package. If a version is pinned, or the base image tag has not moved, the Dockerfile itself has to change
When the Replicated platform is built, CircleCI scans a list of on-prem images for CVEs. The scanned images and links to the repos that build them are listed at the bottom of this page
We use Anchore Engine to scan images for vulnerabilities. You can interact with Anchore through the Anchore CLI (anchore-cli). The Anchore server address is https://anchore.replicated.systems/v1. Credentials can be found in passpack or Keybase; point the CLI at the server with the --url, --u and --p options or the ANCHORE_CLI_URL, ANCHORE_CLI_USER and ANCHORE_CLI_PASS environment variables rather than typing the password on every call
To check for vulnerabilities in an image Anchore has already analyzed, run the command:
> anchore-cli image vuln <input_image> [VULN_TYPE]
where VULN_TYPE is os (distro packages) or non-os (language packages such as npm, gem and python). If the image is not yet known to Anchore, add it first with anchore-cli image add <input_image> and wait for analysis with anchore-cli image wait <input_image>
For example, we might want to check if os vulnerabilities exist in the Replicated cmd image:
> anchore-cli image vuln registry.replicated.com/library/cmd:1.2.1 os
If vulnerabilities exist, Anchore might return something like this:
Vulnerability ID   Package                          Severity   Fix                  Vulnerability URL
CVE-2017-6512      perl-5.18.2-2ubuntu1.3           Low        5.18.2-2ubuntu1.4    http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-6512
CVE-2017-6512      perl-base-5.18.2-2ubuntu1.3      Low        5.18.2-2ubuntu1.4    http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-6512
CVE-2017-6512      perl-modules-5.18.2-2ubuntu1.3   Low        5.18.2-2ubuntu1.4    http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-6512
Here, we see one CVE (CVE-2017-6512) reported against three binary packages (perl, perl-base and perl-modules) that are all built from the same perl source package in the cmd image. The Fix column shows the package version that closes the CVE, 5.18.2-2ubuntu1.4, so we need to update the Dockerfile that produces the cmd image (in this case so that it installs at least that version, e.g. by upgrading the distro packages or moving to a newer base image) and then rebuild and rescan before tagging
The images are all built from different distros, so the package management commands used to pull in the fixed version vary between Dockerfiles. After updating the Dockerfile and thus patching the image, build it, rescan the result with anchore-cli to confirm the finding is gone, and only then tag the clean image and push it with a new tag to the appropriate registry:
> docker push registry.replicated.com/library/cmd:1.2.2
Finally, the replicated and chatops-deployer projects must be updated to use the newly patched image tags
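Putting the build, scan and push steps above together, as an added example that is not part of the Replicated tooling or this runbook: a shell wrapper that builds a candidate tag, has Anchore analyze it, and only retags and pushes the release tag when no fixable vulnerability at or above a chosen severity remains. It assumes anchore-cli is already pointed at the server (ANCHORE_CLI_URL, ANCHORE_CLI_USER, ANCHORE_CLI_PASS), that anchore-cli prints None in the Fix column when no fixed package exists, and a -candidate tag suffix that is my own convention. The sample scan table is constructed from the cmd output quoted above so the gating logic can be exercised without a registry.

```shell
#!/usr/bin/env bash
# Added example (not Replicated code): gate a docker push on a clean Anchore scan.
# Assumes anchore-cli is configured via ANCHORE_CLI_URL/ANCHORE_CLI_USER/ANCHORE_CLI_PASS.
set -eu

# Read an `anchore-cli image vuln <image> os` table on stdin and print the rows that
# have a fix available at or above the threshold severity. Exit 0 if any were
# printed (the push should be blocked), 1 if the image is clean at that threshold.
# Rows whose Fix column is "None" are reported by Anchore but cannot be patched by
# rebuilding, so they are not counted here.
blocking_vulns() {
  awk -v threshold="$1" '
    function rank(s) {
      return s == "Critical" ? 5 : s == "High" ? 4 : s == "Medium" ? 3 : \
             s == "Low" ? 2 : s == "Negligible" ? 1 : 0
    }
    BEGIN { n = 0; min = rank(threshold) }
    NR > 1 && $4 != "None" && rank($3) >= min { print $1, $2, $3, "->", $4; n++ }
    END { exit n > 0 ? 0 : 1 }'
}

# Number of blocking rows, as a plain integer (wc pads with spaces on some platforms).
count_blocking() {
  blocking_vulns "$1" | wc -l | tr -d ' '
}

# Build, scan and push. Usage: scan_and_push <registry/image:tag> <build context> [threshold]
# Anchore Engine pulls images from the registry, so a candidate tag is pushed for
# analysis and the release tag is only pushed once the candidate scans clean.
scan_and_push() {
  image="$1"; context="$2"; threshold="${3:-Low}"
  candidate="${image}-candidate"            # assumed naming, e.g. cmd:1.2.2-candidate
  docker build -t "$candidate" "$context"
  docker push "$candidate"
  anchore-cli image add "$candidate" >/dev/null
  anchore-cli image wait "$candidate" >/dev/null
  report="$(anchore-cli image vuln "$candidate" os)"   # aborts under set -e if the scan fails
  if printf '%s\n' "$report" | blocking_vulns "$threshold"; then
    echo "refusing to tag $image: fixable vulnerabilities at severity >= $threshold remain" >&2
    return 1
  fi
  docker tag "$candidate" "$image"
  docker push "$image"
}

# Constructed sample: the three rows from the cmd scan quoted in this runbook,
# in the column order anchore-cli prints them.
SAMPLE_SCAN='Vulnerability ID Package Severity Fix Vulnerability URL
CVE-2017-6512 perl-5.18.2-2ubuntu1.3 Low 5.18.2-2ubuntu1.4 http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-6512
CVE-2017-6512 perl-base-5.18.2-2ubuntu1.3 Low 5.18.2-2ubuntu1.4 http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-6512
CVE-2017-6512 perl-modules-5.18.2-2ubuntu1.3 Low 5.18.2-2ubuntu1.4 http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-6512'

# Only run the real build/scan/push when invoked with arguments.
if [ "$#" -ge 2 ]; then
  scan_and_push "$@"
fi
```

Run it as `./scan_and_push.sh registry.replicated.com/library/cmd:1.2.2 ./path/to/cmd/build Medium` to refuse the release tag on any fixable Medium or worse finding; with the default Low threshold the perl rows above would block the push until the Dockerfile pulls in 5.18.2-2ubuntu1.4. Findings with no fix available are deliberately not blocking, since rebuilding cannot remove them and they need a tracked exception instead.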
registry.replicated.com/library/premkit -> https://github.com/premkit/premkit
registry.replicated.com/library/cmd -> https://github.com/replicatedcom/replicated/tree/master/pkg/commands/hack
registry.replicated.com/library/statsd-graphite -> https://github.com/replicatedcom/statsd-graphite
registry.replicated.com/library/support-bundle -> https://github.com/replicatedcom/support-bundle