The package versions of the current image don't match the versions that you've provided:
$ docker pull mcr.microsoft.com/dotnet/sdk:3.1.416-alpine3.14
3.1.416-alpine3.14: Pulling from dotnet/sdk
97518928ae5f: Already exists
69b1f7b9228d: Already exists
629d62ff798c: Already exists
631c792e09e4: Already exists
54241f7dca34: Pull complete
b862c11ad943: Pull complete
edc68381e998: Pull complete
Digest: sha256:9b5d8c6bbeb1bcc7d464497e3f4c620f996d20da4b58f198bb47a2e693424b49
Status: Downloaded newer image for mcr.microsoft.com/dotnet/sdk:3.1.416-alpine3.14
mcr.microsoft.com/dotnet/sdk:3.1.416-alpine3.14
$ docker run --rm mcr.microsoft.com/dotnet/sdk:3.1.416-alpine3.14 apk list libssl1.1
WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.14/main: No such file or directory
WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.14/community: No such file or directory
libssl1.1-1.1.1l-r0 x86_64 {openssl} (OpenSSL) [installed]
$ docker run --rm mcr.microsoft.com/dotnet/sdk:3.1.416-alpine3.14 apk list libcrypto1.1
WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.14/main: No such file or directory
WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.14/community: No such file or directory
libcrypto1.1-1.1.1l-r0 x86_64 {openssl} (OpenSSL) [installed]
$ docker run --rm mcr.microsoft.com/dotnet/sdk:3.1.416-alpine3.14 apk list busybox
WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.14/main: No such file or directory
WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.14/community: No such file or directory
busybox-1.33.1-r6 x86_64 {busybox} (GPL-2.0-only) [installed]
Those versions are all up-to-date.
Your list here shows Alpine 3.13. So it's not matching up with your request about Alpine 3.14. Are you actually meaning to refer to Alpine 3.13? What tag are you using? Note that maintenance of Alpine 3.13 is no longer being done, as announced in Dec 2021.
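One way to automate the comparison done by hand in the reply above, as an added example that is not code from the thread or the dotnet-docker project: it parses `apk list` output and classifies each scanner-reported package version against what the image actually contains. The versions in `SCAN_FINDINGS` are constructed placeholders, and `version_key` is a simplified ordering that assumes versions of the form shown above.

```python
import re

# Constructed sample input: `apk list` output in the format shown in the thread.
APK_LIST_OUTPUT = """\
WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.14/main: No such file or directory
libssl1.1-1.1.1l-r0 x86_64 {openssl} (OpenSSL) [installed]
libcrypto1.1-1.1.1l-r0 x86_64 {openssl} (OpenSSL) [installed]
busybox-1.33.1-r6 x86_64 {busybox} (GPL-2.0-only) [installed]
"""
# Constructed placeholder versions standing in for a scanner report (not the thread's Xray data).
SCAN_FINDINGS = {"libssl1.1": "1.1.1k-r0", "busybox": "1.33.1-r6", "zlib": "1.2.11-r3"}

# <name>-<version>-r<release> <arch> {origin} (license) [installed]
LINE_RE = re.compile(r"^(?P<name>\S+)-(?P<version>\d[^\s-]*-r\d+)\s.*\[installed\]$")

def parse_apk_list(text):
    """Return {package: version} for installed packages; WARNING lines never match."""
    return {m["name"]: m["version"]
            for m in map(LINE_RE.match, text.splitlines()) if m}

def version_key(version):
    """Simplified ordering key: dotted numbers, optional trailing letter, -rN.
    Assumption: no apk suffixes such as _rc1 or _git (raises ValueError on them)."""
    upstream, _, release = version.rpartition("-r")
    parts = []
    for comp in upstream.split("."):
        m = re.fullmatch(r"(\d+)([a-z]?)", comp)
        if not m:
            raise ValueError(f"unsupported version component: {comp!r}")
        parts.append((int(m[1]), m[2]))
    return parts, int(release)

def compare_to_scan(installed, findings):
    """Classify each scanned package against the image: same, image-newer, image-older, absent."""
    result = {}
    for name, scanned in findings.items():
        have = installed.get(name)
        if have is None:
            result[name] = "absent"
        elif version_key(have) == version_key(scanned):
            result[name] = "same"
        else:
            newer = version_key(have) > version_key(scanned)
            result[name] = "image-newer" if newer else "image-older"
    return result

if __name__ == "__main__":
    for pkg, status in compare_to_scan(parse_apk_list(APK_LIST_OUTPUT), SCAN_FINDINGS).items():
        print(f"{pkg}: {status}")
```

An `image-newer` result means the scan report was produced from an older copy of the image than the one inspected, which points at the registry or mirror that was scanned instead of the upstream tag.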
Forgive me as I'm fairly new to image tags and versioning.
The Docker file I'm starting from contains the following reference: Which I believe refers to Docker Hub Which in turn points to image updated last on 02/08/2022: Which does appear to refer to alpine3.14 as you noted. And the last few months of history on the Docker file appear to show -alpine3.14 related updates.
The JFrog XRay scan with the issues listed below of the was provided as of 2/1/2022. So it seems that the local repo may not be pulling the updated 3.14 images from Docker Hub weekly as I was told.
Per the specific vulnerabilities, Busybox appears to still show vulnerabilities in latest stable version 1.33. Seems the libssl vulnerability may be addressed in 1.1.1l which you provided in your information?
Thanks very much for your info. Does it seem correct that the BusyBox vulnerability is not addressed as of the latest stable version 1.33.0?
Question: Are there any plans or schedule to remediate security vulnerabilities related to Alpine image
3.1.22-alpine3.14 and the .Net SDK image that includes it?
Official images for the .NET SDK
.NET SDK by Microsoft | Docker Hub
https://hub.docker.com/_/microsoft-dotnet-sdk/
3 core security vulnerabilities rated as HIGH are detected via JFrog Artifactory Xray scans. These issues appear to be based on Alpine 3.14 base image currently incorporated into the .NET SDK image.
Affected components
Link to current base dependency Docker file. https://github.com/dotnet/dotnet-docker/blob/b20c03e0644b42167d66a85fe6077ec2428a47fa/src/sdk/3.1/alpine3.14/amd64/Dockerfile