Container Scanning is reporting too many issues on Debian based images
On our sast project, container scanning is reporting 613 vulnerabilities. They seem to be false positives, but actually they are real vulnerabilities. Even if the Debian teams are doing their best to secure the distribution, there are still some open issues.
Example: the report says the image is affected by CVE-2017-1000158: https://security-tracker.debian.org/tracker/CVE-2017-1000158 (python2.7). The page reports that 2.7.9-2+deb8u1 is still vulnerable in jessie. This is exactly the version we have in the image.
Many issues are related to the Linux kernel, and since in Docker we're using the kernel of the host, I think we could just ignore them.
As for the other issues, many are simply there, and there's likely not much the user can do to solve them.
I suggest splitting the reported issues into 3 groups:
- The ones that should not be relevant (related to the kernel, for example).
- The ones impacting the image, but that can't be fixed (easily) by the user.
- The "actionable" ones, that can be fixed by an apt update && apt upgrade, or by updating a custom component.
While the first two groups are valuable information for the user, the only important information is the last one.
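As an added illustration of the three-way split proposed above (this is example code, not GitLab's container scanning implementation, and it does not use the real report schema): each finding is reduced to a package name, the installed version and the fixed version the distribution ships, if any. Kernel packages are recognised by a name heuristic that is an assumption of this example, and the only finding taken from this issue is CVE-2017-1000158 on python2.7 2.7.9-2+deb8u1; the other CVE ids and versions are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Group labels, following the three groups proposed in the issue.
NOT_RELEVANT = "not_relevant"   # kernel CVEs: the container runs on the host kernel
NOT_FIXABLE = "not_fixable"     # affects the image, but the distro ships no fixed version
ACTIONABLE = "actionable"       # a fixed version exists: apt update && apt upgrade


@dataclass(frozen=True)
class Finding:
    """Minimal view of one scanner finding (assumed shape, not the real report schema)."""
    cve: str
    package: str
    installed_version: str
    fixed_version: Optional[str]  # None when the distribution has no fix yet


def is_kernel_package(name: str) -> bool:
    # Assumption: Debian kernel binary packages are named "linux" or start with these prefixes.
    return name == "linux" or name.startswith(("linux-image-", "linux-headers-", "linux-libc-dev"))


def classify(f: Finding) -> str:
    """Assign a finding to one of the three groups.

    A scanner only reports a package when the installed version is older than the
    fixed one, so the presence of a fixed version is what makes a finding actionable.
    """
    if is_kernel_package(f.package):
        return NOT_RELEVANT
    if f.fixed_version:
        return ACTIONABLE
    return NOT_FIXABLE


def triage(findings: List[Finding]) -> Dict[str, List[Finding]]:
    """Split a list of findings into the three groups, preserving report order."""
    groups: Dict[str, List[Finding]] = {NOT_RELEVANT: [], NOT_FIXABLE: [], ACTIONABLE: []}
    for f in findings:
        groups[classify(f)].append(f)
    return groups


def counts(findings: List[Finding]) -> Dict[str, int]:
    """Number of findings per group, the figure a report summary would show first."""
    return {group: len(items) for group, items in triage(findings).items()}


def actionable_packages(findings: List[Finding]) -> List[str]:
    """Distinct packages an 'apt update && apt upgrade' would fix, sorted by name."""
    return sorted({f.package for f in findings if classify(f) == ACTIONABLE})


# Constructed sample report. Only the first entry comes from the issue text
# (CVE-2017-1000158 on python2.7 2.7.9-2+deb8u1, no fix in jessie); the rest are
# placeholders with made-up CVE ids and version strings.
SAMPLE_FINDINGS = [
    Finding("CVE-2017-1000158", "python2.7", "2.7.9-2+deb8u1", None),
    Finding("CVE-0000-0001", "linux", "3.16.0-0", None),                     # constructed
    Finding("CVE-0000-0002", "linux-libc-dev", "3.16.0-0", "3.16.0-1"),      # constructed
    Finding("CVE-0000-0003", "openssl", "1.0.1t-1+deb8u6", "1.0.1t-1+deb8u7"),  # constructed
    Finding("CVE-0000-0004", "libxml2", "2.9.1+dfsg1-5", "2.9.1+dfsg1-5+deb8u5"),  # constructed
    Finding("CVE-0000-0005", "libxml2", "2.9.1+dfsg1-5", "2.9.1+dfsg1-5+deb8u5"),  # constructed
]


if __name__ == "__main__":
    for group, items in triage(SAMPLE_FINDINGS).items():
        print(f"{group}: {len(items)}")
        for f in items:
            fix = f"fix in {f.fixed_version}" if f.fixed_version else "no fix available"
            print(f"  {f.cve} {f.package} {f.installed_version} ({fix})")
    pkgs = actionable_packages(SAMPLE_FINDINGS)
    if pkgs:
        print("actionable: apt update && apt upgrade -> upgrades", ", ".join(pkgs))
```

Running the block prints the per-group listing and, for the actionable group, the package names an upgrade would touch; in a real pipeline the not_relevant and not_fixable groups would still be kept, but shown after the actionable one, since that is the group a user can act on.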
refs gitlab-org/gitlab-ee#4310
/cc @bikebilly