Docker image security scan


Docker image security scan

Carlos Sanchez
Hi, 

The last docker image for 1.651.3 is up in the docker hub.

The official images are now security scanned, and you can see the results at https://hub.docker.com/r/library/jenkins/tags/1.651.3/ (need to be logged in)

Some layers come from the parent Debian and Java images, but the last ones are from Jenkins war, showing several CVEs for Spring (critical), Groovy (critical), httpclient, commons-compress, xstream and jbcrypt

--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/caf20fac-70d0-4429-8335-ed3366105982%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: Docker image security scan

Kohsuke Kawaguchi
Administrator
Thanks. Some of the vulnerabilities don't apply to us (for example the Spring vulnerability that only affects JSP), but I don't suppose these scanners would be able to make such a distinction.

I'll file this as a SECURITY ticket so that the team can discuss any legitimate issues that need fixing, as well as whether anything can be done to avoid scaring users about vulnerabilities that do not apply.


On Wed, Jun 15, 2016 at 1:05 AM Carlos Sanchez <[hidden email]> wrote:

Re: Docker image security scan

Kohsuke Kawaguchi
Administrator
BTW I filed this as SECURITY-315

On Mon, Jun 20, 2016 at 3:57 PM Kohsuke Kawaguchi <[hidden email]> wrote:

Re: Docker image security scan

Michael Neale-2
In reply to this post by Kohsuke Kawaguchi
Those scans are useful for spotting parts of the Linux image layers that make up a Docker image that are problematic, and likely easy to remedy by refreshing things.

For spotting stuff inside apps, the signal to noise ratio seems very low. 

On Tuesday, June 21, 2016 at 8:57:41 AM UTC+10, Kohsuke Kawaguchi wrote:
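The two points made in this thread (a scanner cannot tell whether a reported CVE is reachable in the application, and base-OS layer findings are a different kind of work from application-layer findings) are what a triage step in front of the scan report has to encode. The following is an added example, not code from the Jenkins project or from anyone in the thread. It models a per-layer scan report with constructed data: the layer names, component names and the CVE identifiers (`CVE-0000-000N`) are placeholders, and the "not affected" justification for the Spring entry mirrors the JSP-only case mentioned above rather than any real advisory.

```python
"""Triage container image scan findings by layer origin and applicability.

Added example (not from the Jenkins project or the mailing-list thread).
Findings inherited from upstream base-image layers are routed to "rebuild on a
refreshed base"; findings in the application layer are either marked
not-affected with a recorded justification (a VEX-style analyst decision) or
left actionable, and only actionable ones can block a release.
All data below is constructed; the CVE ids are placeholders, not real ones.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Finding:
    cve: str
    component: str
    severity: str
    layer: str  # image layer in which the scanner located the component


# Constructed sample report: two base-image layers plus the app layer.
SAMPLE_FINDINGS: List[Finding] = [
    Finding("CVE-0000-0001", "libc6", "high", "debian-base"),
    Finding("CVE-0000-0002", "openjdk-8-jre", "medium", "java-base"),
    Finding("CVE-0000-0003", "spring-core", "critical", "jenkins-war"),
    Finding("CVE-0000-0004", "groovy", "critical", "jenkins-war"),
    Finding("CVE-0000-0005", "httpclient", "medium", "jenkins-war"),
]

# Layers that come from upstream images (assumed names for this example).
BASE_LAYERS = {"debian-base", "java-base"}

# Analyst decisions: CVE -> written justification for "not affected".
# The justification must be recorded, since the scanner cannot derive it.
NOT_AFFECTED: Dict[str, str] = {
    "CVE-0000-0003": "affects the JSP view layer only; no JSP is shipped",
}

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def classify(findings, base_layers=BASE_LAYERS, not_affected=NOT_AFFECTED):
    """Split findings into base-image, app-actionable and app-not-affected."""
    buckets: Dict[str, List[Finding]] = {
        "base_image": [],
        "app_actionable": [],
        "app_not_affected": [],
    }
    for f in findings:
        if f.layer in base_layers:
            buckets["base_image"].append(f)
        elif f.cve in not_affected:
            buckets["app_not_affected"].append(f)
        else:
            buckets["app_actionable"].append(f)
    return buckets


def summarize(buckets) -> Dict[str, int]:
    """Count of findings per bucket, for a dashboard or CI log line."""
    return {name: len(items) for name, items in buckets.items()}


def recommendations(buckets, fail_at="critical") -> List[str]:
    """Release decision: base-image findings mean 'rebuild'; unresolved
    application findings at or above `fail_at` block the release."""
    actions = []
    if buckets["base_image"]:
        actions.append("rebuild on refreshed base image")
    blocking = [
        f for f in buckets["app_actionable"]
        if SEVERITY_RANK[f.severity] >= SEVERITY_RANK[fail_at]
    ]
    if blocking:
        actions.append("block: " + ", ".join(f.cve for f in blocking))
    return actions


def render(buckets, not_affected=NOT_AFFECTED) -> str:
    """Human-readable report that carries each justification alongside the CVE."""
    lines = []
    for name, items in buckets.items():
        lines.append(f"{name}: {len(items)}")
        for f in items:
            note = f"  ({not_affected[f.cve]})" if f.cve in not_affected else ""
            lines.append(f"  {f.cve} {f.component} [{f.severity}] layer={f.layer}{note}")
    return "\n".join(lines)


if __name__ == "__main__":
    result = classify(SAMPLE_FINDINGS)
    print(render(result))
    print(recommendations(result))
```

The point of keeping `NOT_AFFECTED` as data with a mandatory justification is that the suppression itself becomes reviewable: a scanner rerun on a new tag shows the same critical entry, but the report now says why it was judged not applicable, which is the "avoid scaring users" half of the ticket discussed above. Lowering `fail_at` shows how the same data drives a stricter gate.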