Security problems. Many critical vulnerabilities #3503
Comments
You gotta keep in mind that some of these vulnerabilities are not applicable most of the time e.g. the container has the lib installed but it's not used. glib for instance notes:
Shouldn't these just be uninstalled then so that there aren't false positives?
The container is based upon another project the maintainer has ongoing: https://github.com/NginxProxyManager/docker-nginx-full. Base container appears to be https://github.com/NginxProxyManager/docker-nginx-full/tree/master/docker. There are 76 vulnerabilities in the original. The easiest route to solving some of this is to use a thinner image, as well as assess if the tool chains are required in the final image or only for the initial build, and a separate image should be used for production. For example, a bunch of go-lang tools are being installed in this layer which might not be needed in the prod image. Hmm, during release tagging you could also remove certain layers.
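The build/runtime split suggested in the comment above, as an added example that is not the NginxProxyManager project's own Dockerfile: the Go toolchain exists only in a builder stage, and the production stage receives the compiled binary on a slim nginx base. The helper module path, binary name and config file are placeholders.

```dockerfile
# Added example, not the project's Dockerfile.
# Stage 1: everything needed to compile a Go helper. The compiler, module cache
# and source tree stay in this stage and never reach the shipped image, so the
# CVEs a scanner finds in the toolchain packages are not in production.
FROM golang:1.22-alpine AS builder
WORKDIR /src
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# Static, stripped binary: no libc dependency to carry into the runtime image.
# ./cmd/helper is a placeholder for whatever Go helper the image actually needs.
RUN CGO_ENABLED=0 go build -trimpath -ldflags="-s -w" -o /out/helper ./cmd/helper

# Stage 2: runtime only. A minimal nginx-on-Alpine base keeps the installed
# package set small, which is what a scanner like the one in the issue counts.
FROM nginx:alpine
# Pull in fixed versions of any Alpine packages with published advisories.
RUN apk upgrade --no-cache
# Only the artifact crosses the stage boundary, not the tools that made it.
COPY --from=builder /out/helper /usr/local/bin/helper
# nginx.conf is a placeholder for the project's own configuration.
COPY nginx.conf /etc/nginx/nginx.conf
EXPOSE 80 443
CMD ["nginx", "-g", "daemon off;"]
```

Re-running the scan against an image built this way shows which findings came from the build toolchain layer and which belong to the runtime packages that actually ship.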
It would be great to have a version with alpine as the base image
Agreed, that's basically the go-to image for thin/minimal. There are a few better options nowadays, but for arch portability that's the best answer.
Found this upon further review. Apparently this originated on Alpine at one point. Side note, the image building process isn't as complex as I first thought, which is good.
Some of the history jc21 was mentioning in the discussion I posted a few comments back |
Alpine is used in most of the most popular projects, and suddenly it is "unreliable". Suspiciously |
I'm interested in getting some updated feedback from @jc21 on that comment, I wouldn't mind undertaking the effort of getting this back to a more secure image if I know the decisions/history on that. @jc21 I linked the most relevant threads on this topic, do you remember some of the ideas behind the decision to move away from alpine?
I can't use this image in production when there are so many vulnerabilities.
I agree that this image is unusable everywhere where security is very important. But both points are gonna be solved with v3 mostly. So the future is looking great! Cheers
Is this documented anywhere, or how do you know this information?
Searched here in the issues around and everything jc21 wrote. I initially had the same concerns, so I was interested as well. However, as far as I've seen he isn't happy about the huge image, but doesn't want to use alpine linux either. I don't remember what he wants to use tbh, but he mentioned it somewhere. There is already an image, but not sure if it's working, at least it's half as small as the current v2 images: But it looks to me like v3 will still take a long time. Cheers
Issue is now considered stale. If you want to keep it open, please comment 👍 |
Checklist
jc21/nginx-proxy-manager:latest docker image?
Describe the bug
Hello!
I checked for vulnerabilities through the containercve.com service. I was very surprised to see more than 400, many of them critical (>9.0). Please correct.
Nginx Proxy Manager Version
2.11.1