Docker image security scan


Carlos Sanchez

Jun 15, 2016, 4:04:58 AM
to Jenkins Developers
Hi, 

The last docker image for 1.651.3 is up in the docker hub.

The official images are now security scanned, and you can see the results at https://hub.docker.com/r/library/jenkins/tags/1.651.3/ (need to be logged in)

Some layers come from the parent Debian and Java images, but the last ones are from the Jenkins war, showing several CVEs for Spring (critical), Groovy (critical), httpclient, commons-compress, xstream and jbcrypt.

Kohsuke Kawaguchi

Jun 20, 2016, 6:57:41 PM
to Jenkins Developers
Thanks. Some of the vulnerabilities don't apply to us (for example the Spring vulnerability that only affects JSP), but I don't suppose these scanners would be able to make such a distinction.

I'll file this as a SECURITY ticket so that the team can discuss any legitimate issues that need fixing, as well as whether anything can be done to avoid scaring users about vulnerabilities that do not apply.


Kohsuke Kawaguchi

Jun 20, 2016, 7:04:05 PM
to Jenkins Developers
BTW I filed this as SECURITY-315

Michael Neale

Jun 20, 2016, 9:59:56 PM
to Jenkins Developers
Those scans are useful for spotting parts of the Linux image layers that make up a docker image that are problematic, and likely easy to remedy by refreshing things.

For spotting stuff inside apps, the signal to noise ratio seems very low.
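The triage the thread describes (base-image layer findings are fixed by refreshing the base, application-layer findings need review, and reviewed non-applicable ones such as the JSP-only Spring issue should stop alarming users) can be made mechanical. This is an added example, not code from the thread or the Jenkins project; the scanner output format, the layer names and the CVE identifiers are constructed placeholders.

```python
"""Triage constructed Docker image scan findings by layer origin.

Added example, not part of the thread. The finding format and the
CVE identifiers below are constructed placeholders, not real data.
"""
from collections import defaultdict

# Constructed scan findings: the image layer each was found in, the
# affected component and a placeholder CVE identifier.
SCAN_FINDINGS = [
    {"layer": "debian", "component": "libssl", "cve": "CVE-0000-0001", "severity": "high"},
    {"layer": "openjdk", "component": "openjdk-8", "cve": "CVE-0000-0002", "severity": "medium"},
    {"layer": "jenkins.war", "component": "spring-core", "cve": "CVE-0000-0003", "severity": "critical"},
    {"layer": "jenkins.war", "component": "groovy", "cve": "CVE-0000-0004", "severity": "critical"},
    {"layer": "jenkins.war", "component": "httpclient", "cve": "CVE-0000-0005", "severity": "medium"},
]

# Layers inherited from upstream base images: findings here are normally
# remedied by rebuilding on a refreshed base, not by changing the app.
BASE_LAYERS = {"debian", "openjdk"}

# Reviewed findings that do not apply to this application, each with the
# reason recorded so the suppression is auditable and can be re-checked.
NOT_APPLICABLE = {
    "CVE-0000-0003": "affects JSP rendering only; this application does not use JSP",
}


def triage(findings, base_layers=BASE_LAYERS, not_applicable=NOT_APPLICABLE):
    """Split findings into buckets: not_applicable, base_image, needs_review."""
    buckets = defaultdict(list)
    for f in findings:
        if f["cve"] in not_applicable:
            buckets["not_applicable"].append(dict(f, reason=not_applicable[f["cve"]]))
        elif f["layer"] in base_layers:
            buckets["base_image"].append(f)
        else:
            buckets["needs_review"].append(f)
    return dict(buckets)


def summary(findings, **kw):
    """Per-bucket counts, so a CI gate can act only on the actionable ones."""
    return {name: len(items) for name, items in triage(findings, **kw).items()}


if __name__ == "__main__":
    for bucket, items in triage(SCAN_FINDINGS).items():
        print(bucket)
        for f in items:
            print("  ", f["cve"], f["component"], f.get("reason", ""))
```

A suppression entry without a written reason is the thing to reject in review; the justification is what keeps the list from silently hiding a finding that later becomes applicable.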