
I am fairly new to container image vulnerability scanning. There seem to be a lot of tools (e.g. Snyk, Trivy, Clair) that can identify vulnerable packages in container images. They also do a good job identifying the fix version for the individual package (example: for CVE-2022-32207, upgrade from curl 7.80.0-r1 to 7.80.0-r1).

However, this is not exactly what I'm looking for. Since we're using a base image of Debian or Alpine, what I really want to know is: which version of Debian/Alpine includes the fix version, if any?

Is there an easy way to search base images (Debian/Alpine) to determine which vulnerabilities are present in each version? That way I can instruct my developers: upgrade your base to the latest version and you'll be done.

1 Answer


The best way (if you're a company anyway) is to have an internal registry you manage yourselves and maintain upgrades there.

Docker Hub official images are a reasonable place to start but they may not get upgraded enough for your use case.

Also, if you're using Debian-derived images, watch out for the "ignore unfixed" problem.

Another approach to this problem, to reduce vulns if it suits your development style, is to use "distroless" images, which are much more stripped down and require less patching.

Rory McCune
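As an added example (not code from the question or the answer), the script below answers the question's "which base release carries the fix?" for one CVE by reading a JSON excerpt in the shape of the Debian security tracker export (https://security-tracker.debian.org/tracker/data/json is the real feed). The excerpt, the release order and the version strings are constructed for illustration; open (unfixed) entries are reported rather than dropped, which is the point behind the answer's "ignore unfixed" warning.

```python
import json

# Constructed excerpt, modelled on the JSON export of the Debian security tracker
# (https://security-tracker.debian.org/tracker/data/json). Release names, statuses
# and version strings are made up for this example, not real tracker data.
TRACKER_JSON = """
{
  "curl": {
    "CVE-2022-32207": {
      "releases": {
        "buster":   {"status": "open"},
        "bullseye": {"status": "resolved", "fixed_version": "7.74.0-1.3+deb11u2"},
        "bookworm": {"status": "resolved", "fixed_version": "7.83.1-1"},
        "sid":      {"status": "resolved", "fixed_version": "7.83.1-1"}
      }
    }
  }
}
"""

# Release order, oldest first (an assumption of this example, not tracker data).
RELEASE_ORDER = ["buster", "bullseye", "bookworm", "sid"]

def load_tracker(text: str = TRACKER_JSON) -> dict:
    return json.loads(text)

def fix_by_release(tracker: dict, package: str, cve: str) -> dict:
    """Map each known release to its fixed version, or None while the CVE is open.
    Open entries are kept as None rather than dropped: silently skipping
    "unfixed" findings is the ignore-unfixed trap the answer warns about."""
    releases = tracker.get(package, {}).get(cve, {}).get("releases", {})
    out = {}
    for name in RELEASE_ORDER:
        entry = releases.get(name)
        if entry is not None:  # skip releases the tracker says nothing about
            out[name] = entry.get("fixed_version") if entry.get("status") == "resolved" else None
    return out

def oldest_fixed_release(tracker: dict, package: str, cve: str):
    """Oldest release whose package carries the fix, or None if no release does."""
    return next((n for n, v in fix_by_release(tracker, package, cve).items() if v), None)

def still_vulnerable(tracker: dict, package: str, cve: str) -> list:
    """Releases whose base images still ship the unfixed package."""
    return [n for n, v in fix_by_release(tracker, package, cve).items() if v is None]

if __name__ == "__main__":
    t = load_tracker()
    print("upgrade base image to at least:", oldest_fixed_release(t, "curl", "CVE-2022-32207"))
    print("still vulnerable:", still_vulnerable(t, "curl", "CVE-2022-32207"))
```

The same shape of lookup works for the Alpine secdb feed once its per-branch JSON is mapped into the same release/fixed_version dictionary.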