
[🐛] Snyk reports vulnerabilities for uninstalled packages

Open mkielar opened this issue 2 years ago • 0 comments

Actual behaviour

Consider the following Dockerfile:

FROM openresty/openresty:1.19.9.1-12-jammy-amd64 as base

RUN apt-get update \
    && apt-get install -y --no-install-recommends --only-upgrade \
       dpkg \
       dpkg-dev \
       libldap-2.5-0 \
       libxml2-dev \
       openssl \
    && apt-get autoremove -y \
       cpp \
       libgd-dev \
       libcurl4 \
       perl \
       unzip \
       wget \
    && apt-get -y autoremove \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/*

When I build an image from that, and then run snyk, I get this:

→ docker build -t snyk-bug . && snyk test --docker --severity-threshold=medium snyk-bug
[+] Building 32.8s (6/6) FINISHED
 => [internal] load build definition from Dockerfile                                                                          0.0s
 => => transferring dockerfile: 514B                                                                                          0.0s
 => [internal] load .dockerignore                                                                                             0.0s
 => => transferring context: 2B                                                                                               0.0s
 => [internal] load metadata for docker.io/openresty/openresty:1.19.9.1-12-jammy-amd64                                        0.6s
 => CACHED [1/2] FROM docker.io/openresty/openresty:1.19.9.1-12-jammy-amd64@sha256:0af5c0c7a99780a2f739315d0d83af00fb9ede0a65d333aebb23f1d37b255fa7  0.0s
 => [2/2] RUN apt-get update     && apt-get install -y --no-install-recommends --only-upgrade        dpkg        dpkg-dev        libldap-2.5-0        libxml2-dev        openssl     && apt-get autoremove -y        cpp        libgd-  31.8s
 => exporting to image                                                                                                        0.2s
 => => exporting layers                                                                                                       0.2s
 => => writing image sha256:ab2131e1dfcb2be59105d3ee0033be2a589e16f768862e98981f16d731187d8f                                  0.0s
 => => naming to docker.io/library/snyk-bug                                                                                   0.0s

Testing snyk-bug...

✗ Medium severity vulnerability found in wget
  Description: Open Redirect
  Info: https://snyk.io/vuln/SNYK-UBUNTU2204-WGET-2785488
  Introduced through: [email protected]
  From: [email protected]
  Image layer: Introduced by your base image (openresty/openresty:1.19.9.1-12-jammy)

✗ Medium severity vulnerability found in unzip
  Description: Out-of-bounds Write
  Info: https://snyk.io/vuln/SNYK-UBUNTU2204-UNZIP-2778389
  Introduced through: [email protected]
  From: [email protected]
  Image layer: Introduced by your base image (openresty/openresty:1.19.9.1-12-jammy)

✗ Medium severity vulnerability found in perl/perl-base
  Description: Improper Verification of Cryptographic Signature
  Info: https://snyk.io/vuln/SNYK-UBUNTU2204-PERL-2789081
  Introduced through: meta-common-packages@meta, [email protected], perl/[email protected]
  From: meta-common-packages@meta > perl/[email protected]
  From: [email protected]
  From: perl/[email protected]
  Image layer: Introduced by your base image (openresty/openresty:1.19.9.1-12-jammy)

✗ Medium severity vulnerability found in e2fsprogs/libext2fs2
  Description: Out-of-bounds Read
  Info: https://snyk.io/vuln/SNYK-UBUNTU2204-E2FSPROGS-2801319
  Introduced through: e2fsprogs/[email protected], [email protected], e2fsprogs/[email protected], e2fsprogs/[email protected], meta-common-packages@meta
  From: e2fsprogs/[email protected]
  From: [email protected] > e2fsprogs/[email protected]
  From: e2fsprogs/[email protected]
  and 5 more...
  Image layer: Introduced by your base image (openresty/openresty:1.19.9.1-12-jammy)



Organization:      abacai
Package manager:   deb
Project name:      docker-image|snyk-bug
Docker image:      snyk-bug
Platform:          linux/amd64
Base image:        openresty/openresty:1.19.9.1-12-jammy
Licenses:          enabled

Tested 140 dependencies for known issues, found 4 issues.

Base Image                             Vulnerabilities  Severity
openresty/openresty:1.19.9.1-12-jammy  45               0 critical, 0 high, 16 medium, 29 low

Recommendations for base image upgrade:

Alternative image types
Base Image                                   Vulnerabilities  Severity
openresty/openresty:1.21.4.1-amzn2-amd64     8                0 critical, 0 high, 8 medium, 0 low
openresty/openresty:1.21.4.1-0-jammy         32               0 critical, 0 high, 8 medium, 24 low
openresty/openresty:1.21.4.1-focal-amd64     46               0 critical, 0 high, 12 medium, 34 low
openresty/openresty:1.19.9.1-11-jammy-amd64  44               0 critical, 0 high, 15 medium, 29 low

Expected behaviour

I expected neither the SNYK-UBUNTU2204-WGET-2785488 for wget, nor the SNYK-UBUNTU2204-UNZIP-2778389 for unzip to be reported, as both these packages are uninstalled when building the image, and are effectively missing from the docker container at runtime.

mkielar, Jun 02 '22 09:06
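A practical way to triage a report like the one above is to cross-check the scanner's findings against the package database of the final image rather than trusting the layer attribution. The script below is an added example for this issue, not code from the issue author or from Snyk. It parses the "vulnerability found in" lines of the text output quoted above and compares them with a dpkg status dump; the dump here is constructed to model what `docker run --rm snyk-bug dpkg-query -W -f '${Package}\t${Status}\n'` would print after the Dockerfile's `apt-get autoremove` step, so the script runs offline. One caveat the dump makes visible: `apt-get remove`/`autoremove` without `--purge` leaves the removed package in `/var/lib/dpkg/status` with status `deinstall ok config-files`, so any tool that lists that file without checking the Status field will still see the package name. Whether that is what happens inside Snyk is not established by this issue; the check simply tells you which findings correspond to packages that are no longer installed.

```shell
#!/bin/sh
# Cross-check Snyk findings against the packages actually installed in the final image.
# Added example for this issue; not Snyk's code. Sample data is constructed inline.

# Constructed: the per-finding lines from the `snyk test --docker` text output above.
SNYK_OUTPUT='✗ Medium severity vulnerability found in wget
  Description: Open Redirect
✗ Medium severity vulnerability found in unzip
  Description: Out-of-bounds Write
✗ Medium severity vulnerability found in perl/perl-base
  Description: Improper Verification of Cryptographic Signature
✗ Medium severity vulnerability found in e2fsprogs/libext2fs2
  Description: Out-of-bounds Read'

# Constructed: Package<TAB>Status, modelled on
#   docker run --rm snyk-bug dpkg-query -W -f '${Package}\t${Status}\n'
# wget and unzip were removed without --purge, so dpkg still lists them as
# "deinstall ok config-files" rather than dropping them from the status file.
DPKG_STATUS=$(printf '%s\t%s\n' \
  perl-base  'install ok installed' \
  libext2fs2 'install ok installed' \
  openssl    'install ok installed' \
  wget       'deinstall ok config-files' \
  unzip      'deinstall ok config-files')

# Binary package names Snyk flagged; "source/binary" entries are reduced to the binary name.
reported_packages() {
  printf '%s\n' "$SNYK_OUTPUT" \
    | sed -n 's/.*vulnerability found in //p' \
    | sed 's#.*/##' \
    | sort -u
}

# Packages whose dpkg state is fully installed.
installed_packages() {
  printf '%s\n' "$DPKG_STATUS" \
    | awk -F'\t' '$2 == "install ok installed" { print $1 }' \
    | sort -u
}

# Packages removed but not purged: still named in the status file, no files on disk.
config_files_only() {
  printf '%s\n' "$DPKG_STATUS" \
    | awk -F'\t' '$2 == "deinstall ok config-files" { print $1 }' \
    | sort -u
}

# Findings whose package is not installed in the final image. These are the
# ones to dispute (or to eliminate by purging / switching base image).
phantom_findings() {
  { installed_packages | sed 's/^/I /'; reported_packages | sed 's/^/R /'; } \
    | awk '$1 == "I" { inst[$2] = 1 }
           $1 == "R" && !($2 in inst) { print $2 }'
}

echo "Reported by Snyk but not installed in the final image:"
phantom_findings
echo "Of those, still present in dpkg status as config-files (not purged):"
config_files_only
```

To run it against a real build, replace `SNYK_OUTPUT` with the captured output of `snyk test --docker <image>` and `DPKG_STATUS` with the `dpkg-query` dump from the built image; the same functions then apply unchanged. If the phantom list is non-empty and those packages also show up as `config-files`, rebuilding with `apt-get autoremove --purge` is the quickest way to see whether the findings disappear.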