The ability to find and use a free public Docker base image makes it easy to bootstrap the creation of a new Microservice.
However, “easy” doesn’t equate to “good.” Using a Docker base image is much like including an external library. It’s really important to know what baggage you are dragging into your project, particularly security issues. Who wants their service to be the cause of a security breach? (SANS has a great whitepaper on this topic.)
So, what do you do? Read the code? (See what Jack Diederich has to say about this in the excellent Stop Writing Classes video.) Most don’t have the time or skills. Is the code even available? Not always. Ideally, you get an initial view of the security issues with enough detail to dig further where necessary. Tripwire for DevOps provides that essential insight and vets your Microservice for security issues.
As part of the team building Tripwire for DevOps, I first took a look at popular public base-images, those images typically found in the FROM line of a Dockerfile. I built a large Docker Registry of base-images and used Tripwire for DevOps to evaluate hundreds of versions (tags) to get a picture of how well our system would work on day one. This was not a new idea; in fact, researchers at North Carolina State University did just what I did over a year ago.
The results were interesting, and our system found vulnerabilities in many base-image repositories.
For example, we evaluated a variety of OpenJDK Docker images for Java from the Official Repository for OpenJDK, the Azul OpenJDK repository and Oracle’s OpenJDK repository. The majority of the tags passed our default Quality Gate, where any image with CVSS v2 or v3 vulnerabilities above a medium value is labeled “Failed.”
However, CVE-2018-10897 is found in Oracle OpenJDK as shown above, and it’s best to be aware of the presence of vulnerabilities when making your base image decisions. But the biggest surprise was the number of vulnerabilities found in the Azul Zulu repositories.
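The gate described above (an image is labeled “Failed” if any of its vulnerabilities scores above medium on CVSS v2 or v3) is simple enough to reproduce over any scanner's output. The following is an added example, not Tripwire for DevOps code: it applies that rule to a constructed scan report and tallies a pass rate across tags the way the figures in this post are quoted. It assumes that “above medium” means a base score of 7.0 or higher on either scale (High in v2; High or Critical in v3); the report layout, field names and CVE identifiers are placeholders constructed for the example.

```python
"""Added example (not Tripwire's own code): a minimal vulnerability quality
gate of the kind the post describes, applied to a constructed scan report.

Rule under test: an image fails if any finding has a CVSS v2 or CVSS v3 base
score "above medium". Assumption made here: that means a score of 7.0 or
more on either scale (High in v2; High or Critical in v3). The report
layout, field names and CVE identifiers below are constructed for the
example and are not Tripwire for DevOps output.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple

GATE_THRESHOLD = 7.0  # assumption: lowest base score that counts as "above medium"


def _score(value) -> Optional[float]:
    """Normalise a raw score: None stays None (scale not assessed); out-of-range values are rejected."""
    if value is None:
        return None
    score = float(value)
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {value!r}")
    return score


@dataclass(frozen=True)
class Finding:
    cve: str
    package: str
    cvss_v2: Optional[float] = None
    cvss_v3: Optional[float] = None

    def worst_score(self) -> float:
        """Highest available score across both scales (0.0 if neither was assessed)."""
        return max(s for s in (self.cvss_v2, self.cvss_v3, 0.0) if s is not None)

    def blocks(self, threshold: float = GATE_THRESHOLD) -> bool:
        return self.worst_score() >= threshold


@dataclass
class GateResult:
    image: str
    passed: bool
    blocking: List[Finding] = field(default_factory=list)


def parse_report(report: Dict) -> List[Finding]:
    """Turn one constructed report ({"image": ..., "findings": [...]}) into Findings.
    A finding may carry only one of the two scores; the missing one is ignored
    rather than treated as zero, so a v3-only entry is still gated on v3."""
    return [
        Finding(
            cve=raw["cve"],
            package=raw["package"],
            cvss_v2=_score(raw.get("cvss_v2")),
            cvss_v3=_score(raw.get("cvss_v3")),
        )
        for raw in report.get("findings", [])
    ]


def evaluate_image(report: Dict, threshold: float = GATE_THRESHOLD) -> GateResult:
    """Apply the gate: any finding at or above the threshold fails the image."""
    blocking = [f for f in parse_report(report) if f.blocks(threshold)]
    blocking.sort(key=lambda f: f.worst_score(), reverse=True)  # worst first in the output
    return GateResult(image=report["image"], passed=not blocking, blocking=blocking)


def pass_rate(reports: Iterable[Dict], threshold: float = GATE_THRESHOLD) -> Tuple[int, int]:
    """(passed, total) across many tags: the kind of tally the post quotes per repository."""
    results = [evaluate_image(r, threshold) for r in reports]
    return sum(r.passed for r in results), len(results)


# Constructed sample reports: CVE ids, packages and scores are placeholders, not real advisories.
SAMPLE_REPORTS = [
    {"image": "example/jdk:tag-a", "findings": [
        {"cve": "CVE-0000-0001", "package": "libexample", "cvss_v2": 4.3, "cvss_v3": 5.5},
    ]},
    {"image": "example/jdk:tag-b", "findings": [
        {"cve": "CVE-0000-0002", "package": "pkgtool", "cvss_v2": 6.8, "cvss_v3": 8.1},  # v3 High: blocks
        {"cve": "CVE-0000-0003", "package": "libexample", "cvss_v2": 2.1},               # v2 only, Low
    ]},
    {"image": "example/jdk:tag-c", "findings": [
        {"cve": "CVE-0000-0004", "package": "oldlib", "cvss_v2": 7.2},  # v2-only High still blocks
    ]},
    {"image": "example/jdk:tag-d", "findings": []},
]

if __name__ == "__main__":
    for rep in SAMPLE_REPORTS:
        res = evaluate_image(rep)
        worst = ", ".join(f"{f.cve} ({f.worst_score():.1f})" for f in res.blocking)
        print(f"{res.image}: {'Passed' if res.passed else 'Failed'} {worst}")
    passed, total = pass_rate(SAMPLE_REPORTS)
    print(f"{passed} of {total} tags passed the gate")
```

Two design points carry over to a real pipeline: a finding that was scored on only one scale is gated on that scale rather than silently passing, and the threshold is a single constant, so tightening the gate for production images (for example failing on medium as well) is a one-line policy change rather than a rewrite.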
If you are using the (deprecated) Official OpenSUSE image, based on my findings definitely make the effort to move to OpenSUSE Tumbleweed or OpenSUSE Leap.
And take Jenkins. While not a base-image per se, only 26 out of 99 versions of jenkins/jenkins passed the default gate.
Tip: If you are using Jenkins in your build pipeline, upgrade to a new version to remove the risk posed by vulnerabilities.
In general, the most egregious failures were images based on older OS versions. This comes as no surprise, as many vulnerabilities are found every day.
As a DevOps system owner, stakeholder, team leader, or Microservice author, I would want to know about any serious vulnerabilities found in the Docker base images I used in my production containers or used to build production containers. Whether it’s DevSecOps or SecDevOps, it’s just a good idea to increase the security of your CI/CD pipeline.
Give Tripwire for DevOps a try – there is a free trial signup. What do you have to lose?