
r-base critical vulnerabilities when scanned on AWS ECR #379

Closed
Chewbee opened this issue Mar 2, 2020 · 9 comments

Comments

@Chewbee

Chewbee commented Mar 2, 2020

Hello,
I built a minimal r-base image:

FROM r-base
COPY . /usr/local/src/myscripts
WORKDIR /usr/local/src/myscripts
CMD ["Rscript", "myscript.R"]

I only did

docker build -t newscore .
docker tag newscore:latest xxx.dkr.ecr.eu-west-1.amazonaws.com/newscore:latest
docker push xxx.dkr.ecr.eu-west-1.amazonaws.com/newscore:latest

and uploaded it to AWS ECR in order to scan it for vulnerabilities.
Got 3 Critical (CVE-2019-19813, CVE-2019-19814, CVE-2019-19816)
and 1 High (CVE-2019-19816)

I wonder

  • What are the actual risks?
  • How to move forward with my security officer ;) ?

Any clues welcomed

@eddelbuettel
Member

We don't issue the CVE tickets, so you will need to check the documentation under those issues.

I think we should close this here. Not a Rocker issue, maybe a general Docker issue.

@cboettig
Member

cboettig commented Mar 2, 2020

Just curious, did you try also testing the base image (e.g. debian:testing)?

@Chewbee
Author

Chewbee commented Mar 2, 2020

Hello, I did not ...
I will do it, it is an excellent idea.
Thanks for sharing.

@eddelbuettel
Member

And while you are at it: also do debian:unstable, which is where fixes land when the need for them (e.g. CVEs or bug reports) is discovered, whereas testing has a bit of a stability and transition mandate which may delay this at times.

@Chewbee
Author

Chewbee commented Mar 2, 2020

I tried debian:latest. It is better: 3 Medium + 41 others (https://hub.docker.com/_/debian), the Official one.
So I guess it is a better way to start, OR r-base should be rebuilt on top of it.
BTW I found no "Docker certified" images for any Linux.

Trying amazonlinux, I just have 1 High but the fix is provided ==> ZERO nada vulnerabilities.
But is this suitable for R?

@eddelbuettel
Member

There are multiple considerations to balance when building a derived Docker container. We do what we consider most suitable; on balance I do not think we found a shortcoming here.

If you prefer to build an R container on top of the (rpm-based) amazonlinux you should probably go ahead and do it. We, sadly, do not have the bandwidth for another variant. Thanks for your understanding.

@cboettig
Member

cboettig commented Mar 2, 2020

@Chewbee thanks for sharing. debian:latest would be the current stable release, and the rocker/r-ver stack is already built on that. (see https://github.com/rocker-org/rocker-versioned). Like Dirk says, debian:testing & debian:unstable are ahead of the stable release. But yeah, I think these are upstream issues to us. Best of luck, and appreciate your message!

@eddelbuettel
Member

Thanks to @cboettig for reminding us that debian:latest is of course meant to be older/stabler/... It has support from the Debian security team to get .deb packages updated following CVEs, but I am not sure if/when/how these make it into updated images. Anyway, thanks again for being alert on this, but as we stated, not really an issue for us here at Rocker....

@Chewbee
Author

Chewbee commented Mar 2, 2020

> @Chewbee thanks for sharing. debian:latest would be the current stable release, and the rocker/r-ver stack is already built on that. (see https://github.com/rocker-org/rocker-versioned). Like Dirk says, debian:testing & debian:unstable are ahead of the stable release. But yeah, I think these are upstream issues to us. Best of luck, and appreciate your message!

Hello,
I did test the debian:testing image. The situation is a bit different: 3 Low + 26 others, so better than the stable one on this matter, but not totally "clean".
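The thread's method of scanning the base image alongside the derived one can be automated: the added Python example below (not code from the Rocker project or any participant) diffs two `aws ecr describe-image-scan-findings` results to separate findings inherited from the base image, which must be fixed upstream, from findings introduced by the derived Dockerfile's own layers. The scan payloads are constructed stand-ins; the package names and the CVE-EXAMPLE-* ids are placeholders.

```python
import json
from collections import Counter

# ECR severity labels, ranked so duplicate reports of one CVE keep the worst.
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1,
                 "INFORMATIONAL": 0, "UNDEFINED": 0}

def _finding(cve, severity, package):
    # Shape of one imageScanFindings.findings entry (only the keys used here).
    return {"name": cve, "severity": severity,
            "attributes": [{"key": "package_name", "value": package}]}

# Constructed stand-ins for two describe-image-scan-findings results:
# the derived r-base image and its debian base. Package names are placeholders.
R_BASE_SCAN = json.dumps({"imageScanFindings": {"findings": [
    _finding("CVE-2019-19813", "CRITICAL", "linux"),
    _finding("CVE-2019-19814", "CRITICAL", "linux"),
    _finding("CVE-2019-19816", "CRITICAL", "linux"),
    _finding("CVE-2019-19816", "HIGH", "linux"),       # same CVE listed twice
    _finding("CVE-EXAMPLE-0001", "MEDIUM", "libfoo"),  # placeholder: derived layer only
]}})
DEBIAN_SCAN = json.dumps({"imageScanFindings": {"findings": [
    _finding("CVE-2019-19813", "CRITICAL", "linux"),
    _finding("CVE-2019-19814", "CRITICAL", "linux"),
    _finding("CVE-2019-19816", "HIGH", "linux"),
    _finding("CVE-EXAMPLE-0002", "LOW", "libbar"),     # placeholder: base only
]}})

def _attr(finding, key):
    values = [a["value"] for a in finding.get("attributes", []) if a["key"] == key]
    return values[0] if values else None

def load_findings(scan_json):
    """Map (cve, package) -> worst severity reported for it in one scan."""
    worst = {}
    for f in json.loads(scan_json)["imageScanFindings"]["findings"]:
        key = (f["name"], _attr(f, "package_name"))
        if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK.get(worst.get(key), -1):
            worst[key] = f["severity"]
    return worst

def attribute_findings(derived_json, base_json):
    """Split the derived image's findings by where they come from."""
    derived, base = load_findings(derived_json), load_findings(base_json)
    return {
        "inherited": {k: v for k, v in derived.items() if k in base},       # upstream
        "introduced": {k: v for k, v in derived.items() if k not in base},  # Dockerfile
        "fixed_in_derived": {k: v for k, v in base.items() if k not in derived},
    }

def severity_counts(findings):
    return dict(Counter(findings.values()))
```

Run `attribute_findings(R_BASE_SCAN, DEBIAN_SCAN)` and feed each bucket to `severity_counts` to get the per-origin tally to hand to a security officer; swap the constructed strings for the real CLI output to use it on your own repositories.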
