Scan reports many vulnerabilities in official images on docker hub

Hello docker community,

I was a bit surprised by the large number of vulnerabilities in official images on docker hub reported by docker scan. Taking Python as an example: creating a new docker image with just the line “FROM python” throws up many vulnerabilities, several of which are classified as critical (see image below). Some of these are actually quite old and there are fixes available.

Also, several vulnerabilities are reported for the latest Ubuntu image. None critical, but several of medium severity. Again, some of these are quite old and fixes are available.

Is this normal? Is the scanner too sensitive and these are actually not critical? I am a bit unsure how to interpret the results as they are the official images.

Can you show a specific issue that was fixed? I checked the vulnerability list and couldn’t see any issues which were marked as “fixed”.

Just listing a few, for example:

I meant that I could check if you could share one specific issue in the vulnerability list of Docker Desktop (it seems you shared the screenshot of that) with a CVE ID and share the URL of that specific fix. Otherwise I have to hunt for the issue in the vulnerability list in Docker Desktop and I don’t have time to do that 🙂

The first link you shared doesn’t have anything in the “Fixed by” column. Where I found something in that column, it was there only for some of the images. It is possible that some bugs are not fixed in older versions.

oops, you are right. The first one is really old, but there is still no fix.

There are a few, though, for which fixes exist. E.g.

I will go through the list in more detail.

For Debian 12 (which has no stable release yet), but not for Debian 11, and the default and latest Python image is based on Debian 11. I only guess that you meant the Python image as you also mentioned Ubuntu. Maybe I was not clear, but my goal was to ask you to share exactly where you saw the issue (in which image), maybe even share the screenshot where you unfolded the CVE link, so I can see the CVE and which image you are talking about and then I can check the URL you share where you see the fix.

So far I haven’t seen any fixed issue detected by the vulnerability scan.

We could ask now why the above issue was not fixed in Debian 11 for example, but I don’t know the answer.
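The two threads above (the original question of how to interpret the scan results, and the later point that what matters is whether the “Fixed by” column is populated) come down to splitting a report into findings that a rebuild with updated packages can resolve and findings with no distro fix yet. The script below is an added example, not code from the thread or from Docker; the report is constructed, and its field names (`severity`, `identifiers.CVE`, `packageName`, `version`, `fixedIn`) follow the Snyk-style JSON that `docker scan --json` emits but should be treated as an assumption and checked against your own scanner’s output.

```python
"""Triage a container image vulnerability report by fix availability."""
import json
from collections import Counter

# Constructed sample report (placeholder CVE ids): three findings on a base image.
SAMPLE_REPORT = json.dumps({
    "vulnerabilities": [
        {"identifiers": {"CVE": ["CVE-0000-0001"]}, "severity": "critical",
         "packageName": "libexample", "version": "1.0-1", "fixedIn": []},
        {"identifiers": {"CVE": ["CVE-0000-0002"]}, "severity": "high",
         "packageName": "libother", "version": "2.3-1", "fixedIn": ["2.3-2"]},
        {"identifiers": {"CVE": ["CVE-0000-0003"]}, "severity": "medium",
         "packageName": "libthird", "version": "0.9", "fixedIn": []},
    ]
})


def triage(report_json):
    """Split findings into (fixable, unfixable).

    Each entry is (cve, severity, package, installed_version, fixed_version);
    fixed_version is None when the scanner lists no fixed package version.
    Field names are an assumed Snyk-style schema, see the lead-in.
    """
    vulns = json.loads(report_json).get("vulnerabilities", [])
    fixable, unfixable = [], []
    for v in vulns:
        cves = v.get("identifiers", {}).get("CVE") or ["(no CVE)"]
        fixes = v.get("fixedIn") or []
        entry = (cves[0], v.get("severity", "unknown"), v.get("packageName"),
                 v.get("version"), fixes[0] if fixes else None)
        (fixable if fixes else unfixable).append(entry)
    return fixable, unfixable


def severity_counts(entries):
    """Count entries per severity, e.g. to see how many unfixed ones are critical."""
    return Counter(e[1] for e in entries)


if __name__ == "__main__":
    fixable, unfixable = triage(SAMPLE_REPORT)
    print("Actionable (a newer package version fixes it; rebuild/upgrade resolves it):")
    for cve, sev, pkg, ver, fix in fixable:
        print(f"  {cve} [{sev}] {pkg} {ver} -> {fix}")
    print("No fix in the distro yet (rebuilding the image will not clear these):")
    for cve, sev, pkg, ver, _ in unfixable:
        print(f"  {cve} [{sev}] {pkg} {ver}")
    print("Unfixed by severity:", dict(severity_counts(unfixable)))
```

Findings in the second bucket are the ones to track upstream rather than to expect an image rebuild to remove.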

Hi! Thanks for the feedback! Our team has taken some steps to address what you’ve seen previously. Please check out the results for that image now. I think you’ll find they are more in line with what you expect.

If you see anything else that you don’t quite expect or have any additional feedback on the experience, we’d love to hear it! Please continue to share it with us as we want to make this the best possible experience for devs.
