For compliance reasons, I need to get a copy of the octopusdeploy server into a private AWS ECR repository as I am unable to access hub.docker.com from our PCI environment. As part of that trivial build and push, I am able to scan for vulnerabilities and this is reporting 1 critical and several high vulnerabilities:
Thank you for contacting Octopus Support and great question on CVE’s. We have an advisory page here which details the CVE’s that apply to Octopus and our recommendations to fix the issues we have found.
I cannot see any of the CVE’s you have posted up on there so I am going to get this ticket in front of our security team who will be able to review the CVE’s you have posted up and make sure they do not apply to us, if they do they can get an advisory out but we do monitor CVEs that come in and respond to them on our advisory page if they do apply to Octopus.
I will keep you updated on their findings, reach out in the meantime if you have any further questions.
(TBH, the tag ordering on that page is a bit of disaster…)
I’ve rebuilt and pushed based of 2022.3.10873 which I think is the latest 2022.3 image (I can’t see a 2022.4). However that image appears to have 3 critical and 8 high CVEs based on the AWS ECR basic scanning.
Going with your suggeston, I have rebuilt and pushed to ECR with 2022.2.8585 - however scans of that image have 1 critical and 7 high:
Great news you are past 2022.1, you should be able to use the :latest tag which should get you the latest version we have on there (which will be 2022.3.10863) you can see a list of each version we have here. You can also see the latest tag information in docker here.
At the moment 2022.4 is only available for our Cloud offering so you will not be able to grab that from docker.
You will be well aware of our documentation surrounding hosting Octopus in docker but for others benefit I have linked it here.
The document you will be interested in is for Docker Compose here. In there you will see it mentions to use OCTOPUS_SERVER_TAG=latest which should pull the latest version from docker if you want to always have the most up to date version, it is also fine to specify a version too if you wanted to like you have above.
As for the CVEs they look to be the same as you posted in your initial response, I have sent that list to our Security team who will review each one and see if they apply to Octopus or not.
I will keep you posted once they have had chance to review and reply.
I hope my above suggestions helped,
A quick update for you on the CVE query you have, our lead engineer has done some work on this and found that our docker images for Server are based on the image here http://mcr.microsoft.com/dotnet/runtime-deps:5.0. This has not been updated since netcore 5 was EOL’ed in June this year, resulting in our base image shipping with linux packages which are flagging on security scans.
We have sent this to our engineering team who will look at updating our dockerfiles for Server to have the 6.0 tag instead of the 5.0 one.
It looks like our Octopus Cloud instances and Octopus Tentacle docker images already use the 6.0 tag so they are not affected.
I wanted to thank you for bringing this to our attention, as soon as our engineers update the .net base image we work from I will let you know and you can re-run your docker file and pickup that latest image.
Once again, I’m stunned by the professional support that Octopus provide for your customers. It’s a pleasure to deal with your organization.
Thanks for the update. I’d logged a similar issue regarding the tentacle image a month or so back and your team was very quick to fix it. Although vulnerability scanning is an on going process and images that are clean one day can become tainted overnight.
I wonder if you can leave this ticket open until the updated image is published so that I know when to refresh?
Thank you so much for your kind words, I will pass those onto our lead Support engineer as he is the one that did all the work for this so I will let him take the credit and praise for this one!
As for keeping the ticket open, of course I will do that, I would not have closed the ticket until it was solved anyway but forum posts do auto close after (I think) 28 days of inactivity and I doubt it will take the engineers that long to get the image updated, looks like its just changing a tag (they will test the change of course).
I will let you know as soon as the image has been updated, I wouldn’t want to have you guessing once its updated and having to run constant scans on every new docker image you pull to see if we have/have not updated it yet!
I am not sure if this will get done before the end of the Christmas break if there are extensive tests to run but I will be notified in our Slack channel once the engineers have updated the image so I will make sure to let you know.
Have a wonderful Christmas break if I don’t get back to you before then,
Thanks for the check in on this, I just had a look at the engineers shortcut story for this issue and they have a private github issue in for this with a pull request to get the latest Microsoft base image but that request is currently blocked as it needs one more engineer as a reviewer to approve it.
I have gone ahead and requested an update on the approval of that so hopefully once the reviewer has a chance to take a look and approve it that should go live.
I will keep you up to date but it looks like we are almost there.