Sysdig image scan report has lots critical Vulnerabilities

[niteshk9894]

Hi ALL,

I ran Sysdig image scan on code-server:latest docker image and it reported lot of critical Vulnerabilities on OS and non OS based.
Non OS based was mostly from npm modules.
I have attached a latest scan result from sysdig.
Wanted to know is there any plan to fix these Vulnerabilities.

docker_io_codercom_code-server_latest.pdf

[jsjoeio]

@niteshk9894 Thanks for mentioning. Can you provide steps to reproduce this list locally? I'm not too familiar with Sysdig.

We have some security checks already in place in CI which should catch most things.

[niteshk9894]

Hi @jsjoeio ,
I had sysdig account created and ran an image scan on codercom/code-server dockerhub.

I even ran trivy scan on codercom/code-server:latest it shows
Total: 322 (UNKNOWN: 5, LOW: 140, MEDIUM: 41, HIGH: 109, CRITICAL: 27)

[niteshk9894]

@jsjoeio you can create a sysdig trail account and scan image there.

[jsjoeio]

Thanks for the details! My teammate (@jawnsy) just re-published the images to Docker. That may resolve these issues.

I've also opened an issue to add trivvy back into our CI flow so it catches these like it used to. Thanks again for bringing this up!

[niteshk9894]

Thanks @jsjoeio for raising an issue it would be really helpful if these vulnerabilities can be resolved.

[jawnsy]

The remaining vulnerabilities will be fixed once they are resolved in Debian and we re-build our image. If you run trivy image --severity=HIGH,CRITICAL --ignore-unfixed codercom/code-server:latest, then the list should now be blank:

$ trivy image --severity=HIGH,CRITICAL --ignore-unfixed codercom/code-server:latest
2022-02-24T16:02:01.402Z        INFO    Detected OS: debian
2022-02-24T16:02:01.402Z        INFO    Detecting Debian vulnerabilities...
2022-02-24T16:02:01.424Z        INFO    Number of language-specific files: 3
2022-02-24T16:02:01.424Z        INFO    Detecting gobinary vulnerabilities...

codercom/code-server:latest (debian 11.2)
=========================================
Total: 0 (HIGH: 0, CRITICAL: 0)


usr/lib/code-server/lib/coder-cloud-agent (gobinary)
====================================================
Total: 0 (HIGH: 0, CRITICAL: 0)


usr/local/bin/fixuid (gobinary)
===============================
Total: 0 (HIGH: 0, CRITICAL: 0)