ubuntu-docker-images team mailing list archive
Message #00745
Re: CVEs potentially affecting upstream based ROCKs
On Tue, 2023-12-05 at 11:23:02 -0300, Emilia Torino wrote:
> Hi Athos,
>
>
> On Tue, Dec 5, 2023 at 8:56 AM Athos Ribeiro <athos.ribeiro@xxxxxxxxxxxxx>
> wrote:
>
>> On Tue, Dec 05, 2023 at 05:06:24AM +0000,
>> security-team-toolbox-bot@xxxxxxxxxxxxx wrote:
>> >New CVEs affecting packages used to build upstream based rocks have been
>> >created in the Ubuntu CVE tracker:
>> >
>> >* https://github.com/hashicorp/consul: CVE-2023-5332
>> >
>> >Please review your rock to understand if it is affected by these CVEs.
>> >
>> >Thank you for your rock and for attending to this matter.
>> >
>> >References:
>> >https://git.launchpad.net/ubuntu-cve-tracker/tree/active/CVE-2023-5332
>>
>> Hi Emilia,
>>
>> I suppose these warnings used to have the potentially affected image
>> names in the title IIRC. Is this right?
>
>
> Yes, you are correct. But at some point we changed it since the list of
> upstream based rocks was growing (and remember we are not really inspecting
> them as we do for deb based ones).
>
>
>> If so, could we have that
>> feature back? If not, would it be possible to add that?
>>
>
> Honestly it won't be that easy/quick. This whole service should be improved
> when the fetch service is ready. So we can either wait for it or plan to
> improve what we have today sooner... @Alex Murray
> <alex.murray@xxxxxxxxxxxxx> thoughts?
As Emi said, since we are not really inspecting the images themselves,
providing the image name would likely be misleading and from what I
understand could potentially lead to an assumption that a given ROCK was
not affected when it in fact may be. As such, whilst it is more work on
your side to manually review these and match them up against the images
which you publish, it should avoid missing any potential CVEs. So I
would prefer to keep things as they are until we have a more reliable
source of data to work from via the fetch service.
>
>
>>
>> --
>> Athos Ribeiro
>>