I am assuming that most if not all of those vulnerabilities are reported on packages that are installed in the Ubuntu base image, not Couchbase Server itself. In most cases those are not exploitable vulnerabilities because the container will not run any processes from those packages.
If you would like to improve the report, a couple ideas. First, check that you’ve locally pulled the latest ubuntu:16.04 base image before building your own image (run “docker pull ubuntu:16.04”). That will ensure that you have the latest security fixes from Ubuntu.
If that doesn’t reduce the number of reports to your liking, you could try modifying the Dockerfile to be based on Ubuntu 18.04. To do this, you would need to also change the ARG CB_PACKAGE line to refer to ubuntu18.04, as well as the ARG CB_SHA256 line to be c4951cdab01759020444e4648023721ae3a333257591252475d34d5fc6ac8857 . Finally, add the following line:
RUN cp -a /etc/runit/2 /usr/sbin/runsvdir-start
somewhere after the initial “RUN apt-get update…” command near the top of the file. I just tested with these changes and the image builds and runs successfully. Be aware this isn’t “supported” as we don’t run our Quality Assurance process on this configuration. But I presume that Ubuntu 18.04 will have fewer concerning security vulnerabilities to report.
I’ve tried with Ubuntu 18:04 version , which gave us the satisfactory result compared to earlier .
Status: Medium
Critical and High are Zero.
Medium -5
LOW- 50
Overall status : Zero Fixable.
I’ve a doubt that ,Is this image is compatible with alpine as base image ,since I see most of security fixes will be very less/zero in alpine version. So I want a give a try with alpine. Please suggest me on the same.
The Alpine base image is unlikely to work, as Server itself and many of the libraries we build for it depend on glibc whereas Alpine use musl libc. I’ve seen some projects to bring glibc into Alpine, eg. https://hub.docker.com/r/frolvlad/alpine-glibc/ , which you’re welcome to try, but I fear you may be in for some strange runtime linker problems. You would also need to find a way to convert or extract one of our RPM or DEB files, as I don’t believe either of those package managers exists on Alpine. One small piece of good news is that the Server RPM has relatively few package dependencies. However there are a number of other steps in our current Dockerfile which would require significant porting to work in an Alpine environment as well. It’d be a pretty good amount of effort and I can’t promise it would ever work.
I have a given a try on changing base image to alpine . I was able to resolve compilation errors for the respective layers.
As you told while extracting .deb file got an error related to dependency packages .PFB error details.
couchbase-server-community:amd64 depends on libc6 (>= 2.25).
couchbase-server-community:amd64 depends on libtinfo5 (>= 6).
couchbase-server-community:amd64 depends on lsb-base (>= 3.2).
couchbase-server-community:amd64 depends on bzip2.
couchbase-server-community:amd64 depends on tar.
error processing packages
dependency problems. error encountered while processing.
Thanks,
kamesh.
Just wanna update on this. please suggest on this.