DL3005 is wrong: security updates should be in most Dockerfiles

[itamarst]

https://github.com/hadolint/hadolint/wiki/DL3005 suggests not running package updates. This is a bad idea, because it means many users won't get security updates installed.

For example, the official CentOS images only get sregenerated every few months. At time of filing this issue, the centos:8 image hasn't been updated for 3 months (https://hub.docker.com/_/centos?tab=tags&page=1&ordering=last_updated). (Yes, CentOS is EOLing soon, but that's irrelevant to this point).

Similarly, while official Python Docker do get rebuilt more often, there are often windows of a few days where Debian has released security updates, but images haven't been regenerated. Without apt-get upgrade, those updates will not get installed in a timely manner.

[acdha]

Seconding this: I frequently come across containers full of CVEs whose authors were surprised to learn that using hadolint had caused them to make their project insecure. There could be a stronger argument for using upgrade but not dist-upgrade but that still really doesn't address the core challenge: updates are a fact of life and the solution is to have testing rather than avoiding them; if you're concerned about change volume you can make your own base image for your projects but there's no world in which “don't install security updates for a running server” is prudent.

[itamarst]

I wrote up a detailed explanation of why this needs to be fixed: https://pythonspeed.com/articles/security-updates-in-docker/

[SuperSandro2000]

First of all you should pull a new base image before building to avoid using a very old one which updates basically everything and blows up the size of the image. Then you can probably just run apt update && apt upgrade and clean to get the latest ~3 updates. If you do not pull before you mind end up updating a lot of stuff and for bigger images this could mean a few gigabytes. If you look at the node container you also get an imagemagick update right now which you probably want.

But even if you upgrade all packages in a container it is still full of CVEs which are not fixed in the package repositories.

The Docker FAQ refers to this unprivileged https://docs.docker.com/engine/reference/run/#security-configuration and not an unprivileged user.

The FAQ also contains If you know there is a particular package, foo, that needs to be updated, use apt-get install -y foo to update automatically.
So if you know there is a CVE in zstd then you update that.

[itamarst]

Then you can probably just run apt update && apt upgrade and clean to get the latest ~3 updates

The whole point of this issue is that if you do apt-get upgrade hadolint will complain. Which is bad.

Re "still full of CVEs" after running updates, that's mostly about broken security scanners—see https://pythonspeed.com/articles/docker-security-scanner/ for an explanation of what's going on.

[acdha]

First of all you should pull a new base image before building to avoid using a very old one which updates basically everything and blows up the size of the image.

This misunderstanding is core to why this unsafe advice has lingered for so many years and it’s really important to understand why it’s counterproductive: it is better to offer advice where the failure mode is wasting a little disk space rather than shipping a known vulnerability, and the assumptions that are made at the time a Dockerfile is edited aren’t guaranteed to be true forever.

If you use a base image which is updated promptly after patches are released, apt-get update won’t change the image size much because everything except the absolute latest patches will already be installed. Following this advice will have no meaningful impact.

When updates do change the image size, it means that (like almost all images) it isn’t updated frequently — and it’s not gigabytes unless you’re using an unusually large number of packages and they all have vulnerabilities. Following this advice will lead to you shipping known problems.

When the assumption behind this rule that the base image will handle it is valid, it has the least benefit. This is irresponsible security advice since the people least equipped to deal with it will be exposed to the greatest risk.

[lorenzo]

I'm genuinely wondering what the best advise we could give is. It seems like the current status of docker is dire as there is no good answer on how to keep packages up to date. This is the summary of my current understanding:

• In spirit, it is the job of base images to keep up to date and patch vulnerabilities.
• Therefore, it is better to have a predictable build, which is achieved by pinning version and not blindly upgrading anything.
• In practice, the popular base images rarely (never?) do this. So the above recommendation is actually harmful
• Yet, recommending doing upgrades also has major caveats that won't actually mean you are getting the security patches you should. I can think of several reasons, most of them involving the docker cache. If you have cached images, then apt-get upgrade may never run anyways!

I wonder now if we could do something like keeping a list of known images with vulnerabilities (like centos:8) and reverse the meaning of the rule to actually recommend running the upgrade... but how do we recommend bypassing the cache?

I have to admit that I'm not great at discussing security-related topics, so I'd like not to come up with my own standards and just trust recommendations from docker and owasp. My thinking is that this issue should be taken there and if there is a new recommendation we can easily implement it here.

[itamarst]

The way people work around Docker caching is by rebuilding images without caching daily/weekly/on security update. See https://pythonspeed.com/articles/docker-cache-insecure-images/ for writeup, but this is what people I've talked to do.

The big picture here is that creating packages is a process. You need to do some activity on ongoing basis to get security updates, either apt-get upgrade + rebuild without caching on regular basis, or tracking security updates and updating pins. Ensuring those processes happen is clearly out of scope for hadolint, but hadolint shouldn't warn people against using a process that does actually work.

OWASP has deleted the bad recommendation: OWASP/CheatSheetSeries#614 (comment). Specifically they said "Good call, what a scary mistake on our end, my apologies".

I have opened a pull request against Docker documentation, and they have just accepted it: docker/docs#12571; public site hasn't changed yet, but I assume it will be at some point.

So both OWASP and Docker no longer recommend this.

[lorenzo]

In the light of those ammends, I'm happy to remove that rule. Does anyone want to contribute the change to hadolint?

[itamarst]

I'm not feeling so well this week, but can take a look next week and see if I can figure it out. I don't really know Haskell but deleting code is easier (and probably want to leave in warning for apt-get dist-upgrade because that's definitely a bad idea for reasons unrelated to security).

[lorenzo]

I'm leaving this open for contributors to take it since it is a low-effort task that may be a great first task for people wanting to get involved.

Just need to delete the word upgrade from this file: https://github.com/hadolint/hadolint/blob/master/src/Hadolint/Rule/DL3005.hs

and fix the test here https://github.com/hadolint/hadolint/blob/master/test/Spec.hs#L330

[maxfactor1]

Should take it a step further, in my opinion, and require package update statements in Dockerfiles.

[itamarst]

The problem is that Docker packaging is a process, with different ways to implement that process. You can for example install pinned versions of system packages, and whenever a security update comes out update the pinning, or alternatively you can apt-get upgrade. Both will get you security updates, but with different tradeoffs.

As a linter, hadolint is limited in how well it can understand what the user is trying to achieve. All it has is an artifact, it does not and can not understand whether you've chosen the first process, the second process, your base image does security updates already, or you just screwed up and don't have a security update process at all.

And perhaps there is an argument for complaining if it doesn't see upgrade, and the user can put an override in saying 'no actually I'm doing pinned updates'. But... big picture there is only so much hadolint can do given the complexity of the domain.