The ITS Container Service provides regular container image security vulnerability reports to all users who have 'admin' permissions in projects on https://containers.it.umich.edu. Reports contain a list of vulnerabilities for all images within your projects, the severity of each vulnerability, the version of the dependency which contains remediation, and a link to more information for each vulnerability. The reports are provided in both HTML and CSV formats, and are sent via email to all who have 'admin' or 'edit' privileges within your OpenShift project.
See the HTML sample report below for more details about the information provided.
For each report you will see the following columns:
- CVE ID: This is the unique identifier for each vulnerability. The ID is a commonly referenced name used in security databases. The links in the URL field provide more information, but you can also search the public internet for more information about the vulnerability by using the CVE ID.
- Severity: Each vulnerability may be documented in several vulnerability databases (see URL field). Each database will provide its own rating for the vulnerability. This field provides the highest severity rating amongst the listed databases.
- Impacted Image: This column shows the image and tag that contains the vulnerable packages. This list will only include images in a Container Service project for which you have 'admin' or 'edit' privileges.
- Vulnerable Package: The package that is the source of the vulnerability within your images. This may be a package you are explicitly installing, or one you are inheriting from another base image.
- Remediated Version: Does an updated package exist which addresses this vulnerability? If so, this is the minimum version you must update to in order to no longer be impacted. Note: in some cases a fix may not be available.
- Package Location: Where within the image is the package located? This might be a location within the file system, or it may say 'pkgdb' if the library was added and maintained by a package manager.
- URL: This field links to details about the vulnerability from well-known vulnerability databases, as well as the vulnerability rating given by each source.
What Action Should I Take?
As outlined on the Container Service website, updating applications is a customer responsibility. These reports are intended to provide guidance about the priority and focus for addressing security concerns. Some suggestions for keeping application images current can be found in the Container Images Suggestions document.
Contact the ITS Container Service by sending email to: firstname.lastname@example.org, or contact 4-HELP.
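One way to turn the CSV report into a prioritized work list is sketched below. This is an added example, not code from the Container Service: it assumes the CSV header row uses the column names listed above and that severities are labelled Critical/High/Medium/Low, and the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict

# Assumed severity labels and ordering; adjust to the values in your report.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed sample rows using the column names listed above (not real report data).
SAMPLE_CSV = """CVE ID,Severity,Impacted Image,Vulnerable Package,Remediated Version,Package Location,URL
CVE-0000-0001,High,myproject/web:latest,libexample,1.2.4,pkgdb,https://example.org/CVE-0000-0001
CVE-0000-0002,Critical,myproject/web:latest,libexample,1.3.0,pkgdb,https://example.org/CVE-0000-0002
CVE-0000-0003,Medium,myproject/web:latest,examplelib,,/app/node_modules/examplelib,https://example.org/CVE-0000-0003
CVE-0000-0004,Low,myproject/worker:v2,libother,2.0.1,pkgdb,https://example.org/CVE-0000-0004
"""


def version_key(version):
    """Naive dotted-version sort key; numeric parts compare as numbers."""
    return [(0, int(p)) if p.isdigit() else (1, p) for p in version.replace("-", ".").split(".")]


def triage(report_file):
    """Return (fixable, unfixable): one upgrade action per image/package, plus CVEs with no fix."""
    actions = defaultdict(lambda: {"cves": [], "severity": "unknown", "target": None})
    unfixable = []
    for row in csv.DictReader(report_file):
        row = {k.strip(): (v or "").strip() for k, v in row.items()}
        fixed = row["Remediated Version"]
        if not fixed:
            unfixable.append(row)  # no fix available yet: track it, an upgrade will not help
            continue
        a = actions[(row["Impacted Image"], row["Vulnerable Package"])]
        a["cves"].append(row["CVE ID"])
        # Keep the highest severity among the CVEs this one upgrade resolves.
        a["severity"] = min(a["severity"], row["Severity"].lower(),
                            key=lambda s: SEVERITY_RANK.get(s, 99))
        # The highest "Remediated Version" clears every listed CVE for the package.
        if a["target"] is None or version_key(fixed) > version_key(a["target"]):
            a["target"] = fixed
    fixable = sorted(actions.items(), key=lambda kv: SEVERITY_RANK.get(kv[1]["severity"], 99))
    return fixable, unfixable


if __name__ == "__main__":
    fixable, unfixable = triage(io.StringIO(SAMPLE_CSV))
    for (image, package), a in fixable:
        print(f"[{a['severity']}] {image}: upgrade {package} to >= {a['target']} ({', '.join(a['cves'])})")
    for row in unfixable:
        print(f"[no fix] {row['Impacted Image']}: {row['Vulnerable Package']} {row['CVE ID']}")
```

Rows with an empty Remediated Version are listed separately because rebuilding the image will not clear them; for 'pkgdb' packages the upgrade usually comes from rebuilding on an updated base image or package manager update.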