[vulnerabilities] minimal and standard images for 17.5 #189
Hello @c35sys! I'm Dosu, a bot here to help you solve bugs, answer questions, and guide you on your journey to becoming a contributor. I'm ready to assist while you wait for a human maintainer. How can I help you today? The 'minimal' and 'standard' images for PostgreSQL 17.5 are not currently available, which might be contributing to the higher number of vulnerabilities in the The process for building these images involves using Docker Bake, which allows for specific configurations and dependencies to be set, potentially reducing vulnerabilities. The 'minimal' images are based on official Debian images and include only essential PostgreSQL components, while 'standard' images extend these with additional features like PGAudit and pgvector [1]. Regarding the Go version, it seems that the vulnerabilities in the To reduce vulnerabilities, you might consider building a custom image using the Docker Bake process, specifying a newer Go version if possible. This could help mitigate some of the vulnerabilities related to Go.
Hello @c35sys, the old set of images depending on the Docker Hub postgres images install a lot of things that we remove in the minimal and standard set; those images with the Docker Hub postgres base image are being deprecated and are slowly going out. The new version 17.5 is in the build process because we hadn't updated it yet, so it will be available. Regarding security issues, sadly the base image (debian) comes with security issues that most of the time can't be fixed or require a new version of the base image; most of the time this is fixed, but it can happen that it requires a build. Regards,
Hello @sxd, thanks for the explanation! I found new images for 17.5 and tested the standard one:

```
❯ grype --by-cve ghcr.io/cloudnative-pg/postgresql:17.5-standard-bookworm | grep -E "High|Critical"
 ✔ Vulnerability DB                [updated]
 ✔ Pulled image
 ✔ Loaded image                    ghcr.io/cloudnative-pg/postgresql:17.5-standard-bookworm
 ✔ Parsed image                    sha256:666ffd8e846bb963d6643ca1e4fd81359d028faf54f83adccae4faadae9044db
 ✔ Cataloged contents              eb5b03b361e7174835dfbe709fb70c26cfab6a5ec6eae352233ba1e5aaaa6b6c
   ├── ✔ Packages                  [148 packages]
   ├── ✔ Executables               [934 executables]
   ├── ✔ File metadata             [10,245 locations]
   └── ✔ File digests              [10,245 files]
 ✔ Scanned for vulnerabilities     [165 vulnerability matches]
   ├── by severity: 0 critical, 12 high, 28 medium, 17 low, 104 negligible (4 unknown)
   └── by status:   0 fixed, 165 not-fixed, 0 ignored (1 dropped)
libperl5.36        5.36.0-7+deb12u2          (won't fix)  deb  CVE-2023-31484  High  76.11  0.8
perl               5.36.0-7+deb12u2          (won't fix)  deb  CVE-2023-31484  High  76.11  0.8
perl-base          5.36.0-7+deb12u2          (won't fix)  deb  CVE-2023-31484  High  76.11  0.8
perl-modules-5.36  5.36.0-7+deb12u2          (won't fix)  deb  CVE-2023-31484  High  76.11  0.8
libldap-2.5-0      2.5.13+dfsg-5             (won't fix)  deb  CVE-2023-2953   High  76.39  0.8
libxml2            2.9.14+dfsg-1.3~deb12u1   (won't fix)  deb  CVE-2024-25062  High  30.75  < 0.1
libxml2            2.9.14+dfsg-1.3~deb12u1                deb  CVE-2025-27113  High  15.51  < 0.1
libxml2            2.9.14+dfsg-1.3~deb12u1                deb  CVE-2025-32415  High  13.68  < 0.1
libxml2            2.9.14+dfsg-1.3~deb12u1   (won't fix)  deb  CVE-2025-32414  High  9.11   < 0.1
libxml2            2.9.14+dfsg-1.3~deb12u1                deb  CVE-2022-49043  High  4.70   < 0.1
libxml2            2.9.14+dfsg-1.3~deb12u1                deb  CVE-2025-24928  High  0.41   < 0.1
libxml2            2.9.14+dfsg-1.3~deb12u1                deb  CVE-2024-56171  High  0.32   < 0.1
```

Will they be available for each version? As they have far fewer vulnerabilities, don't you think they should be the default in https://raw.githubusercontent.com/cloudnative-pg/postgres-containers/main/Debian/ClusterImageCatalog-bookworm.yaml? Regards
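One way to turn a scan like the one above into something comparable between image tags, as an added example that is not code from this thread or from the cloudnative-pg project: it reads grype's JSON output (`grype -o json <image> > report.json`), de-duplicates by CVE (the four perl packages above all carry CVE-2023-31484 and should count once), and splits the result by grype's fix state so that the Debian "won't fix" findings the maintainer describes are kept apart from anything actually actionable. The JSON field layout (`matches[].vulnerability.{id,severity,fix.state}` and `matches[].artifact.{name,version}`), the function names and the two embedded reports are assumptions; the reports are constructed from the rows in the thread and are not real scan output.

```python
"""Summarise and compare grype JSON reports by unique CVE and fix state.

Added example for this thread (not cloudnative-pg code). Assumes grype's
`-o json` layout: matches[].vulnerability.{id,severity,fix.state} and
matches[].artifact.{name,version}. Generate a real report with
`grype -o json <image> > report.json` and pass it to load_report().
"""
import json
from collections import defaultdict

SEVERITY_ORDER = ["Negligible", "Low", "Medium", "High", "Critical"]


def rank(severity: str) -> int:
    """Numeric rank of a grype severity; unknown values rank lowest so they
    never cross a threshold by accident."""
    sev = severity.capitalize()
    return SEVERITY_ORDER.index(sev) if sev in SEVERITY_ORDER else -1


def load_report(path: str) -> dict:
    """Read a grype JSON report from disk."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def summarize(report: dict, min_severity: str = "High") -> dict:
    """Return {cve: {"severity", "fix_state", "packages"}} for matches at or
    above min_severity. One entry per CVE even when several packages carry it
    (perl, perl-base, libperl5.36 ... all share CVE-2023-31484)."""
    threshold = rank(min_severity)
    out = {}
    for m in report.get("matches", []):
        vuln = m["vulnerability"]
        if rank(vuln.get("severity", "Unknown")) < threshold:
            continue
        entry = out.setdefault(vuln["id"], {
            "severity": vuln.get("severity", "Unknown"),
            "fix_state": vuln.get("fix", {}).get("state", "unknown"),
            "packages": set(),
        })
        art = m["artifact"]
        entry["packages"].add(f'{art["name"]} {art["version"]}')
    return out


def actionable(summary: dict) -> dict:
    """Group CVEs by grype fix state ("fixed", "not-fixed", "wont-fix", ...)
    so a distro won't-fix finding is not mistaken for a missed upgrade."""
    buckets = defaultdict(list)
    for cve, entry in summary.items():
        buckets[entry["fix_state"]].append(cve)
    return {state: sorted(cves) for state, cves in buckets.items()}


def diff(summary_a: dict, summary_b: dict) -> tuple:
    """(CVEs only in a, CVEs only in b): what switching image tags changes."""
    return (sorted(set(summary_a) - set(summary_b)),
            sorted(set(summary_b) - set(summary_a)))


def _match(cve, severity, state, name, version, fixed_in=()):
    """Build one record in the assumed grype JSON shape (for sample data)."""
    return {"vulnerability": {"id": cve, "severity": severity,
                              "fix": {"state": state, "versions": list(fixed_in)}},
            "artifact": {"name": name, "version": version, "type": "deb"}}


# Constructed sample data, not real scan output: modelled on the thread's rows.
PERL = "5.36.0-7+deb12u2"
XML2 = "2.9.14+dfsg-1.3~deb12u1"
STANDARD_REPORT = {"matches": [
    _match("CVE-2023-31484", "High", "wont-fix", "libperl5.36", PERL),
    _match("CVE-2023-31484", "High", "wont-fix", "perl", PERL),
    _match("CVE-2023-31484", "High", "wont-fix", "perl-base", PERL),
    _match("CVE-2023-31484", "High", "wont-fix", "perl-modules-5.36", PERL),
    _match("CVE-2023-2953", "High", "wont-fix", "libldap-2.5-0", "2.5.13+dfsg-5"),
    _match("CVE-2025-27113", "High", "not-fixed", "libxml2", XML2),
]}
# Second constructed report standing in for an older image build.
LEGACY_REPORT = {"matches": [
    _match("CVE-2023-31484", "High", "wont-fix", "perl", PERL),
    _match("CVE-2024-25062", "High", "wont-fix", "libxml2", XML2),
    _match("CVE-2025-27113", "High", "fixed", "libxml2", XML2, fixed_in=["2.9.14+dfsg-1.3~deb12u2"]),
]}

if __name__ == "__main__":
    std = summarize(STANDARD_REPORT)
    print("standard:", actionable(std))
    print("only-in-legacy / only-in-standard:", diff(summarize(LEGACY_REPORT), std))
```

With real reports, run `summarize(load_report("legacy.json"))` and `summarize(load_report("standard.json"))` and feed both to `diff`; the `fixed` bucket from `actionable` is the list worth escalating, since those are the findings a rebuild on a newer base layer would actually remove.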
Hello, in the README.md of this repo it is explained why that's not possible yet: https://github.com/cloudnative-pg/postgres-containers?tab=readme-ov-file#system-images. A lot of people are not using the plugin. Regards,
Thanks for the note, it makes perfect sense; I missed the Barman plugin difference between them. I'll use minimal or standard images for now, thanks again! Best regards
Hello,

I'm looking for the latest image to have fewer vulnerabilities in it.

If I use postgresql:17.4-standard-bookworm or postgresql:17.4-standard-bookworm I have the following vulnerabilities:

However there are no minimal nor standard images for 17.5, only postgresql:17.5-1-bookworm, with a lot more vulnerabilities, with critical ones:

I found postgresql:17.5-1-bookworm from https://raw.githubusercontent.com/cloudnative-pg/postgres-containers/main/Debian/ClusterImageCatalog-bookworm.yaml. Maybe the process for minimal and standard images is using a newer golang to create them, resulting in removing all golang vulnerabilities, probably related to #126 and #132.

Any thoughts or direction?

Thanks.