High Severity Security Vulnerabilities in Azure Functions Docker Image

Antonio Miron 31 Reputation points
2020-05-19T07:15:31.797+00:00

We have built a Docker container image for a Linux Azure Function App running Python 3.7 using the instructions provided in:

Create a function on Linux using a custom container

Our Dockerfile is just:

FROM mcr.microsoft.com/azure-functions/python:3.0-python3.7  
  
ENV AzureWebJobsScriptRoot=/home/site/wwwroot \  
    AzureFunctionsJobHost__Logging__Console__IsEnabled=true  
  
COPY requirements.txt /  
RUN pip install -r /requirements.txt  
  
COPY . /home/site/wwwroot  

We uploaded our Docker image to JFrog Artifactory and had it scanned with XRay. The results reported over 35 critical security vulnerabilities, all of which are related to the debian:buster:linux:4.19.98-1 packages.

8442-docker-azurefunctioncustom-117176-violations-expor.txt

Are these false positives? Safe to ignore? Or are we using the wrong (or old) base image for the Azure Function Docker image?

Azure Functions
Azure Functions
An Azure service that provides an event-driven serverless compute platform.
4,119 questions
{count} vote

1 answer

Sort by: Most helpful
  1. MayankBargali-MSFT 67,691 Reputation points
    2020-07-16T03:30:31.117+00:00

    Hi @Antonio Miron

    Looking into the attachment, I can see that there is an issue with CVEs mentioned in violations export file and this issue is with Debian. The underlying image that is used for functions basically has this issue.
    There are many reasons for CVEs to still be shown in production images and you can read this for information: https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves

    If any CVEs that you think might affect you. You can track them using this link: https://security-tracker.debian.org/tracker/
    Further, you can raise the issue with Debian for specific CVEs

    Update:
    Product group is in the middle of releasing an updated image with fixes for all the actionable Debian vulnerabilities. The expected date to be completed is next week if there are no issues.

    You can rebuild your custom docker image by end of next week so you should get the updated base image.
    As, some of the Debian vulnerabilities do not have patches available yet and they would remain unpatched with the new image as well.

    If you have any concerns on the docker image you can always create the issue here: https://github.com/Azure/azure-functions-docker