Our team has been managing a Redash environment for some time now and we’ve recently enabled some security scanning features which have identified an alarming number of issues in Containers run from the Redash Images published in Docker Hub. I believe that these aren’t actually Redash issues, but are inherited from the chosen base Image and thus a resolution for all of these could be trivial. Hopefully some Redash admins will join.
As I mentioned, we recently enabled a Container scanner which our company’s security team has provided for us. That scanner identified hundreds of Critical/High vulnerabilities in Containers built from redash:10.1.0.b50633. These are real, legitimate CVEs, which are found in libraries installed in the Container, not in Redash itself.
As a test, I scanned a Container based on node:14.17, which I can see Redash uses as a base Image. The scanner again identified hundreds of issues.
I then scanned a Container based on node:14-alpine and it found 0 Critical/High vulnerabilities!
@arikfr - do you guys scan Redash Containers that are built from the Images published to Docker Hub? If so, are you also seeing hundreds of Critical/High CVEs? If so, what are the plans to resolve these?
As far as I can see (which is, admittedly, not everywhere) there are a lot of issues here which are inherited from node that can easily be avoided. There’s not any easy way to resolve these issues downstream. Fixing them in the published Redash Images would help tremendously.
I’ve reported this topic to the Redash security team, but I’m posting here as well for the benefit of others who may be facing the same issue in their scans.
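The post's method of scanning the application image and its base image separately, then inferring which findings are inherited, can be automated once the scanner's output is in hand. The script below is an added example and is not part of the original post, nor Redash's or any scanner's own code. It assumes a simplified report shape (`{"image": ..., "vulnerabilities": [{"id", "package", "severity"}]}`) that you would map your scanner's JSON onto; the two reports and the CVE identifiers in them are constructed sample data, not real scan results.

```python
"""Attribute Critical/High scanner findings to the base image or the app layer.

Assumed report shape (a simplification of typical scanner JSON):
  {"image": "<name:tag>", "vulnerabilities": [{"id", "package", "severity"}, ...]}
A finding that appears in both the base-image scan and the application-image
scan (same CVE id, same package) is treated as inherited from the base image;
a finding only in the application scan is attributed to the application layer.
"""
from collections import Counter

# Constructed sample data: CVE ids and package names are placeholders.
BASE_REPORT = {
    "image": "example-base:1.0",
    "vulnerabilities": [
        {"id": "CVE-0000-0001", "package": "libfoo", "severity": "CRITICAL"},
        {"id": "CVE-0000-0002", "package": "libbar", "severity": "HIGH"},
        {"id": "CVE-0000-0003", "package": "libbaz", "severity": "MEDIUM"},
    ],
}

APP_REPORT = {
    "image": "example-app:1.0",
    "vulnerabilities": [
        # Everything from the base image is still present in the app image...
        {"id": "CVE-0000-0001", "package": "libfoo", "severity": "CRITICAL"},
        {"id": "CVE-0000-0002", "package": "libbar", "severity": "HIGH"},
        {"id": "CVE-0000-0003", "package": "libbaz", "severity": "MEDIUM"},
        # ...plus findings introduced by the application's own dependencies.
        {"id": "CVE-0000-0004", "package": "app-dep", "severity": "HIGH"},
        {"id": "CVE-0000-0005", "package": "app-dep2", "severity": "LOW"},
    ],
}

HIGH_OR_ABOVE = ("CRITICAL", "HIGH")


def index_findings(report):
    """Key each finding by (CVE id, package) so the same CVE in two packages stays distinct."""
    return {(v["id"], v["package"]): v for v in report["vulnerabilities"]}


def attribute(app_report, base_report, severities=HIGH_OR_ABOVE):
    """Split the app image's findings into inherited-from-base and app-layer-only."""
    base = index_findings(base_report)
    app = index_findings(app_report)
    inherited = [v for k, v in app.items() if k in base and v["severity"] in severities]
    own = [v for k, v in app.items() if k not in base and v["severity"] in severities]
    return inherited, own


def summarize(app_report, base_report, severities=HIGH_OR_ABOVE):
    """Return counts that answer 'how much of this is the base image's fault?'."""
    inherited, own = attribute(app_report, base_report, severities)
    total = len(inherited) + len(own)
    return {
        "image": app_report["image"],
        "base_image": base_report["image"],
        "inherited": len(inherited),
        "app_layer": len(own),
        # Share of Critical/High findings that a base-image change could remove.
        "inherited_share": (len(inherited) / total) if total else 0.0,
        "inherited_by_severity": dict(Counter(v["severity"] for v in inherited)),
        "app_layer_by_severity": dict(Counter(v["severity"] for v in own)),
    }


if __name__ == "__main__":
    result = summarize(APP_REPORT, BASE_REPORT)
    print(f"{result['image']} (base {result['base_image']}):")
    print(f"  inherited from base : {result['inherited']} {result['inherited_by_severity']}")
    print(f"  application layer   : {result['app_layer']} {result['app_layer_by_severity']}")
    print(f"  inherited share     : {result['inherited_share']:.0%}")
```

Run the same summary with the application image paired against each candidate base image; a high `inherited_share` supports the post's argument that the fix belongs in the published image's base rather than in downstream deployments.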