What to do about hundreds of CVE reported by scanning Redash Container?

Our team has been managing a Redash environment for some time now and we’ve recently enabled some security scanning features which have identified an alarming number of issues in Containers run from the Redash Images published in Docker Hub. I believe that these aren’t actually Redash issues, but are inherited from the chosen base Image and thus a resolution for all of these could be trivial. Hopefully some Redash admins will join.

As I mentioned, we recently enabled a Container scanner which our company’s security team has provided for us. That scanner identified hundreds of Critical/High vulnerabilities in Containers built from redash:10.1.0.b50633. These are real legitimate CVE, which are found in libraries installed in the Container, not in Redash itself.

As a test, I scanned a Container based on node:14.17, which I can see Redash uses as a base Image. The scanner again identified hundreds of issues.

I then scanned a Container based on node:14-alpine and it found 0 Critical/High vulnerabilities!

@arikfr - do you guys scan Redash Containers that are built from the Images published to Docker Hub? If so, are you also seeing hundreds of Critical/High CVE? If so, what are the plans to resolve these?

As far as I can see (which is admittedly, not everywhere) there are a lot of issues here which are inherited from node that can easily be avoided. There’s not any easy way to resolve these issues downstream. Fixing them in the published Redash Images would help tremendously.

I’ve reported this topic to the Redash security team, but I’m posting here as well for the benefit of others who may be facing the same issue in their scans.

This is a great question, I created a GitHub issue a few months ago about it too. I’ve successfully built my own redash image on an updated OS, but we are not yet running that in production. I was able to clear out all the vulnerabilities in the OS except for some curl problems that are still not patched.

However, there are some Python vulnerabilities in redash that we can’t patch on our own. I have reported those here. I realize this is not as straightforward as it likely involves code updates.

Bumping this to see if there’s any sort of official path forward from the Redash team.

Thanks for the bump. I’m seeing if we can spec out the time to prioritise this next quarter.

If you have a public repository with a successful upgrade of the OS we’d love to see this / incorporate it into the master branch.

Thanks @jesse, here’s a gist of the Dockerfile I’ve been playing with. The most significant thing is changing from buster to bullseye.