Does this community work on removing docker image vulnerabilities? There are quite a few high vulnerabilities on the r-base 4.0.5 and 3.9.6 images.
Well in about four weeks these are also, respectively, two and three full release cycles -- and calendar years -- old.
So no, we do not go back and scrub old containers. We do our best to provide best-in-class containers with current sources and current dependencies, and work with / rely upon the underlying distributions providing the respective containers.
For the r-base (and derived images) I am using the binary images provided by Debian which have ... myself as the maintainer for i.e. the R package so you can assume that I am au courant concerning current / past issues with R, and I do of course follow Debian Policy and incidents as a whole too.
@corey-dawson As Dirk says, those r-base images are tagged at the time of release and not rebuilt. Note that r-base builds on a rolling release, debian:testing, so rebuilding the Dockerfiles today won't generate the same software versions.
We do also provide access to older versions of R built on stable debian releases (for R 3.x series) and stable ubuntu:focal for R 4.x over in https://github.com/rocker-org/rocker-versioned2. These should continue to receive security patches from the upstream debian/ubuntu security teams, e.g. through apt-get update etc, over the lifetime of those releases (i.e. 10 years for ubuntu:focal). The 4.x tagged images, e.g. rocker/r-ver:4.0.5, are re-built monthly. HTH.