I hope you are doing well! I want to create my own MySQL image, but when I use some versions (e.g., mysql:latest) and scan it with the Trivy tool, I find a lot of vulnerabilities categorized as critical, medium, and low.
What is the best practice for creating a secure MySQL image? My approach is to update the vulnerable packages that are marked as critical, and then I will create a new image with the commands that upgrade those vulnerable packages.
Is this the best practice, or do you have any suggestions or best practices to follow?
I think the problem here is that Oracle Corp, as they often do, are working at cross purposes with the open source community. It appears that they run their own “official” repository separate from DockerHub. The “official” repository gets security fixes. They cheerfully ignore the CVE issues on DockerHub.
So if you want an image that’s properly checked for CVE, you need to go directly to Oracle. Here’s the page to look for. If I run this in trivy, here’s what I see for the “official” image:
$ trivy image container-registry.oracle.com/mysql/community-server:latest -s CRITICAL,HIGH
2024-10-21T21:03:01-07:00 INFO Vulnerability scanning is enabled
2024-10-21T21:03:01-07:00 INFO Secret scanning is enabled
2024-10-21T21:03:01-07:00 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-21T21:03:01-07:00 INFO Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-10-21T21:03:09-07:00 INFO [python] License acquired from METADATA classifiers may be subject to additional terms name="PyYAML" version="6.0.1"
2024-10-21T21:03:09-07:00 INFO [python] License acquired from METADATA classifiers may be subject to additional terms name="bcrypt" version="4.1.3"
2024-10-21T21:03:09-07:00 INFO [python] License acquired from METADATA classifiers may be subject to additional terms name="certifi" version="2024.7.4"
2024-10-21T21:03:09-07:00 INFO [python] License acquired from METADATA classifiers may be subject to additional terms name="cffi" version="1.17.0"
2024-10-21T21:03:09-07:00 INFO [python] License acquired from METADATA classifiers may be subject to additional terms name="circuitbreaker" version="2.0.0"
2024-10-21T21:03:09-07:00 INFO [python] License acquired from METADATA classifiers may be subject to additional terms name="cryptography" version="42.0.8"
2024-10-21T21:03:09-07:00 INFO [python] License acquired from METADATA classifiers may be subject to additional terms name="oci" version="2.133.0"
2024-10-21T21:03:09-07:00 INFO [python] License acquired from METADATA classifiers may be subject to additional terms name="paramiko" version="3.4.0"
2024-10-21T21:03:09-07:00 INFO [python] License acquired from METADATA classifiers may be subject to additional terms name="pyOpenSSL" version="24.2.1"
2024-10-21T21:03:09-07:00 INFO [python] License acquired from METADATA classifiers may be subject to additional terms name="pycparser" version="2.22"
2024-10-21T21:03:09-07:00 INFO [python] License acquired from METADATA classifiers may be subject to additional terms name="python-dateutil" version="2.9.0.post0"
2024-10-21T21:03:09-07:00 INFO [python] License acquired from METADATA classifiers may be subject to additional terms name="pytz" version="2024.1"
2024-10-21T21:03:09-07:00 INFO [python] License acquired from METADATA classifiers may be subject to additional terms name="autocommand" version="2.2.2"
2024-10-21T21:03:09-07:00 INFO [python] License acquired from METADATA classifiers may be subject to additional terms name="typeguard" version="4.3.0"
2024-10-21T21:03:09-07:00 INFO [python] License acquired from METADATA classifiers may be subject to additional terms name="six" version="1.16.0"
2024-10-21T21:03:09-07:00 INFO Detected OS family="oracle" version="9.4"
2024-10-21T21:03:09-07:00 INFO [oracle] Detecting vulnerabilities... os_version="9" pkg_num=114
2024-10-21T21:03:09-07:00 INFO Number of language-specific files num=1
2024-10-21T21:03:09-07:00 INFO [python-pkg] Detecting vulnerabilities...
container-registry.oracle.com/mysql/community-server:latest (oracle 9.4)
Total: 0 (HIGH: 0, CRITICAL: 0)
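The scan above filters on severity at the command line; in a build pipeline you usually also want to know which of the remaining findings a package upgrade would actually resolve (the original poster's approach) and which have no fix in the distribution yet, since only the second kind argues for switching base images. The following script is an added example, not code from any of the posters: it reads a report produced by `trivy image --format json --output report.json <image>`, splits CRITICAL/HIGH findings into fixable and unfixed, and applies a pass/fail policy equivalent to `trivy --exit-code 1 --severity CRITICAL,HIGH [--ignore-unfixed]`. The embedded report, its package names and its `CVE-0000-000x` identifiers are constructed placeholders, not real findings; the JSON field names are Trivy's own.

```python
"""Policy gate over a Trivy JSON report (added example, not from the thread).

Usage: python trivy_gate.py report.json
Without an argument the constructed SAMPLE_REPORT below is used.
"""
from __future__ import annotations

import json
import sys
from collections import Counter
from dataclasses import dataclass

SEVERITY_ORDER = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN")


@dataclass(frozen=True)
class Finding:
    target: str
    vuln_id: str
    pkg: str
    installed: str
    fixed: str        # empty when the distribution has not shipped a fix
    severity: str

    @property
    def fixable(self) -> bool:
        return bool(self.fixed)


def load_findings(report: dict) -> list[Finding]:
    """Flatten Trivy's Results[].Vulnerabilities[] into Finding records."""
    findings = []
    for result in report.get("Results", []):
        # Trivy emits null (not []) for a target with no vulnerabilities.
        for v in result.get("Vulnerabilities") or []:
            findings.append(Finding(
                target=result.get("Target", ""),
                vuln_id=v.get("VulnerabilityID", ""),
                pkg=v.get("PkgName", ""),
                installed=v.get("InstalledVersion", ""),
                fixed=v.get("FixedVersion") or "",
                severity=(v.get("Severity") or "UNKNOWN").upper(),
            ))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity, like the 'Total:' line of the table output."""
    counts = Counter(f.severity for f in findings)
    return {sev: counts.get(sev, 0) for sev in SEVERITY_ORDER}


def upgrade_plan(findings: list[Finding],
                 severities=("CRITICAL", "HIGH")) -> list[tuple[str, str, str]]:
    """(package, installed, fixed) rows that a package upgrade in the
    Dockerfile would resolve; duplicates across CVEs are collapsed."""
    rows = {(f.pkg, f.installed, f.fixed) for f in findings
            if f.severity in severities and f.fixable}
    return sorted(rows)


def unfixed(findings: list[Finding],
            severities=("CRITICAL", "HIGH")) -> list[Finding]:
    """Findings no upgrade can remove; these are the case for another base image."""
    return sorted((f for f in findings if f.severity in severities and not f.fixable),
                  key=lambda f: (f.pkg, f.vuln_id))


def gate(findings: list[Finding], fail_on=("CRITICAL", "HIGH"),
         ignore_unfixed: bool = False) -> bool:
    """True when the image passes policy. ignore_unfixed mirrors Trivy's
    --ignore-unfixed: unfixable findings are reported but do not fail the build."""
    return not any(f.severity in fail_on and (f.fixable or not ignore_unfixed)
                   for f in findings)


# Constructed sample report; package names and CVE ids are placeholders.
SAMPLE_REPORT = {
    "ArtifactName": "example.invalid/mysql-custom:dev",
    "Results": [
        {
            "Target": "example.invalid/mysql-custom:dev (oracle 9.4)",
            "Class": "os-pkgs",
            "Type": "oracle",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
                 "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libexample",
                 "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libother",
                 "InstalledVersion": "2.3", "FixedVersion": "", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0004", "PkgName": "libother",
                 "InstalledVersion": "2.3", "FixedVersion": "2.4", "Severity": "LOW"},
            ],
        },
        {"Target": "usr/lib/python3.9/site-packages", "Class": "lang-pkgs",
         "Type": "python-pkg", "Vulnerabilities": None},
    ],
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    fs = load_findings(report)
    print("Totals:", summarize(fs))
    print("Upgrade these packages:", upgrade_plan(fs))
    print("No fix available:", [(f.pkg, f.vuln_id) for f in unfixed(fs)])
    sys.exit(0 if gate(fs, ignore_unfixed=True) else 1)
```

Running it against the sample gives one CRITICAL and two HIGH findings: the two on `libexample` are fixable by pinning the package to its fixed version, the one on `libother` is not, so with `ignore_unfixed=True` the gate passes once `libexample` is upgraded and the unfixed finding stays visible in the report rather than being hidden by a blanket ignore file.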
One approach I have used is to take Alpine as the base image and set up MySQL on it myself.
This way, only the required packages are installed within the image, and the size is also smaller compared to the official images. You can try this out.
Thank you for your reply. It’s a good approach, but you should test it thoroughly to ensure it works perfectly before using it in a production environment. If possible, could you share the Dockerfile used to build MySQL? This would help others who want to use this approach to streamline the build process.