Multiple Critical Vulnerabilities Cypress/Included (Recent Tags) #1034

Closed
jessedelira opened this issue Apr 16, 2024 · 3 comments
Comments

@jessedelira

Hello

While trying to use recent cypress/included Docker images for a project I saw that the AWS ECR scan of the image was showing over 100 vulnerabilities (cypress/included:13.6.1). I thought that this might be a mistake and checked Docker Desktop and saw about the same number of vulnerabilities (attached, P1).

After this I decided to try and look at something more recent. I found the image cypress/included:13.7.3 and thought that since it was published 5 days ago that it might have resolved these issues. Unfortunately, it had about the same number of vulnerabilities as the previous version (attached, P2).

At this point, I wanted to try and edit the original docker image to see if I could fix the vulnerabilities with the guides from Docker Scout. When searching in the cypress-docker-images repo, I couldn't find any of the version 13 images that are on Docker Hub.

Finally I tried the latest and cypress/included:cypress-13.7.3-node-20.12.2-chrome-123.0.6312.122-1-ff-124.0.2-edge-123.0.2420.81-1 tags for this image; they also had a high number of critical vulnerabilities.

P1 (attached screenshot of the scan results; image not included here)

P2 (attached screenshot of the scan results; image not included here)
@jessedelira jessedelira changed the title Multiple Critical Vulnerabilities Cypress/Included Multiple Critical Vulnerabilities Cypress/Included (Recent Tags) Apr 16, 2024
@jennifer-shehane
Member

@jessedelira We have a note about security scanning in our Readme. We'll be happy to look at anything originating from cypress and are always welcome to accept PRs.

📍Cypress Docker images are offered as a convenience measure. The goal is to offer Node.js, Browser and Cypress versions to streamline running tests in CI or other non-public, sandboxed environments.

Some preparations and optimizations are not included. For example, given the near infinite permutations, images are not monitored for security vulnerabilities. Additionally, once images are published they are considered immutable and cannot be patched. That means (hypothetically) older images could become more vulnerable over time.

This means they should not be used for production deployment and security scans should be performed as-needed by users of these images.

@jessedelira
Author

@jennifer-shehane I didn't catch that information in the Readme, thanks for pointing that out! Could you shed any light on why recent tags for the cypress/included tags aren't stored in this repo anymore or are they stored in another repo here?

@jennifer-shehane
Member

The intent of that change was to simplify our development process.
