Is there a Jenkins Docker image without security vulnerabilities?

I have tried all these Jenkins Docker images and scanned them for security vulnerabilities, but unfortunately they all have lots of vulnerabilities, even the alpine tag:

# FROM jenkins/jenkins:lts-alpine-jdk17
# FROM jenkins/jenkins:lts-alpine
FROM jenkins/jenkins:alpine
# FROM jenkins/jenkins:2.332.3-jdk11
# FROM jenkins/jenkins:lts
# FROM jenkins/jenkins:latest
# FROM bitnami/jenkins:latest
# FROM bitnami/jenkins:2-debian-11

Is there a Jenkins Docker image without security vulnerabilities?


I think your question implies “is there a Jenkins container image that contains no component that alerts my security scanner?”

If that is your question, then the answer is, “most likely not, since your security scanner is probably flagging security vulnerabilities in the container that do not affect Jenkins”.

The advanced image analysis of jenkins/jenkins:2.387.2-jdk17 as provided on hub.docker.com by Docker Scout (early access) can be used as an example of the types of reports usually raised for Jenkins container images. It reports

  • snakeyaml 1.32 affected by a CVE (that does not affect Jenkins)
  • snakeyaml 1.33 affected by a CVE (that does not affect Jenkins)
  • Jenkins core 2.387.2 claimed to be affected by 5 CVEs (that are all resolved in 2.375.4 and 2.387.1)
  • … more “vulnerabilities” that do not affect Jenkins

The Jenkins security team has issued advisories in the past for vulnerabilities in containers. The Feb 9, 2023 advisory was issued for vulnerabilities in command line git.

With regard to CVEs in dependencies, the Jenkins security officer has said:

When a CVE has an impact to the security of Jenkins, we include it in an advisory, like CVE-2022-2048 in Jetty or CVE-2021-43859 in XStream

Instead of announcing a continuous flow of non-impacting vulnerabilities, our approach is to publish information only for those that we consider interesting, like critical score, widely spread, etc.
For them you will find an article in our blog, like: Log4Shell or SpringShell.

Of the images that you listed, one of them has known vulnerabilities that affect Jenkins. You should not use jenkins/jenkins:2.332-jdk11 since there are known vulnerabilities in that version. That is a Jenkins long term support release that was delivered 11 months ago and is affected by Jenkins security advisories:


Thank you Mark for your reply. Which one do you advise me to use, please?

If you plan to update weekly, then I recommend jenkins/jenkins:2.399-alpine-jdk17 as the starting point, then next week you’ll update to 2.400, and the week after that 2.401.

If you plan to update monthly, then I recommend jenkins/jenkins:2.387.2-alpine-jdk17, then in about a month you’ll update to 2.387.3-alpine-jdk17, then a month after that you’ll update to the next LTS release.

More information is available at:


Thanks for the detailed response.

To confirm, is the only way to validate that a vulnerability (e.g., in snakeyaml) does not affect Jenkins to check that there is no advisory for it?

Yes, that is correct. The Jenkins security officer has said:

Instead of announcing a continuous flow of non-impacting vulnerabilities, our approach is to publish information only for those that we consider interesting, like critical score, widely spread, etc.
For them you will find an article in our blog, like: Log4Shell or SpringShell.

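The two points made in this thread (scanners flag Jenkins core versions that already contain the fix on their LTS line, and the only authoritative signal that a dependency CVE matters is a Jenkins security advisory) can be turned into a small triage step in a pipeline. The script below is an added example written for this page; it is not code from the thread, from Docker Scout, or from the Jenkins project. It reads a scan result in the layout of `trivy image --format json` (the field names `Results`, `Vulnerabilities`, `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion` are Trivy's; the sample document embedded here is constructed, and the `CVE-0000-*` identifiers are placeholders, not real CVEs). It assumes the Jenkins release model in which an LTS release `2.N.M` is cut from weekly `2.N` and backports appear as their own LTS fix versions, and it treats the advisory CVE list as something you maintain by hand from the Jenkins security advisories page (the two entries shown are the ones named in the thread).

```python
"""Triage scanner findings for a Jenkins container image.

Added example, not part of the original thread. Buckets each finding into:
  already-fixed : Jenkins core finding where the installed LTS already carries
                  the fix (scanner compared against the wrong release line)
  advisory      : CVE that the Jenkins security team has published an advisory for
  no-advisory   : everything else; per the thread, no Jenkins impact is known
"""
import re

# Constructed sample in the shape of `trivy image --format json`. The versions
# and the CVE-0000-* identifiers are placeholders, not real scan results.
SAMPLE_SCAN = {
    "Results": [
        {
            "Target": "Java",
            "Class": "lang-pkgs",
            "Type": "jar",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "org.yaml:snakeyaml",
                 "InstalledVersion": "1.33", "FixedVersion": "2.0", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "org.jenkins-ci.main:jenkins-core",
                 "InstalledVersion": "2.387.2", "FixedVersion": "2.394, 2.375.4, 2.387.1",
                 "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "org.jenkins-ci.main:jenkins-core",
                 "InstalledVersion": "2.387.2", "FixedVersion": "2.400", "Severity": "MEDIUM"},
                {"VulnerabilityID": "CVE-2022-2048", "PkgName": "org.eclipse.jetty:jetty-server",
                 "InstalledVersion": "9.4.46.v20220331", "FixedVersion": "9.4.47",
                 "Severity": "HIGH"},
            ],
        }
    ]
}

# CVEs with a Jenkins security advisory. The two below are the ones the thread
# names; maintain this set from https://www.jenkins.io/security/advisories/,
# never from scanner output.
ADVISORY_CVES = {"CVE-2022-2048", "CVE-2021-43859"}

JENKINS_CORE = "org.jenkins-ci.main:jenkins-core"
_VER = re.compile(r"^2\.(\d+)(?:\.(\d+))?$")


def parse_jenkins_version(v):
    """'2.399' -> (399, None) for a weekly; '2.387.2' -> (387, 2) for an LTS."""
    m = _VER.match(v.strip())
    if not m:
        raise ValueError(f"not a Jenkins core version: {v!r}")
    return int(m.group(1)), (int(m.group(2)) if m.group(2) else None)


def jenkins_core_fixed(installed, fixed_list):
    """True if `installed` already contains a fix shipped in any of `fixed_list`.

    Assumption (Jenkins release model): LTS 2.N.M is cut from weekly 2.N, so it
    has every fix in weeklies up to and including 2.N, plus backports that are
    listed as their own LTS fix version 2.N.M. A weekly only gets credit for
    weekly fix versions; an LTS backport does not say which weekly first had it.
    """
    n, m = parse_jenkins_version(installed)
    for f in fixed_list:
        fn, fm = parse_jenkins_version(f)
        if fm is None:            # fix first shipped in weekly 2.fn
            if fn <= n:
                return True
        elif m is not None:       # backport on LTS line 2.fn, patch fm
            if fn == n and fm <= m:
                return True
    return False


def triage(scan, advisory_cves):
    """Return {bucket: [(cve_id, package), ...]} for a Trivy-style scan dict."""
    out = {"already-fixed": [], "advisory": [], "no-advisory": []}
    for result in scan.get("Results", []):
        for v in result.get("Vulnerabilities", []):
            key = (v["VulnerabilityID"], v["PkgName"])
            # Trivy joins multiple fixed versions with ", "
            fixed = [x.strip() for x in (v.get("FixedVersion") or "").split(",") if x.strip()]
            if v["PkgName"] == JENKINS_CORE and jenkins_core_fixed(v["InstalledVersion"], fixed):
                out["already-fixed"].append(key)
            elif v["VulnerabilityID"] in advisory_cves:
                out["advisory"].append(key)
            else:
                out["no-advisory"].append(key)
    return out


if __name__ == "__main__":
    report = triage(SAMPLE_SCAN, ADVISORY_CVES)
    for bucket, items in report.items():
        print(f"{bucket}: {len(items)}")
        for cve, pkg in items:
            print(f"  {cve}  {pkg}")
```

Only the `advisory` bucket should fail a build; the `already-fixed` bucket is the scanner comparing an LTS such as 2.387.2 against a weekly fix version like 2.394, and the `no-advisory` bucket is the "continuous flow of non-impacting vulnerabilities" the security officer describes. Re-run with the real scan by loading the JSON file into `triage` in place of `SAMPLE_SCAN`.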