Product Roadmaps / MMF-1931

Limit security risks in SonarQube Docker images



    • Type: MMF
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed



      We do our best to ship an application that has no vulnerabilities of its own.

      Still, with Docker the risk also comes from everything else that ends up in the image, from the base image up to its packaged dependencies.

      Three kinds of vulnerabilities can be exposed:

      1. vulnerabilities in application dependencies, bundled with the SonarQube standard zip distributions.
      2. vulnerabilities in the Docker image's own packages, for instance installed tools such as curl or an X11 server.
      3. vulnerabilities in the base OS layer of the image (system libraries such as glibc or OpenSSL). Note that an image does not ship a kernel: containers share the host kernel, so kernel vulnerabilities are fixed on the host, not in the image.

      With this MMF, we want to:

      • act directly on the next image to reduce its attack surface as much as possible
      • put in place a reliable process so that upcoming releases do not ship known vulnerabilities; this will of course also benefit the zip distribution.


      A process to upgrade dependencies:

      • Formalize a process, manual or automated, that ensures dependencies are up to date when releasing a new version of SonarQube. Dependencies include the Java/TS third-party libraries bundled with the SonarQube zip distributions and the Linux tools packaged with the Docker image.

      Audit as part of the CI process

      • Integrate a Software Composition Analysis (SCA) audit into the CI pipeline
      • Audit the system security of the Docker image itself, for instance with tools like OpenSCAP, Anchore or Clair

      Act on the docker image to reduce the surface of attack

      • Use the smallest possible base image, for instance Google Distroless. The majority of vulnerabilities are found in the OS layer, so the choice of base image is critical.
      • Do not package non-required tools inside the Docker image (X11, Qt, KDE, Apache, curl, ...)
      • Apply security best practices, for instance:


      Later on, we may also consider adding support for Docker/Kubernetes secrets, but that does not directly relate to making the image itself more secure.
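      Added example, not SonarSource's own tooling (the issue does not describe any): a POSIX shell check that covers two of the items above, auditing in CI and keeping non-required tools out of the image. It inspects a flat root-filesystem tarball of the kind `docker export` produces, so the check itself needs no Docker daemon. The denylist, the function names and the sample tarballs are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of MMF-1931 or SonarSource's build: a CI gate that
# fails when a container image's root filesystem ships tools the image does
# not need (curl, an X server, Apache, ...). It inspects a flat filesystem
# tarball, which is what `docker export` produces, so it needs no Docker
# daemon while the check runs. Tool list and function names are assumptions.

# Binaries that should never be in a SonarQube image (assumed denylist,
# based on the examples given in the issue). Plain names only: they are
# interpolated into a regular expression below.
DENIED_TOOLS="curl wget X Xorg apache2 httpd kdeinit5 qmake"

# audit_rootfs_tar TARBALL
# Lists the tarball and reports every denied tool installed under a bin/ or
# sbin/ directory. Returns 0 when the image is clean, 1 when a denied tool is
# present and 2 when the tarball cannot be read.
audit_rootfs_tar() {
    tarball=$1
    listing=$(tar -tf "$tarball") || return 2
    found=0
    for tool in $DENIED_TOOLS; do
        # Entries look like "./usr/bin/curl"; match the basename exactly so
        # that "curl" does not also flag "curl-config" or "libcurl.so".
        if printf '%s\n' "$listing" | grep -Eq "(^|/)s?bin/$tool\$"; then
            echo "denied tool present: $tool"
            found=1
        fi
    done
    return $found
}

# make_rootfs_tar OUT.tar PATH...
# Builds a throwaway rootfs tarball containing empty files at the given paths.
# Only used to construct sample input for the check; a real pipeline would
# run `docker create` and `docker export` on the freshly built image instead.
make_rootfs_tar() {
    out=$1; shift
    dir=$(mktemp -d) || return 2
    for p in "$@"; do
        mkdir -p "$dir/$(dirname "$p")"
        : > "$dir/$p"
    done
    tar -cf "$out" -C "$dir" .
    rm -rf "$dir"
}

# Usage in CI against a real image (not executed here):
#   docker create --name sq-audit sonarqube:latest
#   docker export sq-audit > rootfs.tar && docker rm sq-audit
#   audit_rootfs_tar rootfs.tar || exit 1
```

      The check deliberately matches only basenames under bin/ and sbin/, so a shared library such as libcurl.so (which a Java application may legitimately pull in) is not confused with the curl client binary. Run it after the image build and before the push, alongside the SCA and image scanner steps, so that a stray `apt-get install` in the Dockerfile breaks the pipeline rather than reaching users.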





              Christophe Levis (christophe.levis)