I have a question about the operation of the environment deployed using the Mendix for Amazon EKS - Terraform module on AWS. The deployed container image is registered in Amazon ECR's Private Registry. When I checked the container with ECR's Image Scanning function (*1), I found several vulnerabilities. Let me ask you two questions.

Q1. How can I fix the vulnerabilities?

Q2. And who is responsible for fixing the image?

*1 Amazon ECR Image scanning: https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html
Hi Hidemasa Oiwa,
Thanks for using Mendix on Amazon EKS. The short answer to your questions is ‘it depends’; obviously this warrants a more nuanced explanation. First, you must filter the scanning results, dismissing ‘false positives’ and ‘not exploitable issues’; you can easily assess this by either consulting your scanning solution's documentation or searching in a security vulnerability database. Second, once you have filtered the list of vulnerabilities, prioritize them according to their criticality. Third, you must pinpoint whether the vulnerability is caused by an OS library, a Mendix module dependency, or something you have added yourself:
For OS libraries, we depend on Red Hat (our base image) to address those issues, and we continuously create new images to carry the latest security patches delivered by them. You are responsible for keeping your app containers up to date if you want to have the latest security patches.
Library dependencies from modules: please check the corresponding entry in the Marketplace for updates or report the issue to the maintainer. A collective effort helps to keep the security posture of the Mendix ecosystem.
Issues introduced by your app changes: you could add libraries that result in security vulnerabilities. Please consider using the latest version of any library and check the documentation for any known vulnerabilities before you consider including it in your project. Using a security scanner is another good measure to proactively detect any security issue early on.
Keeping your software and services secured is a collective effort in which we all play an important role.
Hope this post addresses your questions.
Carlos Salinas Gancedo
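The three steps in the answer above (drop accepted findings, rank by severity, attribute each finding to the OS base image or to app/module libraries) can be scripted over the output of `aws ecr describe-image-scan-findings`. This is an added example, not code from the original thread or from Mendix; the report below is constructed to mirror that output's shape, the CVE ids are placeholders, and the `app_packages` set is an assumption you would fill from your own project's dependencies.

```python
"""Triage a basic ECR image scan report: drop accepted findings, rank by severity,
and attribute each finding to a layer (OS base image vs. app/module libraries).
The sample report is constructed for this example; it mirrors the shape of
`aws ecr describe-image-scan-findings` output but is not real scanner data."""
import json

SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3,
                 "INFORMATIONAL": 4, "UNDEFINED": 5}

# Constructed sample; CVE ids are placeholders, not real identifiers.
SAMPLE_REPORT = json.dumps({"imageScanFindings": {"findings": [
    {"name": "CVE-XXXX-0001", "severity": "HIGH",
     "attributes": [{"key": "package_name", "value": "openssl-libs"},
                    {"key": "package_version", "value": "1.1.1k-1"}]},
    {"name": "CVE-XXXX-0002", "severity": "CRITICAL",
     "attributes": [{"key": "package_name", "value": "example-module-lib"},
                    {"key": "package_version", "value": "2.14.1"}]},
    {"name": "CVE-XXXX-0003", "severity": "LOW",
     "attributes": [{"key": "package_name", "value": "glibc"},
                    {"key": "package_version", "value": "2.28-151"}]},
]}})

def triage(report_json, accepted, app_packages):
    """Return open findings sorted by severity, each tagged with the layer that owns the fix.

    accepted:     finding ids already reviewed and dismissed (false positive / not exploitable)
    app_packages: package names shipped by your own app or Marketplace modules (assumed
                  input); anything else is attributed to the OS base image layer.
    """
    findings = json.loads(report_json)["imageScanFindings"]["findings"]
    result = []
    for f in findings:
        if f["name"] in accepted:
            continue  # already triaged; record the reason in your own risk register
        attrs = {a["key"]: a["value"] for a in f.get("attributes", [])}
        pkg = attrs.get("package_name", "unknown")
        layer = "app/module" if pkg in app_packages else "os-base-image"
        result.append({"id": f["name"], "severity": f["severity"],
                       "package": f"{pkg} {attrs.get('package_version', '')}".strip(),
                       "layer": layer})
    # Unknown severities sort last rather than crashing the triage run.
    result.sort(key=lambda r: SEVERITY_RANK.get(r["severity"], 99))
    return result

if __name__ == "__main__":
    for row in triage(SAMPLE_REPORT, accepted={"CVE-XXXX-0003"},
                      app_packages={"example-module-lib"}):
        print(row)
```

Findings tagged `os-base-image` are resolved by rebuilding on a newer Mendix image; `app/module` findings point at a Marketplace module update or a library you added yourself.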
Carlos is best placed to answer this, but he’s out till Aug 30, so please be patient.