0

We have an ASP.NET Core Docker image built via the default FROM mcr.microsoft.com/dotnet/aspnet:6.0 AS base in the Dockerfile.

We have a weekly build. Our vulnerability scan raises a different issue each build for low-level Debian libraries. E.g. Week1: issue about libraryA v1. It is recommending us to update libraryA to v2. But the following week, when we build a new Docker image, ASPNET automatically comes with v2 of libraryA. We didn't even have to do something about libraryA. But then, new vulnerabilities are reported, which will then be automatically fixed in the coming weeks.

Is there a way to tell ASP to use a specific OS version?

From the ASPNET dockerhub,

https://hub.docker.com/_/microsoft-dotnet-aspnet/

These are the tags for Debian11:

6.0.13-bullseye-slim-amd64, 6.0-bullseye-slim-amd64, 6.0.13-bullseye-slim, 6.0-bullseye-slim, 6.0.13, 6.0

Our build last November was using 6.0.11 by checking the docker history of the image. It reported some issue about krb5/libgssapi-krb5-2, recommending it to upgrade to version 1.18.3-6+deb11u3. Our docker image last November was only using deb11u2 when I docker-exec'ed into it.

Today (January), if I try the following FROM to force the specific ASPNET version, the library is automatically updated to deb11u3 out of the box.

• FROM mcr.microsoft.com/dotnet/aspnet:6.0.11 AS base
• FROM mcr.microsoft.com/dotnet/aspnet:6.0.11-bullseye-slim-amd64 AS base

I am thinking of baselining a specific ASPNET or Debian version, and I will just manually address the vulnerability reports by using apt-get of those libraries. But from my testing above, it seems like Microsoft automatically updates the underlying OS even if I specify a specific version in the Dockerfile's FROM.

Any clue how to tell ASPNET to use a specific OS version? (Sorry Docker newbie here)

Improve this question

1 Answer 1

Reset to default
2

The aspnet Dockerfiles aren't based on pinned versions of their dependencies, so even if you pin the aspnet version you want by using 6.0.13-bullseye-slim-amd64, if Microsoft rebuild it and re-publish it, some of the underlying libraries might have been updated.

To completely pin what version of the image you want, you can use the digest in your FROM statements instead of a tag. That way, you won't get any updates at all and will always point to the exact version of the image you want.

You use it like this

FROM mcr.microsoft.com/dotnet/aspnet@sha256:5cf4aaa3fceb9bca683d56213873c0e418133a1ed36886a629bca266fb12e41b

You can find the digest by running docker inspect image <image>. The digest is in the 'RepoDigests' field. The digest is also printed when you do docker pull.

You should then add a comment in the Dockerfile about what tag the digest refers to, since that's not obvious anymore.

Let me add that this might not be a good idea to do. You're denying yourself security updates that could fix important vulnerabilities. It might be worth looking into how you can have a smooth workflow and also get these updates at the same time.

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

Thank you very much @Hans Just to clarify, docker inspect image should be on the aspnet core image from the machine where I ran docker build last November. The RepoDigests from this machine will result to the outdated library from November.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.