Tool chain security dependencies in containers
Daniel Nashed – 17 May 2025 15:02:09
Building your own software from scratch with a small number of dependencies such as OpenSSL and libcurl on current Linux versions is straightforward.
But as soon as you add external projects to your stack, they bring in more dependencies, which can raise security challenges.
In the container world there is strict vulnerability scanning. Stacks like https://www.chainguard.dev/ provide great options to keep the stack you are building on secure.
But you might have external projects you rely on, and you usually don't want to build everything from scratch.
Example for a dependency
The Prometheus Node Exporter is an optional component of the Domino container image.
It is built with Go, and a statically linked Go run-time that is not up to date can carry known vulnerabilities.
Even if the project keeps all its dependencies current, an older version of the application may still carry older versions of, for example, the Go run-time statically linked.
Linking Go statically is a common practice so that no run-time environment has to be installed on the target system.
In my particular case the Node Exporter was outdated, and the newer version comes with a newer Go run-time statically linked.
Container scan tools
The good news is that Docker Scout and other vulnerability scanners show the CVEs and the version in which they are fixed.
glibc is dynamically linked, so patching it depends on the run-time environment. On a Linux machine this would be a normal OS update.
For a container image it means re-building the image with the latest Linux updates.
As a good practice, every piece of software should show the version of the tool chain it was built with and is running on.
In the example below you see the updated run-time of the current Node Exporter, which fixes the reported CVEs.
Conclusion
- As a developer you have to be aware of your dependencies and watch them closely
- If it is reasonable to link dynamically, it can make a lot of sense
- But if you expect the target to have older versions, it might be better to bundle them
(for example Domino bundles the latest versions of OpenSSL, which are usually newer than what Linux ships)
- When running containers you should scan the images and ensure you are running the latest versions
- Making it easy for an admin to query all the dependencies is important, as you can see from the Node Exporter example
I have just updated the container image to use the latest Node Exporter.
Example Node Exporter
node_exporter --version
node_exporter, version 1.9.1 (branch: HEAD, revision: f2ec547b49af53815038a50265aa2adcd1275959)
build user: root@7023beaa563a
build date: 20250401-15:19:01
go version: go1.23.7
platform: linux/amd64
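As an added example (not part of the original post or of the Node Exporter project), this small Go program reads the build information the Go linker embeds in every module-built binary, so an admin can list the toolchain and module dependency versions without executing the binary, and it fails when the embedded toolchain is older than a given minimum. The program name gocheck, the binary path and the minimum version on the command line are assumptions.

```go
package main

import (
	"debug/buildinfo"
	"errors"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// parseGoVersion turns "go1.23.7" (or the old two-field "go1.20") into one
// comparable integer; pre-release strings like "go1.24rc1" are rejected on purpose.
func parseGoVersion(v string) (n int, err error) {
	// pad so "go1.20" compares like "go1.20.0"; only the first three fields count
	for _, f := range strings.SplitN(strings.TrimPrefix(v, "go")+".0.0", ".", 4)[:3] {
		part, perr := strconv.Atoi(f)
		if perr != nil || part < 0 || part > 999 {
			return 0, fmt.Errorf("unrecognised Go version %q", v)
		}
		n = n*1000 + part
	}
	return n, nil
}

// olderThan reports whether toolchain version have is older than min.
func olderThan(have, min string) (bool, error) {
	h, errH := parseGoVersion(have)
	m, errM := parseGoVersion(min)
	return h < m, errors.Join(errH, errM) // nil when both parsed
}

// checkBinary reads the build info embedded in a Go binary without executing it,
// prints it (toolchain, main module, every dependency) and flags an old toolchain.
func checkBinary(path, minGo string) (goVersion string, outdated bool, err error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", false, err
	}
	fmt.Print(bi) // *debug.BuildInfo implements String() in "go version -m" format
	outdated, err = olderThan(bi.GoVersion, minGo)
	return bi.GoVersion, outdated, err
}

func main() { // usage: gocheck <binary> <minimum Go version>; exits 1 when outdated
	if _, outdated, err := checkBinary(os.Args[1], os.Args[2]); err != nil || outdated {
		fmt.Fprintln(os.Stderr, "FAIL: outdated:", outdated, "error:", err)
		os.Exit(1)
	}
}
```

Run it against the node_exporter binary from the image with a minimum such as go1.23.7 to turn the manual "--version" check into a build-time gate.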