Hey @Goldich thanks for reporting! Let me try to answer some of the questions to shed a bit of light in here:
are there no plans to fix this
Sure, I review the Docker Hub scans from time to time, but most findings that I can see are not Docker image related, but direct peer dependencies of docToolchain. As of now docToolchain uses many other Gradle plugins that are less frequently updated. Most of the vulnerabilities I can see are related to those plugins we rely on.
can you please consider using a dependency bot like renovate to update the dependencies?
We have dependabot, but something there seems not to be working properly. I need to investigate, although I think the main issue here are the peer dependencies.
Quay fixes most of the dependencies automatically by introducing new docker layers with updated package versions, but I guess it will help everyone if you do the fixes directly in the image
That's interesting, can you tell me how this reduces the overall findings? I think the new layer could only fix OS dependencies, right?
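The question above, whether an extra image layer can address anything beyond OS packages, comes down to which ecosystem each finding belongs to. The following is an added example (not code from docToolchain or from Quay) that triages a scanner's findings into three buckets: OS packages that a layer running the distribution's package manager can upgrade, application dependencies (Gradle/Maven artifacts) that only a rebuild of the image with updated dependencies can fix, and findings with no patch available. The findings list, the package names and the CVE-style ids are constructed placeholders; the scanner report format is assumed, and the generated `apt-get` line assumes a Debian-based base image.

```python
"""Triage container-scan findings by what an extra image layer can fix.

Added illustration with constructed data; not Quay's report format and
not part of the docToolchain project.
"""
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Ecosystems a distro package manager controls versus ones baked into the app.
OS_PACKAGE_TYPES = {"deb", "rpm", "apk"}
APP_PACKAGE_TYPES = {"maven", "gradle", "npm", "pypi"}


@dataclass(frozen=True)
class Finding:
    cve: str                      # placeholder id, not a real advisory
    package: str
    package_type: str             # "deb", "apk", "maven", ...
    severity: str                 # "Critical", "High", "Medium", "Low", "Unknown"
    fixed_version: Optional[str]  # None when the scanner reports no patch


# Constructed sample findings; ids and versions are placeholders.
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", "libssl3", "deb", "Critical", "3.0.11-1"),
    Finding("CVE-0000-0002", "curl", "deb", "High", "7.88.1-10"),
    Finding("CVE-0000-0003", "org.example:some-gradle-plugin", "maven", "High", "2.1.0"),
    Finding("CVE-0000-0004", "org.example:some-library", "maven", "Medium", None),
    Finding("CVE-0000-0005", "zlib1g", "deb", "Low", None),
]


def triage(findings: List[Finding]) -> Tuple[List[Finding], List[Finding], List[Finding]]:
    """Split findings into (os_fixable, app_rebuild, unpatched).

    os_fixable:  OS packages with a fix; an added layer can upgrade them.
    app_rebuild: application dependencies with a fix; need a new build.
    unpatched:   no fixed version known, or an ecosystem we do not handle.
    """
    os_fixable, app_rebuild, unpatched = [], [], []
    for f in findings:
        if f.fixed_version is None:
            unpatched.append(f)
        elif f.package_type in OS_PACKAGE_TYPES:
            os_fixable.append(f)
        elif f.package_type in APP_PACKAGE_TYPES:
            app_rebuild.append(f)
        else:
            unpatched.append(f)  # unknown ecosystem: keep it visible, not silently dropped
    return os_fixable, app_rebuild, unpatched


def severity_counts(findings: List[Finding]) -> dict:
    """Counts per severity, the same shape as a scanner summary."""
    return dict(Counter(f.severity for f in findings))


def os_fix_layer(os_fixable: List[Finding]) -> str:
    """Render the RUN instruction an extra layer would need (Debian pinning syntax)."""
    pins = " ".join(f"{f.package}={f.fixed_version}" for f in os_fixable if f.package_type == "deb")
    if not pins:
        return ""
    return ("RUN apt-get update && apt-get install -y --no-install-recommends "
            f"--only-upgrade {pins} && rm -rf /var/lib/apt/lists/*")


if __name__ == "__main__":
    os_fixable, app_rebuild, unpatched = triage(SAMPLE_FINDINGS)
    print("summary:", severity_counts(SAMPLE_FINDINGS))
    print("fixable by an OS-package layer:", [f.package for f in os_fixable])
    print("need an application rebuild:", [f.package for f in app_rebuild])
    print("no patch available:", [f.cve for f in unpatched])
    print(os_fix_layer(os_fixable))
```

Running this on the sample shows the split the maintainer suspects: the OS findings collapse into one `apt-get` layer, while the Maven findings stay until the image is rebuilt with updated Gradle dependencies, and the unpatched ones remain in both cases.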
Dear devs,
can you please consider using a dependency bot like renovate to update the dependencies?
Due to a corporate rule, I mirror the docker image on our internal registry. We are using Quay and it has an inbuilt security scanner. Unfortunately, there is no reporting feature, so I am pasting it here directly in. Please note that the report is based on the image tag v3.1.2. Quay fixes most of the dependencies automatically by introducing new docker layers with updated package versions, but I guess it will help everyone if you do the fixes directly in the image.
Summary
Quay Security Scanner has detected 197 vulnerabilities.
Patches are available for 193 vulnerabilities.
24 Critical-level vulnerabilities.
88 High-level vulnerabilities.
55 Medium-level vulnerabilities.
25 Low-level vulnerabilities.
5 Unknown-level vulnerabilities.
Attachment with details
Sec_report.pdf