Note: We also welcome PRs to fix bugs! This helps us take action faster where a bug has been identified!
For our official CircleCI Docker Convenience Image support policy, please see CircleCI docs.
This policy outlines the release, update, and deprecation policy for CircleCI Docker Convenience Images.
Describe the bug
The image has multiple vulnerabilities, many of which are fixed in the upstream packages and so just a rebuild should fix them. From my count: "critical_fixable":1,"high_fixable":14,"medium_fixable":45
To Reproduce
Scan the image
Expected behavior
The packages to be up to date.
Workarounds
It's costly, but we could run the updates and host our own images.
Screenshots and Build Links
If possible, add screenshots and links to jobs to help explain your problem.
Additional context
We use this image in our CI workflows, and CI is a major point of exploitation.
We've cut a new image tag 2024.08 built against the latest ubuntu 22.04 cimg/base, and with some updated tooling. Please run your scan on that image and see if it closes the vulnerabilities you have reported.
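The "scan the image" step in the report and the "re-run your scan on the new tag" request in the reply, as an added example that is not part of this issue or of CircleCI's tooling: a small script that reads a scanner's JSON report, produces a summary in the same shape the reporter quotes (`critical_fixable`, `high_fixable`, ...), and compares two scans to list the fixable findings a rebuild did not close. The issue does not name the scanner, so the code assumes a Trivy-like layout (`Results[].Vulnerabilities[]` with `Severity` and `FixedVersion` keys); the two sample reports and the `CVE-XXXX-000N` ids are constructed placeholders, not findings from any real image.

```python
import json
from collections import Counter

SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW")


def _v(vid, pkg, sev, fixed=""):
    """Build one finding in the assumed Trivy-like shape (helper for the sample data)."""
    return {"VulnerabilityID": vid, "PkgName": pkg, "Severity": sev, "FixedVersion": fixed}


# Constructed sample: scan of the old tag. Empty FixedVersion = no upstream fix yet.
BEFORE_SCAN = json.dumps({"Results": [{
    "Target": "example-image:old (ubuntu 22.04)",  # placeholder target name
    "Vulnerabilities": [
        _v("CVE-XXXX-0001", "libexample1", "CRITICAL", "1.0-2"),
        _v("CVE-XXXX-0002", "libexample2", "HIGH", "2.4"),
        _v("CVE-XXXX-0003", "libexample2", "HIGH"),          # unfixable upstream
        _v("CVE-XXXX-0004", "tool3", "MEDIUM", "1.0"),
        _v("CVE-XXXX-0005", "tool3", "MEDIUM", "1.0"),
        _v("CVE-XXXX-0006", "tool4", "LOW"),                 # unfixable upstream
    ]}]})

# Constructed sample: scan of the rebuilt tag. The rebuild picked up most fixes,
# but one medium finding (0005) is still present, and the unfixable ones remain.
AFTER_SCAN = json.dumps({"Results": [{
    "Target": "example-image:new (ubuntu 22.04)",  # placeholder target name
    "Vulnerabilities": [
        _v("CVE-XXXX-0003", "libexample2", "HIGH"),
        _v("CVE-XXXX-0005", "tool3", "MEDIUM", "1.0"),
        _v("CVE-XXXX-0006", "tool4", "LOW"),
    ]}]})


def _findings(report_json):
    """Yield (id, package, severity, fixable) for every finding in the report.

    Assumption: Trivy-like layout, 'Results[].Vulnerabilities[]' where a non-empty
    'FixedVersion' means a package update exists that closes the finding.
    """
    for result in json.loads(report_json).get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            yield (vuln["VulnerabilityID"],
                   vuln.get("PkgName", "?"),
                   vuln.get("Severity", "UNKNOWN").upper(),
                   bool(vuln.get("FixedVersion")))


def count_fixable(report_json):
    """Summary in the shape quoted in the issue: {'critical_fixable': 1, ...}.

    Unfixable findings are counted under their own keys so it is clear how much
    a plain rebuild (no source changes) can be expected to close.
    """
    counts = Counter()
    for _, _, sev, fixable in _findings(report_json):
        counts[f"{sev.lower()}_{'fixable' if fixable else 'unfixable'}"] += 1
    return {f"{s.lower()}_{k}": counts[f"{s.lower()}_{k}"]
            for s in SEVERITIES for k in ("fixable", "unfixable")}


def still_open_after_rebuild(before_json, after_json):
    """IDs that were fixable in the old scan and still appear in the new one.

    An empty list means the rebuild closed every fixable finding; anything
    listed needs a closer look (pinned version, stale base layer, tool not rebuilt).
    """
    after_ids = {fid for fid, *_ in _findings(after_json)}
    return sorted(fid for fid, _, _, fixable in _findings(before_json)
                  if fixable and fid in after_ids)


if __name__ == "__main__":
    print("old tag:", count_fixable(BEFORE_SCAN))
    print("new tag:", count_fixable(AFTER_SCAN))
    print("fixable findings still open:", still_open_after_rebuild(BEFORE_SCAN, AFTER_SCAN))
```

To use this against a real scan, replace the two constructed strings with the JSON each scanner run writes for the old and new tags; the comparison is by vulnerability id, so the scanner and database version should be the same for both runs or the diff will mix up "fixed by rebuild" with "changed by a database update".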