corretto / corretto-8-docker

Dockerfiles for Amazon Corretto 8
MIT No Attribution

Docker security scanning vulnerabilities #26

Closed pratapagiri closed 5 years ago

pratapagiri commented 5 years ago

Docker security scanning listed many major and critical vulnerabilities at: https://hub.docker.com/_/amazoncorretto/scans/library/amazoncorretto/8

Is there a plan to address these in the official image?

iliana commented 5 years ago

Hi,

The amazoncorretto image is derived from the amazonlinux image. I'm one of the maintainers of that image.

This answer is covered in the Docker Library FAQ ("Why does my security scanner show that an image has CVEs?") and in https://github.com/aws/amazon-linux-docker-images/issues/8.

The gist of the answer is that Docker's scanning infrastructure is based on versions of packages in other RPM-based Linux distros and their security data, which is different from Amazon Linux's security data. We don't have any input into how the security scanner works.

For information regarding vulnerabilities fixed in Amazon Linux, refer to https://alas.aws.amazon.com/. This, and the updateinfo.xml.gz that is part of the software repositories, is the only authoritative reference for security vulnerability information in Amazon Linux.

Furthermore, if you have questions about specific vulnerabilities in the base OS that are not listed on the Amazon Linux Security Center, please reach out to AWS Support or ask a question on our forums; in the specific case where it's a package distributed in the amazonlinux or amazoncorretto images, you may file an issue on https://github.com/aws/amazon-linux-docker-images.

Please let me know if you have any further questions, but I believe the above information explains everything.

@EricEdens If you can pin a closed issue, I'd recommend pinning this :)
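A defender's check in the spirit of the updateinfo.xml.gz pointer in the answer above, added here as an example and not code from this thread or from the Corretto or Amazon Linux projects: it parses a constructed updateinfo.xml sample (the advisory id, CVE id and package versions are placeholders) and reports which installed packages fall below an advisory's fixed version, using a simplified rpm version comparison (no tilde or caret handling).

```python
import gzip
import re
import xml.etree.ElementTree as ET

# Constructed updateinfo.xml sample in the usual yum repodata shape; the
# advisory id, CVE id and package versions are placeholders, not real ALAS data.
SAMPLE_XML = b"""<updates>
 <update status="final" type="security" version="1.4">
  <id>ALAS-0000-0001</id>
  <severity>important</severity>
  <references><reference href="https://alas.aws.amazon.com/" id="CVE-0000-0001" type="cve" title=""/></references>
  <pkglist><collection short="amazon-linux-ami"><package arch="x86_64" epoch="0" name="examplelib" release="2.amzn2" version="1.2.4"/></collection></pkglist>
 </update>
</updates>"""
SAMPLE_GZ = gzip.compress(SAMPLE_XML)  # stands in for repodata/updateinfo.xml.gz

def rpm_vercmp(a, b):
    """Simplified rpmvercmp: split into numeric/alpha runs; numeric runs compare
    as integers, alpha runs lexically, and a numeric run sorts above an alpha run."""
    sa, sb = re.findall(r"\d+|[A-Za-z]+", a), re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_cmp(a, b):
    """Compare (epoch, version, release) triples; the first differing field decides."""
    return next((c for c in map(rpm_vercmp, a, b) if c), 0)

def load_security_advisories(gz_bytes):
    """Parse updateinfo.xml.gz and keep only the type="security" entries."""
    adv = []
    for upd in ET.fromstring(gzip.decompress(gz_bytes)).findall("update"):
        if upd.get("type") != "security":
            continue
        adv.append({
            "id": upd.findtext("id"),
            "cves": [r.get("id") for r in upd.iter("reference") if r.get("type") == "cve"],
            "fixed": {p.get("name"): (p.get("epoch", "0"), p.get("version"), p.get("release"))
                      for p in upd.iter("package")},
        })
    return adv

def unpatched(installed, advisories):
    """installed is {name: (epoch, version, release)}; return (advisory, package,
    CVEs) for every installed package that is older than the advisory's fix."""
    return [(a["id"], n, a["cves"]) for a in advisories
            for n, fix in a["fixed"].items()
            if n in installed and evr_cmp(installed[n], fix) < 0]
```

Feed it the real repodata/updateinfo.xml.gz from the image's enabled repositories and the output of `rpm -qa` to see which advisories actually apply, instead of relying on a scanner keyed to another distribution's package versions.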