Closed pratapagiri closed 5 years ago
Hi,
The amazoncorretto
image is derived from the amazonlinux
image. I'm one of the maintainers of that image.
This answer is covered in the Docker Library FAQ ("Why does my security scanner show that an image has CVEs?") and in https://github.com/aws/amazon-linux-docker-images/issues/8.
The gist of the answer is that Docker's scanning infrastructure is based on versions of packages in other RPM-based Linux distros and their security data, which is different from Amazon Linux's security data. We don't have any input into how the security scanner works.
For information regarding vulnerabilities fixed in Amazon Linux, refer to https://alas.aws.amazon.com/. This, and the updateinfo.xml.gz that is part of the software repositories, is the only authoritative reference for security vulnerability information in Amazon Linux.
Furthermore if you have questions about specific vulnerabilities in the base OS that are not listed on the Amazon Linux Security Center, please reach out to AWS Support or ask a question on our forums; in the specific case where it's a package distributed in the amazonlinux
or amazoncorretto
images, you may file an issue on https://github.com/aws/amazon-linux-docker-images.
Please let me know if you have any further questions, but I believe the above information explains everything.
@EricEdens If you can pin a closed issue, I'd recommend pinning this :)
Docker-security scanning listed many major and critical vulnerabilities at: https://hub.docker.com/_/amazoncorretto/scans/library/amazoncorretto/8
Is there a plan to address these in the official image?