cs3org / wopiserver

A vendor-neutral application gateway compatible with the WOPI specifications.
Apache License 2.0

Base Image CVEs #112

Closed wkloucek closed 1 year ago

wkloucek commented 1 year ago

#110 switched the base image from alpine to debian.

With Alpine we had the following CVE summary (trivy image cs3org/wopiserver:v9.4.0):

cs3org/wopiserver:v9.4.0 (alpine 3.17.1)

Total: 16 (UNKNOWN: 0, LOW: 0, MEDIUM: 4, HIGH: 12, CRITICAL: 0)

With Debian we now have the following CVE summary (trivy image cs3org/wopiserver:v9.4.2ap):

cs3org/wopiserver:v9.4.2ap (debian 10.13)

Total: 598 (UNKNOWN: 4, LOW: 428, MEDIUM: 69, HIGH: 96, CRITICAL: 1)

From a security perspective this looks bad because the switch added:

Couldn't we use alpine for the non-arm64 images and switch arm64 also to alpine when the build bugs are resolved? One thing we also could do is provide an alpine-based wopi server image with a suffix tag like cs3org/wopiserver:v9.4.0-alpine.
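The two trivy summaries quoted above are the kind of before/after comparison a CI gate can automate. The script below is an added example, not code from the wopiserver project: it parses the one-line `Total: ...` summary that `trivy image` prints per target (the only part of trivy's output it assumes), checks that the per-severity counts add up to the reported total, and reports how many findings at or above a chosen severity a base-image change introduced. The sample blocks are the figures from this issue; the `HIGH` floor and the REGRESSION/OK verdict are this example's own choices.

```python
"""Compare two `trivy image` summaries and flag a CVE regression.

Added example for the base-image discussion; not part of the wopiserver
project. Assumes trivy's per-target summary looks like the blocks below
(target header line, then a "Total: N (SEV: n, ...)" line).
"""
import re
from dataclasses import dataclass

SEVERITIES = ("UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL")

# Sample input copied from the issue text (constructed test data for this example).
ALPINE_SCAN = """cs3org/wopiserver:v9.4.0 (alpine 3.17.1)

Total: 16 (UNKNOWN: 0, LOW: 0, MEDIUM: 4, HIGH: 12, CRITICAL: 0)
"""
DEBIAN_SCAN = """cs3org/wopiserver:v9.4.2ap (debian 10.13)

Total: 598 (UNKNOWN: 4, LOW: 428, MEDIUM: 69, HIGH: 96, CRITICAL: 1)
"""

# Target header, e.g. "cs3org/wopiserver:v9.4.0 (alpine 3.17.1)"
_TARGET_RE = re.compile(r"^(?P<image>\S+)\s+\((?P<os>[^)]+)\)\s*$")
# Summary line, e.g. "Total: 16 (UNKNOWN: 0, LOW: 0, MEDIUM: 4, HIGH: 12, CRITICAL: 0)"
_TOTAL_RE = re.compile(r"Total:\s*(?P<total>\d+)\s*\((?P<body>[^)]*)\)")


@dataclass
class ScanSummary:
    image: str
    os_name: str
    total: int
    counts: dict  # severity name -> number of findings


def parse_summary(text: str) -> ScanSummary:
    """Parse one trivy target block into a ScanSummary.

    Raises ValueError if the header or Total line is missing, or if the
    per-severity counts do not add up to the reported total (a sign that
    the output format changed and the gate would otherwise be silently wrong).
    """
    image = os_name = None
    total = None
    counts: dict = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _TARGET_RE.match(line)
        if m and image is None:
            image, os_name = m.group("image"), m.group("os")
            continue
        m = _TOTAL_RE.search(line)
        if m:
            total = int(m.group("total"))
            for part in m.group("body").split(","):
                sev, _, num = part.strip().partition(":")
                sev = sev.strip().upper()
                if sev in SEVERITIES:
                    counts[sev] = int(num)
    if image is None or total is None:
        raise ValueError("not a trivy summary block")
    if sum(counts.values()) != total:
        raise ValueError("severity counts do not match Total")
    return ScanSummary(image, os_name, total, counts)


def count_at_or_above(summary: ScanSummary, floor: str) -> int:
    """Number of findings whose severity is >= floor, in SEVERITIES order."""
    idx = SEVERITIES.index(floor)
    return sum(summary.counts.get(s, 0) for s in SEVERITIES[idx:])


def regression(before: ScanSummary, after: ScanSummary, floor: str = "HIGH"):
    """Return (delta, verdict): how many >=floor findings the change added."""
    delta = count_at_or_above(after, floor) - count_at_or_above(before, floor)
    return delta, ("REGRESSION" if delta > 0 else "OK")


if __name__ == "__main__":
    before, after = parse_summary(ALPINE_SCAN), parse_summary(DEBIAN_SCAN)
    for floor in ("HIGH", "CRITICAL"):
        delta, verdict = regression(before, after, floor)
        print(f"{before.image} -> {after.image}: {floor}+ delta {delta:+d} ({verdict})")
```

Run against the two blocks from the issue it reports +85 findings at HIGH or above and +1 at CRITICAL, which is the regression wkloucek describes. In a pipeline the verdict would come from the JSON trivy can emit rather than from scraping the text summary, but the comparison logic (severity floor, before/after delta, fail on growth) is the same.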

glpatcern commented 1 year ago

This was already fixed, if you see the latest builds (I've just created a regular tag) we use alpine for amd64.

glpatcern commented 1 year ago

Actually, although the code looks good, we have #113 - following up there