docker-library / openjdk

Docker Official Image packaging for EA builds of OpenJDK from Oracle
http://openjdk.java.net
MIT License

Vulnerability Issues for image openjdk:8-jdk-slim-buster #449

Closed karthiksonti24 closed 3 years ago

karthiksonti24 commented 3 years ago

Hi Team, I'm facing this issue while doing vulnerability checks for this image openjdk:8-jdk-slim-buster. Can someone suggest a fix for this issue? Attached in file: logs.txt

wglambert commented 3 years ago

See https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves and https://github.com/docker-library/postgres/issues/286#issuecomment-302512767, as well as docker-library/openjdk#161, docker-library/openjdk#112, docker-library/postgres#286, docker-library/drupal#84, docker-library/official-images#2740, docker-library/ruby#117, docker-library/ruby#94, docker-library/python#152, docker-library/php#242, docker-library/buildpack-deps#46, docker-library/openjdk#185.

A CVE doesn't imply having an actual vulnerability, and often is even a false positive (given how most distributions handle versioning/security updates in stable releases). If there are actionable items we can resolve, we're happy to do so (and do so actively). We update all Debian based images to include any updates in apt packages at least monthly (we regenerate the base images and then rebuild all dependent images).

karthiksonti24 commented 3 years ago

@wglambert Thanks for the information about this. Can you resolve them and give us the latest images?

wglambert commented 3 years ago

https://snyk.io/vuln/SNYK-DEBIAN10-SYSTEMD-345386
Systemd isn't in the container.

https://snyk.io/vuln/SNYK-DEBIAN10-SYSTEMD-345391
Same as above.

https://snyk.io/vuln/SNYK-DEBIAN10-LIBIDN2-474100
https://security-tracker.debian.org/tracker/CVE-2019-12290
Buster is still vulnerable, so there's nothing actionable for us to do; it's also considered a minor issue.

https://snyk.io/vuln/SNYK-DEBIAN10-GNUTLS28-609778
https://security-tracker.debian.org/tracker/CVE-2020-24659
Same as above.

https://snyk.io/vuln/SNYK-DEBIAN10-GLIBC-559488
https://security-tracker.debian.org/tracker/CVE-2020-1751
Same as above. It's also unique to the PowerPC architecture, which we don't have a variant for.

https://snyk.io/vuln/SNYK-DEBIAN10-GLIBC-559493
https://security-tracker.debian.org/tracker/CVE-2020-1752

Directory paths containing an initial tilde followed by a valid username were affected by this issue

Buster is still vulnerable, so there's nothing actionable for us to do; it's also considered a minor issue.

https://snyk.io/vuln/SNYK-DEBIAN10-GCC8-347558
https://security-tracker.debian.org/tracker/CVE-2018-12886
Buster is still vulnerable, so there's nothing actionable for us to do. It's listed as "Too intrusive to backport".

https://snyk.io/vuln/SNYK-DEBIAN10-GCC8-469413
https://security-tracker.debian.org/tracker/CVE-2019-15847
Buster is still vulnerable, so there's nothing actionable for us to do; it's also considered a minor issue that affects only POWER9 binaries.

All packages in the container are at their latest version:

$ docker run -it --rm openjdk:8-jdk-slim-buster bash
root@2cda9447dcdf:/# apt update
Get:1 http://security.debian.org/debian-security buster/updates InRelease [65.4 kB]
Get:2 http://security.debian.org/debian-security buster/updates/main amd64 Packages [268 kB]
Get:3 http://deb.debian.org/debian buster InRelease [121 kB]
Get:4 http://deb.debian.org/debian buster-updates InRelease [51.9 kB]
Get:5 http://deb.debian.org/debian buster/main amd64 Packages [7907 kB]
Get:6 http://deb.debian.org/debian buster-updates/main amd64 Packages [7860 B]
Fetched 8422 kB in 2s (4393 kB/s)
Reading package lists... Done
Building dependency tree
Reading state information... Done
All packages are up to date.

root@2cda9447dcdf:/# apt list --upgradeable
Listing... Done
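The triage done by hand in the comment above (is the package even in the image, is the CVE open in buster with no fix planned, or does the installed version already carry the fix) can be scripted. This is an added example, not code from the thread or the docker-library project. It assumes the field names of the Debian security tracker JSON export (package, CVE, "releases", suite, "status", "fixed_version", "urgency", "nodsa") and feeds it a constructed snapshot; the installed-package list and scanner findings are also constructed, and the CVE-0000-* ids are placeholders.

```python
from typing import Dict

# Constructed snapshot in the shape of the Debian security tracker JSON export
# (package -> CVE -> "releases" -> suite -> status/fixed_version/urgency/nodsa).
# Field names are an assumption about the real export; values are made up,
# except the two CVE ids quoted in the thread. CVE-0000-* are placeholders.
TRACKER = {
    "systemd": {"CVE-0000-0001": {"releases": {"buster": {"status": "open"}}}},
    "libidn2": {"CVE-2019-12290": {"releases": {"buster": {
        "status": "open", "urgency": "unimportant", "nodsa": "Minor issue"}}}},
    "gcc-8": {"CVE-2018-12886": {"releases": {"buster": {
        "status": "open", "nodsa": "Too intrusive to backport"}}}},
    "glibc": {"CVE-0000-0002": {"releases": {"buster": {
        "status": "resolved", "fixed_version": "2.28-10"}}}},
}
# Constructed output of: dpkg-query -W -f='${source:Package} ${Version}\n'
INSTALLED_TXT = "glibc 2.28-10\nlibidn2 2.0.5-1+deb10u1\ngcc-8 8.3.0-6\n"
# Constructed scanner findings as (source package, CVE) pairs.
FINDINGS = [("systemd", "CVE-0000-0001"), ("libidn2", "CVE-2019-12290"),
            ("gcc-8", "CVE-2018-12886"), ("glibc", "CVE-0000-0002")]

def parse_installed(text: str) -> Dict[str, str]:
    """Map source package -> installed version from dpkg-query output."""
    return dict(line.split(maxsplit=1) for line in text.splitlines() if line.strip())

def triage(findings, installed, tracker, suite="buster"):
    """Classify each finding: not-installed, not-actionable, false-positive,
    upgrade (fix exists but image lags), or unknown (no tracker entry)."""
    out = {}
    for pkg, cve in findings:
        if pkg not in installed:
            out[cve] = ("not-installed", f"{pkg} is not in the image")
            continue
        rel = tracker.get(pkg, {}).get(cve, {}).get("releases", {}).get(suite)
        if rel is None:
            out[cve] = ("unknown", "no tracker entry; review manually")
        elif rel.get("status") == "open":
            why = rel.get("nodsa") or rel.get("urgency", "no fix in " + suite)
            out[cve] = ("not-actionable", f"open in {suite}: {why}")
        elif installed[pkg] == rel.get("fixed_version"):
            out[cve] = ("false-positive", f"installed {installed[pkg]} carries the fix")
        else:
            out[cve] = ("upgrade", f"fixed in {rel.get('fixed_version')}; apt upgrade")
    return out

if __name__ == "__main__":
    for cve, (verdict, why) in triage(FINDINGS, parse_installed(INSTALLED_TXT), TRACKER).items():
        print(f"{cve}: {verdict} ({why})")
```

The version check is an exact-string match; for a real run, compare with dpkg --compare-versions, since Debian backports keep the upstream version and bump only the Debian revision.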