docker-library / openjdk

Docker Official Image packaging for EA builds of OpenJDK from Oracle
http://openjdk.java.net
MIT License

Base image Anchore issues #490

Closed ranjith-ka closed 2 years ago

ranjith-ka commented 2 years ago

Hi team,

Looks like the base image still has some vulnerable things in debian:buster-slim

https://github.com/docker-library/openjdk/blob/master/8/jre/slim-buster/Dockerfile

https://security-tracker.debian.org/tracker/CVE-2018-25032

Any tips to fix this?

wglambert commented 2 years ago

You could manually update the package with apt update and apt install zlib1g and make a derived image with the updated package like

$ docker build -t openjdk:test - << EOF
FROM openjdk:slim-buster
RUN apt update && apt install -y zlib1g && rm -rf /var/lib/apt/lists/*
EOF

And if you want to, you could then even docker tag that to overwrite the existing openjdk:slim-buster image.

$ docker tag openjdk:test openjdk:slim-buster
$ docker run --rm openjdk:slim-buster apt list | grep -i zlib1g

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

zlib1g/now 1:1.2.11.dfsg-1+deb10u1 amd64 [installed,local]

But since the image was updated recently (https://github.com/docker-library/official-images/pull/12136) and the Debian security team considers it a minor issue, it will get updated on the usual monthly cadence.

Background:

Tags in the [official-images] library file[s] are only built through an update to that library file or as a result of its base image being updated (ie, an image FROM debian:buster would be rebuilt when debian:buster is built).

- https://github.com/docker-library/official-images/tree/2f086314307c04e1de77f0a515f20671e60d40bb#library-definition-files

Official Images FAQ:

Though not every CVE is removed from the images, we take CVEs seriously and try to ensure that images contain the most up-to-date packages available within a reasonable time frame

- https://github.com/docker-library/faq/tree/6138d05aabf61563606d86f98d0ccbd99f162b33#why-does-my-security-scanner-show-that-an-image-has-cves

Since our build system makes heavy use of Docker build cache, just rebuilding all of the Dockerfiles won't cause any change. So we rely on periodic base image updates.

We strive to publish updated images at least monthly for Debian and Ubuntu. We also rebuild earlier if there is a critical security need. Many Official Images are maintained by the community or their respective upstream projects, like Alpine and Oracle Linux, and are subject to their own maintenance schedule.

- from the same FAQ link
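
The check a practitioner wants after building the derived image above is whether the installed zlib1g actually reached the fixed version, rather than eyeballing `apt list` output (which, as the warning in the thread notes, has no stable CLI interface for scripts). The following is an added example and not code from the thread or from docker-library: it reimplements dpkg's version ordering (epoch, then upstream version, then Debian revision, with `~` sorting before everything) so the result matches what `dpkg --compare-versions` would say, and applies it to `dpkg-query -W -f='${Package} ${Version}\n'` output such as `docker run --rm openjdk:slim-buster dpkg-query -W -f='${Package} ${Version}\n'`. The package listings are constructed sample data, not captured from the image; the zlib1g fixed version is the one wglambert's apt output shows after the update, and should be confirmed against the Debian security tracker before being relied on.

```python
r"""Check whether an image's installed Debian packages reach a fixed version.

Added example, not code from the docker-library/openjdk thread. Feed it the
output of:  dpkg-query -W -f='${Package} ${Version}\n'   (run inside the image).
"""

DIGITS = "0123456789"


def _order(c: str) -> int:
    """Weight of a non-digit character, following dpkg's verrevcmp()."""
    if c in DIGITS:
        return 0
    if c.isascii() and c.isalpha():
        return ord(c)
    if c == "~":
        return -1          # tilde sorts before anything, even end of string
    if c:
        return ord(c) + 256
    return 0               # end of string


def _verrevcmp(a: str, b: str) -> int:
    """Compare two upstream-version or revision strings the way dpkg does."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit runs compare character by character using _order().
        while (i < len(a) and a[i] not in DIGITS) or (j < len(b) and b[j] not in DIGITS):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit runs compare numerically: drop leading zeros, then a longer run wins.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i] in DIGITS and j < len(b) and b[j] in DIGITS:
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i] in DIGITS:
            return 1
        if j < len(b) and b[j] in DIGITS:
            return -1
        if first_diff:
            return first_diff
    return 0


def split_version(v: str):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    if "-" in v:
        upstream, revision = v.rsplit("-", 1)
    else:
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as Debian version a is older than, equal to, or newer than b."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return -1 if r < 0 else 1
    return 0


def parse_dpkg_query(text: str) -> dict:
    """Parse '<package> <version>' lines; drops an architecture qualifier like ':amd64'."""
    installed = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, version = line.split(None, 1)
        installed[name.split(":")[0]] = version.strip()
    return installed


def find_unpatched(installed: dict, fixed: dict) -> dict:
    """Map package -> (installed, fixed) for packages still older than the fixed version."""
    return {
        pkg: (installed[pkg], fix)
        for pkg, fix in fixed.items()
        if pkg in installed and compare_versions(installed[pkg], fix) < 0
    }


# zlib1g: the version the thread's apt output shows after the update (assumption:
# treated here as the fixed version; confirm on the Debian security tracker).
FIXED_VERSIONS = {"zlib1g": "1:1.2.11.dfsg-1+deb10u1"}

# Constructed sample listings, not captured from openjdk:slim-buster.
SAMPLE_BEFORE = "libc6 2.28-10+deb10u1\nzlib1g:amd64 1:1.2.11.dfsg-1\n"
SAMPLE_AFTER = SAMPLE_BEFORE.replace("1:1.2.11.dfsg-1\n", "1:1.2.11.dfsg-1+deb10u1\n")

if __name__ == "__main__":
    for label, listing in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        bad = find_unpatched(parse_dpkg_query(listing), FIXED_VERSIONS)
        print(f"{label}: {bad or 'all listed packages at or above the fixed version'}")
```

The epoch handling matters here: a naive string comparison would rank `1.2.11.dfsg-1+deb10u1` and `1:1.2.11.dfsg-1+deb10u1` the wrong way round, and a scanner or script that drops the epoch will report a patched image as vulnerable, or the reverse.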

ranjith-ka commented 2 years ago

Thanks, I can understand better now.