Closed hmarzooq closed 1 year ago
See https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves

We update all Debian-based images to include any updates in apt packages at least monthly (we regenerate the base images and then rebuild all dependent images). In OpenJDK's case this has been in limbo because of https://github.com/docker-library/openjdk/issues/505.

CVE severity may differ significantly in a containerized environment: many CVEs, including critical-severity ones, are sometimes not a significant vulnerability, as they may rely on a specific component or vector of attack that isn't applicable in a containerized environment, like the examples in https://github.com/docker-library/openjdk/issues/449#issuecomment-763027011

Bookworm is unstable/testing; we only use stable releases of distributions: https://www.debian.org/releases/
Right now OpenJDK has an update for openssl.
$ docker run -it --rm openjdk:8-jre bash
root@812d83d412b1:/# apt update && apt list --upgradable
Get:1 http://deb.debian.org/debian bullseye InRelease [116 kB]
Get:2 http://security.debian.org/debian-security bullseye-security InRelease [44.1 kB]
Get:3 http://deb.debian.org/debian bullseye-updates InRelease [39.4 kB]
Get:4 http://security.debian.org/debian-security bullseye-security/main amd64 Packages [160 kB]
Get:5 http://deb.debian.org/debian bullseye/main amd64 Packages [8182 kB]
Get:6 http://deb.debian.org/debian bullseye-updates/main amd64 Packages [2592 B]
Fetched 8545 kB in 1s (6113 kB/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
2 packages can be upgraded. Run 'apt list --upgradable' to see them.
Listing... Done
libssl1.1/stable-security 1.1.1n-0+deb11u3 amd64 [upgradable from: 1.1.1n-0+deb11u2]
openssl/stable-security 1.1.1n-0+deb11u3 amd64 [upgradable from: 1.1.1n-0+deb11u2]
If you wanted to update these packages in the meantime, you could make a derivative Dockerfile.
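As an added example (not code from this thread or from the docker-library/openjdk project), here is what such a derivative Dockerfile can look like: it applies every pending apt update on top of the base image and fails the build if anything is still upgradable afterwards. The `BASE` build argument, the `app.jar` path and the `/app` working directory are assumptions for illustration; `BASE` defaults to the image discussed above and can be overridden with `--build-arg` to build the same way on another JDK 8 base.

```dockerfile
# Added example, not part of the openjdk image or this thread.
# BASE is an assumed build argument; defaults to the image under discussion.
ARG BASE=openjdk:8-jre
FROM ${BASE}

# Pull the current package lists, apply all pending upgrades (this picks up
# libssl1.1/openssl in the transcript above), then fail the build if anything
# is still pending: "apt-get -s upgrade" simulates an upgrade and prints one
# "Inst <pkg> ..." line per package it would install. Finally drop the lists
# so they do not bloat the layer.
RUN set -eux; \
    apt-get update; \
    apt-get upgrade -y --no-install-recommends; \
    if apt-get -s upgrade | grep -q '^Inst '; then \
        echo "packages still pending upgrade" >&2; \
        exit 1; \
    fi; \
    rm -rf /var/lib/apt/lists/*

# Hypothetical application jar and paths; replace with your own.
WORKDIR /app
COPY app.jar /app/app.jar
CMD ["java", "-jar", "app.jar"]
```

Two caveats a practitioner should keep in mind: the result of `apt-get update` depends on when the build runs, so this image has to be rebuilt regularly (for example with `docker build --no-cache`) or it silently falls behind again; and this only updates apt-managed packages such as libssl, it does nothing about the JDK binary itself or about anything the base image installed outside the package manager. To confirm what landed, run the built image with `dpkg -l libssl1.1` and compare the version against the `apt list --upgradable` output above.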
Thanks, your response is quite comprehensive and understandable. Just a quick question as well: as you've referenced #505, what alternative images could you recommend instead of openjdk:8-jre? Since our application is bound to use JDK 8, I'm most concerned about this question.
You could try Temurin or AdoptOpenJDK?
For the Tomcat image we went with Temurin https://github.com/docker-library/tomcat/pull/265
See also https://hub.docker.com/_/openjdk:
Some examples of other Official Image alternatives (listed in alphabetical order with no intentional or implied preference):
Hi,

Trivy has reported the 5 CVEs below as CRITICAL vulnerabilities on openjdk:8-jre:

CVE-2021-2294, CVE-2019-8457, CVE-2022-27404, CVE-2022-1586, CVE-2022-1587. These are all from the Debian side. Fortunately, despite being marked as Critical, they're actually either false positives and/or categorised as Minor issues by Debian. But I've a few queries here, and I would appreciate some clarification on these from the openjdk:8-jre image maintainers:

1. What if the identified vulnerability is CRITICAL and is also not marked as Minor by Debian? In other words, if a CVE really needs to be addressed, then what is the policy from the openjdk:8-jre side to get the fix from Debian? Is there a timeframe in which we can expect the fix to be reflected in the openjdk:8-jre image?

2. Except for CVE-2021-2294, all the remaining CVEs are shown as fixed in the bookworm, sid releases of Debian. But I'm not able to find any openjdk-8 image which is using a base image from the bookworm, sid releases of Debian. Any advice on these lines? As our application uses JDK 8, we're bound to stick to JDK 8 only. Therefore, what options do we have from the openjdk:8-jre image side when it comes to a specific release of Debian?

Thank you!