jgraph / docker-drawio

Dockerized draw.io based on whichever is the most secure image at the time.
GNU General Public License v3.0

[Security] Update tomcat #49

Closed TheSinding closed 2 years ago

TheSinding commented 2 years ago

I've just noticed the alpine dockerfile uses a Tomcat image from 3 years ago. A Snyk analysis says there are 87 security flaws and 17 are high risk (source).

Is it easily updatable?

VerscheldeAlynne commented 2 years ago

@TheSinding https://overreacted.io/npm-audit-broken-by-design/

TheSinding commented 2 years ago

@VerscheldeAlynne Yeah, and while I might agree with some of that, having an image 3 years old, and with the introduction of the new Log4j CVE, it might be worth considering updating the image, don't you think?

davidjgraph commented 2 years ago

For clarification, log4j is not a dependency of the project.

TheSinding commented 2 years ago

But it is in the Tomcat image, or am I wrong? (CVE)