Open KafkaProServerless opened 1 month ago
Our policy on updating the stacks (build & run images) is here -> https://paketo.io/docs/concepts/stacks/#when-are-paketo-stacks-updated
That should be it. If you're doing those two things, then you should get all of the latest fixes as soon as they are available.
If you have questions, you can look at the builder releases to see when the latest buildper was published. As I write this, it was about 10 hours ago. https://github.com/paketo-buildpacks/builder-jammy-tiny/releases
@KafkaProServerless If you us the latest builder version, then the most likely issue at hand is, that your scanner doesn't recognise Ubuntu patch versions and just reports vulnerabilities for the base OpenSSL 3.0.2.
Checking both of your comments. Thanks a lot
Hello team,
Just wanted to reach out with a small issue.
We build our projects, which are springboot 3.3.0-RC1, latest as of this writing, with maven and graalvm 22.0.1 latest as of this writing. When we use
mvn -Pnative spring-boot:build-image
it pulls some buildpack images to build the final container.The final container, while working fine, has been flagged by our internal scanners with a vulnerable openssl 3.0.2 Several CVEs are for this version of openssl.
May I ask if you could help bump openssl to the latest version?
Apologies if this issue is opened to the wrong buildpacks project. But as I am building springboot native image, I am not sure if this vulnerable openssl 3.0.2 is from springboot buildpack, native image buildpack, jammy tiny buildpack, or anything else.
Thank you