dmikusa
commented
1 month ago Our policy on updating the stacks (build & run images) is here -> https://paketo.io/docs/concepts/stacks/#when-are-paketo-stacks-updated
- Make sure you're using the latest images (i.e. you don't have any versions pinned)
- Make sure that you're using pull policy always when you build, this will force the build tools to check for newer images.
That should be it. If you're doing those two things, then you should get all of the latest fixes as soon as they are available.
If you have questions, you can look at the builder releases to see when the latest buildper was published. As I write this, it was about 10 hours ago. https://github.com/paketo-buildpacks/builder-jammy-tiny/releases
loewenstein
KafkaProServerless
Hello team,
Just wanted to reach out with a small issue.
We build our projects, which are springboot 3.3.0-RC1, latest as of this writing, with maven and graalvm 22.0.1 latest as of this writing. When we use
mvn -Pnative spring-boot:build-imageit pulls some buildpack images to build the final container.The final container, while working fine, has been flagged by our internal scanners with a vulnerable openssl 3.0.2 Several CVEs are for this version of openssl.
May I ask if you could help bump openssl to the latest version?
Apologies if this issue is opened to the wrong buildpacks project. But as I am building springboot native image, I am not sure if this vulnerable openssl 3.0.2 is from springboot buildpack, native image buildpack, jammy tiny buildpack, or anything else.
Thank you