Open Tawha opened 2 years ago
How about https://github.com/r-hub/r-minimal?
Or equivalently the official r-base image -- which is the same as rocker/r-base and maintained by us -- which is driven by this Dockerfile (and its version-frozen variants) showing that only proper / current / maintained Debian packages go in, which should address any concerns you may have about CVEs.
As previously explained in similar threads, old images do not get updated as they are meant to stay to provide reproducibility. For current production and best practices, always try to use a current container.
Hello 👋🏼
We have a team here using your base image and AWS Inspector is flagging that your base image has 851 CVEs. I have just pulled the image and run Docker Scout to see what that scores.
Is there any way to reduce the number of CVEs?
You could rebuild the container image from its Dockerfile; that would refresh against current underlying packages.
How to build R images without being flagged by operations (for CVEs), since many R libraries are just bindings to OS applications or require compilers to be installed?
The one based on Ubuntu contains 56 CVEs – 3 Critical and 14 High. The rstudio image itself starts with some findings and there is a warning on the Official RStudio image (https://hub.docker.com/r/rstudio/r-base) saying it is still considered experimental.
What I want is to get a clean base image for R, just like I do for other programming languages such as aws-lambda-python or other “distroless” images from Google (https://github.com/GoogleContainerTools/distroless).
Apologies if it has already been addressed before.