rocker-org / rocker

R configurations for Docker
https://rocker-project.org
GNU General Public License v2.0

R Docker Images CVE's #492

Open Tawha opened 2 years ago

Tawha commented 2 years ago

How to build R images without being flagged by operations (for CVEs), since many R libraries are just bindings to OS applications or require compilers to be installed?

The one based on Ubuntu contains 56 CVEs – 3 Critical and 14 High. The rstudio image itself starts with some findings, and there is a warning on the official RStudio image (https://hub.docker.com/r/rstudio/r-base) saying it is still considered experimental.

What I want is to get a clean base image for R, just like I do for other programming languages such as aws-lambda-python or other “distroless” images from Google (https://github.com/GoogleContainerTools/distroless).

Apologies if it has already been addressed before.

eitsupi commented 2 years ago

How about https://github.com/r-hub/r-minimal?

eddelbuettel commented 2 years ago

Or equivalently the official r-base image -- which is the same as rocker/r-base and maintained by us -- which is driven by this Dockerfile (and its version-frozen variants), showing that only proper / current / maintained Debian packages go in, which should address any concerns you may have about CVEs.

As previously explained in similar threads, old images do not get updated, as they are meant to stay as they are to provide reproducibility. For current production and best practices, always try to use a current container.
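One way to act on both points raised in this thread (compilers and -dev headers inflate the scan findings; the base should be a current, distro-maintained one) is a multi-stage build: compile the R packages in a throwaway stage, then copy only the installed library into a runtime stage that carries the distribution's current security updates and no toolchain. The Dockerfile below is an added example and is not part of the rocker project or this thread; the `rocker/r-ver` tag, the package list (`jsonlite`, `curl`), the runtime shared libraries and the `/opt/rlib` library path are assumptions chosen for illustration.

```dockerfile
# Added example, not the rocker project's own Dockerfile.
# Assumption: the R_VERSION tag exists on Docker Hub and its base is a current Ubuntu LTS.
ARG R_VERSION=4.3.2

# ---- Stage 1: build. The compiler and -dev headers exist only here. ----
FROM rocker/r-ver:${R_VERSION} AS builder
RUN apt-get update \
    && apt-get install -y --no-install-recommends \
        build-essential \
        libcurl4-openssl-dev \
    && rm -rf /var/lib/apt/lists/*
# Install into a dedicated library so the runtime stage copies only
# the packages we built, nothing else from this stage.
RUN mkdir -p /opt/rlib \
    && Rscript -e 'install.packages(c("jsonlite", "curl"), lib = "/opt/rlib", repos = "https://cloud.r-project.org")'

# ---- Stage 2: runtime. Same pinned base, no toolchain, distro security updates applied. ----
FROM rocker/r-ver:${R_VERSION}
# "apt-get upgrade" pulls the maintained Debian/Ubuntu fixes for the OS layer;
# the runtime .so files (not the -dev packages) are what the R bindings need.
RUN apt-get update \
    && apt-get upgrade -y --no-install-recommends \
    && apt-get install -y --no-install-recommends \
        libcurl4 \
        ca-certificates \
    && rm -rf /var/lib/apt/lists/*
COPY --from=builder /opt/rlib /opt/rlib
ENV R_LIBS_SITE=/opt/rlib
# Assumption: the workload does not need root. Drop it so a package
# vulnerability is not a root-in-container finding as well.
USER nobody
CMD ["Rscript", "-e", "library(jsonlite); library(curl); message('packages loaded')"]
```

Two checks worth running on the result: `docker run --rm <image> sh -c 'command -v gcc || echo no-compiler'` confirms the toolchain did not leak into the runtime stage (this assumes the base image does not ship a compiler itself; if it does, the scan will still report it), and re-running the same scanner that produced the 56 findings shows which items disappear. What remains is the OS layer, and by the reasoning above the only way to keep that clean is to rebuild from a current tag on a schedule rather than pin to an old image and expect it to be patched in place.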