Open DavidACastagna opened 4 months ago
Kroki image is built on top of Eclipse temurin image: https://hub.docker.com/_/eclipse-temurin/tags?page=1&name=17.0.10_7-jre
The latest version has fewer vulnerabilities, but low/medium ones are, as the name suggests, difficult to exploit or have limited impact. You can bump the version in https://github.com/yuzutech/kroki/blob/a5f21c24c16d0beef5eddfbfdf3b5910df2ec711/server/ops/docker/jdk17-jammy/Dockerfile#L235C22-L235C40
We have an internal process that uses "Trivy" to scan for vulnerabilities. According to that tool, 0.24.1 has a lot of vulnerabilities in it. Not sure exactly what it takes to fix this, but can we get an image with these addressed for those that have fixes? (Note: I logged a different ticket some time ago related to a couple of other vulnerabilities that showed up in the same scan, but those were explained. This ticket is about the ones below:)
The full report: kroki-0.24.1.trivy.json
The summary:
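The triage the issue asks for, "those that have fixes", can be read straight out of the Trivy JSON report: a finding is fixable when its `FixedVersion` field is non-empty. The following script is an added example, not part of the issue or of the kroki project; it parses a constructed report in Trivy's JSON layout (the CVE ids, package names and versions are placeholders, not values from the attached `kroki-0.24.1.trivy.json`) and splits findings per severity into fixable and unfixed.

```python
import json
# Constructed sample in the layout of a Trivy JSON report (SchemaVersion 2). The CVE ids,
# package names and versions are placeholders, not findings from kroki-0.24.1.trivy.json.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "yuzutech/kroki:0.24.1",
    "Results": [
        {"Target": "yuzutech/kroki:0.24.1 (ubuntu 22.04)", "Class": "os-pkgs",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libplaceholder1",
              "InstalledVersion": "1.0.0-1", "FixedVersion": "1.0.0-2", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libplaceholder2",
              "InstalledVersion": "2.3.0", "Severity": "MEDIUM"}]},
        {"Target": "Java", "Class": "lang-pkgs",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0003", "PkgName": "org.example:lib",
              "InstalledVersion": "4.1", "FixedVersion": "4.2, 5.0", "Severity": "CRITICAL"},
             {"VulnerabilityID": "CVE-0000-0004", "PkgName": "org.example:other",
              "InstalledVersion": "1.0", "FixedVersion": "", "Severity": "LOW"}]},
    ],
})
SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "UNKNOWN": 4}

def summarize(report_text):
    """Split findings per severity into fixable (FixedVersion set) and unfixed,
    and return the fixable ones sorted by severity so they can be triaged first."""
    report = json.loads(report_text)
    counts = {}
    fixable = []
    for result in report.get("Results", []):
        # A target with no findings may carry no "Vulnerabilities" key, or a null one.
        for vuln in result.get("Vulnerabilities") or []:
            severity = vuln.get("Severity", "UNKNOWN")
            bucket = counts.setdefault(severity, {"fixable": 0, "unfixed": 0})
            fixed = vuln.get("FixedVersion", "")
            if fixed:
                bucket["fixable"] += 1
                fixable.append((severity, vuln["VulnerabilityID"], vuln["PkgName"],
                                vuln["InstalledVersion"], fixed))
            else:
                bucket["unfixed"] += 1
    fixable.sort(key=lambda f: SEVERITY_RANK.get(f[0], 4))
    return counts, fixable

if __name__ == "__main__":
    # A real report is produced with: trivy image --format json --output <file> <image>
    counts, fixable = summarize(SAMPLE_REPORT)
    for severity in sorted(counts, key=lambda s: SEVERITY_RANK.get(s, 4)):
        print(f"{severity:9s} fixable={counts[severity]['fixable']} unfixed={counts[severity]['unfixed']}")
```

Findings with an empty `FixedVersion` are the ones no base-image bump can address; the fixable list is what a maintainer would compare against the package versions in the newer eclipse-temurin tag.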