bmuschko/gradle-docker-plugin

Software packages with vulnerabilities in the Docker container

yochaubs opened this issue · 5 comments

During the course of our security check, we found that the Docker container contains multiple software packages with known vulnerabilities.
The CVSS score is 9.8, which is critical.

Expected Behavior

postgresql dependency should be bumped to latest version 42.7.3 with no serious known vulnerability.

Current Behavior

By exploiting these vulnerabilities, a potential attacker could gain control over the affected components. To determine the rating
according to CVSS, the most serious known vulnerability (CVE-2024-1597) was used.

org.postgresql/postgresql 42.7.1 CVE-2024-1597

Your Environment

Gradle version : 8.7

Can you specify which Docker container image you are referring to here?

Hey, that dependency was coming from the Gradle dependencies: org.postgresql/postgresql 42.7.1 CVE-2024-1597

Sorry, I am still confused. The PostgreSQL dependency is likely a dependency you are adding to your own project, either as a direct or a transitive dependency.

The screenshot you are pointing me to here uses a different base image than the one configured by the plugin by default. Also, any files you copy into the container image you are building with the plugin are your responsibility.
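Since the flagged driver comes from the project's own dependency graph rather than from the plugin, the fix lives in the project's build script. The following `build.gradle.kts` fragment is an added example, not code from the plugin or from either participant; it assumes a Java project whose dependencies (the `com.example:some-lib` coordinate below is a placeholder) pull in `org.postgresql:postgresql` 42.7.1 transitively, and uses a Gradle dependency constraint to raise every resolution of that artifact to the 42.7.3 version requested in the issue.

```kotlin
// build.gradle.kts (added example, not part of gradle-docker-plugin)
plugins {
    java
}

repositories {
    mavenCentral()
}

dependencies {
    // Placeholder for whatever library transitively depends on
    // org.postgresql:postgresql:42.7.1 in the reporter's project.
    implementation("com.example:some-lib:1.0")

    constraints {
        // A constraint applies to direct and transitive usages alike:
        // Gradle's conflict resolution picks the highest required version,
        // so 42.7.1 coming in via com.example:some-lib is upgraded to 42.7.3.
        implementation("org.postgresql:postgresql:42.7.3") {
            because("42.7.1 is affected by CVE-2024-1597; 42.7.3 is the fixed version cited in the issue")
        }
    }
}
```

Confirm the result with `./gradlew dependencyInsight --dependency org.postgresql:postgresql --configuration runtimeClasspath`, which shows the selected version and the constraint that raised it; the artifacts copied into the image by the plugin then carry the upgraded driver.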

ok, thanks!