docker-library/tomcat

How to fix vulnerabilities reported by AWS ECR scan

HareshChhelanaEncora opened this issue · 1 comment

Hi,

We have used the tomcat:8.5.77-jre11-openjdk Docker image to run a Java application in AWS EKS. We noticed the AWS ECR scan reporting the following vulnerabilities; can you please help or guide us to resolve them, at least the 1 CRITICAL and 3 HIGH?


https://security-tracker.debian.org/tracker/CVE-2022-27404
https://security-tracker.debian.org/tracker/CVE-2019-8457
https://security-tracker.debian.org/tracker/CVE-2022-1292
https://security-tracker.debian.org/tracker/CVE-2022-29155

Update to the latest, 8.5.79, to get the latest packages: docker-library/official-images#12491
8.5.77 isn't going to get the most up-to-date packages, but if you want you can still manually update packages in it through apt-get.

Background:

Tags in the [official-images] library file[s] are only built through an update to that library file or as a result of its base image being updated (i.e., an image FROM debian:buster would be rebuilt when debian:buster is built).

- https://github.com/docker-library/official-images/tree/2f086314307c04e1de77f0a515f20671e60d40bb#library-definition-files

Official Images FAQ:

Though not every CVE is removed from the images, we take CVEs seriously and try to ensure that images contain the most up-to-date packages available within a reasonable time frame

- https://github.com/docker-library/faq/tree/6138d05aabf61563606d86f98d0ccbd99f162b33#why-does-my-security-scanner-show-that-an-image-has-cves

Since our build system makes heavy use of Docker build cache, just rebuilding all of the Dockerfiles won't cause any change. So we rely on periodic base image updates.

We strive to publish updated images at least monthly for Debian and Ubuntu. We also rebuild earlier if there is a critical security need. Many Official Images are maintained by the community or their respective upstream projects, like Alpine and Oracle Linux, and are subject to their own maintenance schedule.

- from the same FAQ link
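The reply's "manually update packages in it through apt-get" route, written out as a Dockerfile. This is an added example, not the docker-library/tomcat Dockerfile or anything the maintainers posted. It assumes the image is Debian-based (so apt-get and dpkg are present, which holds for the openjdk variants) and the version string in the final check is an assumption used only to show the pattern; take the real fixed version for your distribution release from the security-tracker links above.

```dockerfile
# Added example: layer Debian security updates on top of the pinned tag.
# Prefer moving to the 8.5.79 tag the maintainer points at; this shows the
# fallback for when you must stay on 8.5.77 for a while.
FROM tomcat:8.5.77-jre11-openjdk

# Refresh the package index and install every update Debian has published
# since this tag was last built. The index is removed afterwards so the
# layer stays small and the image does not carry a stale package list.
RUN set -eux; \
    apt-get update; \
    apt-get upgrade -y; \
    rm -rf /var/lib/apt/lists/*

# Fail the build if a package you track is still below the version that
# carries the fix. The version here is a placeholder assumption for the
# pattern, not a value taken from the issue: look up the fixed version for
# your release on security-tracker.debian.org before pinning it.
RUN dpkg --compare-versions \
      "$(dpkg-query -W -f='${Version}' openssl)" ge "1.1.1n-0+deb11u2"

# ENTRYPOINT and CMD are inherited from the base image, so Tomcat still
# starts exactly as it does in the unpatched tag.
```

Build with `docker build -t my-tomcat:8.5.77-patched .` and re-scan the result in ECR. Two caveats a practitioner should keep in mind: a CVE the tracker marks as unfixed or "no-dsa" for your Debian release will not disappear after `apt-get upgrade`, however often you rebuild; and because the base tag itself is only refreshed on the schedule quoted above, this Dockerfile has to be rebuilt periodically (or on each Debian security advisory) rather than once.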