How to fix vulnerabilities report by AWS ECR scan
HareshChhelanaEncora opened this issue · 1 comments
Hi,
We have used tomcat:8.5.77-jre11-openjdk docker image to run java application in AWS EKS. We notice AWS ECR scan reporting following vulnerabilities, can you please help or guide us to resolve following vulnerabilities at-least 1 CRITICAL and 3 HIGH?
https://security-tracker.debian.org/tracker/CVE-2022-27404
https://security-tracker.debian.org/tracker/CVE-2019-8457
https://security-tracker.debian.org/tracker/CVE-2022-1292
https://security-tracker.debian.org/tracker/CVE-2022-29155
Update to the latest 8.5.79
to get the latest packages docker-library/official-images#12491
8.5.77
isn't going to get the most up to date packages, but if you want you can still manually update packages in it through apt-get
Background:
Tags in the [official-images] library file[s] are only built through an update to that library file or as a result of its base image being updated (ie, an image
FROM debian:buster
would be rebuilt whendebian:buster
is built).
Official Images FAQ:
Though not every CVE is removed from the images, we take CVEs seriously and try to ensure that images contain the most up-to-date packages available within a reasonable time frame
Since our build system makes heavy use of Docker build cache, just rebuilding the all of the Dockerfiles won't cause any change. So we rely on periodic base image updates.
We strive to publish updated images at least monthly for Debian and Ubuntu. We also rebuild earlier if there is a critical security need. Many Official Images are maintained by the community or their respective upstream projects, like Alpine and Oracle Linux, and are subject to their own maintenance schedule.
- from the same FAQ link