pact-foundation/pact_broker

Security Vulnerabilities with the latest docker image

Yogesh-BK opened this issue · 4 comments

The latest docker image for pact-broker contains security vulnerabilities.

I have already (please mark the applicable with an x):

  • Upgraded to the latest Pact Broker OR
  • Checked the CHANGELOG to see if the issue I am about to raise has been fixed
  • Created an executable example that demonstrates the issue using either a:
    • Dockerfile
    • Git repository with a Travis or Appveyor (or similar) build

Software versions

  • pact-broker docker version: e.g. latest
  • OS: e.g. Mac OSX 13.1

Expected behaviour

Docker image with no security vulnerabilities

Actual behaviour

Docker image which contains security vulnerabilities (including high and medium)

Steps to reproduce

 1. Install a tool named [trivy](https://github.com/aquasecurity/trivy) which is used to scan docker images for security vulnerabilities.
 2. Scan the pact broker image for vulnerabilities with the below command

```
trivy image pactfoundation/pact-broker:latest
```

 3. This will give the vulnerabilities

Scan Result | Security Vulnerabilities (three attached images of the trivy output, not reproduced in this copy)
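To make the scan in steps 1-3 repeatable (for example when re-checking a newer tag), the trivy report can be read as JSON and gated on severity. This is an added example, not code from the issue or from the pact_broker project; it assumes the report was produced with `trivy image --format json pactfoundation/pact-broker:<tag>` and follows trivy's JSON layout (`Results[].Vulnerabilities[]` with `Severity` and `FixedVersion`). The embedded report and its CVE ids are constructed placeholders, not real findings.

```python
import json
from collections import Counter

# Constructed sample in trivy's JSON layout; CVE ids are placeholders, not real findings.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "pactfoundation/pact-broker:latest",
    "Results": [
        {"Target": "pactfoundation/pact-broker:latest (alpine)", "Class": "os-pkgs", "Type": "alpine",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl", "InstalledVersion": "1.0",
              "FixedVersion": "1.1", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "zlib", "InstalledVersion": "1.2",
              "FixedVersion": "", "Severity": "MEDIUM"}]},
        {"Target": "Gemfile.lock", "Class": "lang-pkgs", "Type": "bundler",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0003", "PkgName": "rack", "InstalledVersion": "2.0",
              "FixedVersion": "2.1", "Severity": "CRITICAL"}]},
        # A result with no findings omits the Vulnerabilities key entirely (or sets it to null).
        {"Target": "/usr/bin/pact", "Class": "lang-pkgs", "Type": "gobinary"},
    ],
})

def summarise(report_json, gate=("HIGH", "CRITICAL"), ignore_unfixed=False):
    """Return (counts_by_severity, blocking) for a trivy JSON report.

    blocking lists (target, id, package, fix) for findings at a gated severity;
    ignore_unfixed=True mirrors trivy's --ignore-unfixed by skipping findings without a FixedVersion.
    """
    report = json.loads(report_json)
    counts, blocking = Counter(), []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            sev = vuln.get("Severity", "UNKNOWN")
            counts[sev] += 1
            if sev in gate:
                blocking.append((result.get("Target"), vuln["VulnerabilityID"],
                                 vuln["PkgName"], vuln.get("FixedVersion") or "no fix yet"))
    return counts, blocking

def passes_gate(report_json, **kw):
    """True when no finding at a gated severity remains in the report."""
    return not summarise(report_json, **kw)[1]

if __name__ == "__main__":
    counts, blocking = summarise(SAMPLE_REPORT)
    print(dict(counts))
    for target, cve, pkg, fix in blocking:
        print(f"{target}: {cve} in {pkg} (fixed in {fix})")
    raise SystemExit(0 if passes_gate(SAMPLE_REPORT) else 1)
```

Run it against a real report with `trivy image --format json pactfoundation/pact-broker:2.106.0.1 > report.json` and pass the file contents to `summarise`; the non-zero exit makes it usable as a CI gate.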

Due to an issue in the build, the latest tag has not been updated correctly. Please use the actual most recent tag, which is 2.106.0.1.

Hey bethesque,
Thanks for your reply.
With the version that you have suggested, a few vulnerabilities have been resolved, but it still contains the ones below

(two attached images of the remaining findings, not reproduced in this copy)

👋 Thanks, this ticket has been added to the PactFlow team's backlog as PACT-704

The latest image is out with updated ruby/alpine.