[Security]: Trivy reports several low-level CVE's from the base linux images

[talios]

Please add the exact image (with tag) that you are using

eclipse-temurin:8u345-b01-jre

Please add the version of Docker you are running

Docker Desktop 4.12.0 (85629)

What happened?

I'm using the Trivy vulnerability scanner extension to check my images and I notice it reports several low-prio CVEs for things such as curl, login, tar, ncurses, passwd.

curl is reported as coming from 7.81.0-1ubuntu1.3 and fixed in 7.81.0-1ubuntu1.4, whilst the others don't list any fixes available.

I understand curl is being removed in an upcoming release, but I'm curious as to the others, and if they're documented anywhere?

Relevant log output

No response

[jerboaa]

This is related to #267. Since those Low CVEs are in the base image we consume there will be some framework we'll adhere to in terms of container health. As to what it will be remains to be seen.

[kiranpatel11]

now it also has critical vulnerabilities for CVE-2022-40674.

[cyberveseli]

Vote up to fix CVE-2022-40674

[karianna]

These are being respun by DockerHub folks at DockerHub.

[S0obi]

Upvote for this issue: Temurin images based on Ubuntu Jammy are now also vulnerable to Openssl 3.0 high severity vulnerabilities: CVE-2022-3602 and CVE-2022-3786 💣 (USN-5710-1)

[S0obi]

To follow up, I just noticed that latest images (8, 11 and 17) have been rebuilt yesterday and are no more vulnerable to vulnerabilities mentioned here (including Openssl ones). I think we can close this issue 🎉 .