Search before asking
What happened
Good day,
Originally, I deployed Apache DevLake v0.18.0 and pulled in some data from two sources currently in use in my company (Bitbucket and Azure DevOps). I was quite pleased with the results and how quick it was to get meaningful insights into our data. Well done to the team for creating this great product.
Prior to presenting the POC to some of the members of my leadership team, I thought I would preempt some of the questions they would pose about security, and I proceeded to do a container scan using Docker Scout.
For the devlake-config-ui container, the scan picked up 12 critical and 39 high vulnerabilities.

I also tried v0.20.0-beta5 and got the same vulnerabilities.
Under recommended fixes, in other versions of the base image, the vulnerabilities are addressed.

I noticed that the Dockerfile for the config-ui uses nginxinc/nginx-unprivileged:1.21, and a possible upgrade to a later version is mentioned. This is discussed in #4250, but that issue seems to have been closed due to inactivity.
Would it be possible to upgrade to a later version of the image to address the critical and high vulnerabilities?
Thank You
Regards
What do you expect to happen
The base images will be updated to the most recent stable versions according to recommendations that address the vulnerabilities.
How to reproduce
Run docker compose to start up the containers and do a docker scan on the devlake-config-ui image.
I got roughly the same results using v0.18.0 and v0.20.0-beta5
Anything else
No response
Version
v0.18.0 or v0.20.0-beta5
Are you willing to submit PR?
Code of Conduct
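The reproduction steps and the base-image question above, as an added example that is not part of the original issue or of the DevLake project: a small POSIX shell script that (a) lints a Dockerfile's final-stage base image for the two things the report points at, a stale tag and a tag that is not pinned by digest, and (b) runs the same Docker Scout scan as a CI gate that fails on critical/high findings. The image name `apache/devlake-config-ui:v0.18.0`, the minimum tag `1.25`, and the sample Dockerfile are assumptions chosen for illustration; `docker scout` must be installed and logged in for the scan step.

```shell
#!/bin/sh
# Added example (not from the DevLake project): gate a build on its base image and on
# the Docker Scout scan from the report.
# Assumptions: the image name apache/devlake-config-ui:v0.18.0 and the minimum tag 1.25
# are illustrative; `docker scout` must be installed and logged in for scan_image.
set -eu

# Print the base image reference of the last FROM line (the final stage), stripping
# `--platform=...` options and any `AS <stage>` alias. Tolerates CRLF files.
final_base_image() {
    grep -i '^[[:space:]]*FROM[[:space:]]' "$1" | tail -n 1 | tr -d '\r' \
      | sed -E -e 's/^[[:space:]]*[Ff][Rr][Oo][Mm][[:space:]]+//' \
               -e 's/--[A-Za-z]+=[^[:space:]]+[[:space:]]+//g' \
               -e 's/[[:space:]]+[Aa][Ss][[:space:]]+.*$//' \
               -e 's/[[:space:]]+$//'
}

# Split "registry/name:tag@sha256:..." into "name tag digest", "-" for absent parts.
# The last ':' is a tag only if it follows the last '/' (localhost:5000/nginx has none).
parse_image_ref() {
    p_ref="$1"; p_tag="-"; p_digest="-"
    case "$p_ref" in
        *@*) p_digest="${p_ref##*@}"; p_ref="${p_ref%%@*}" ;;
    esac
    p_last="${p_ref##*/}"
    case "$p_last" in
        *:*) p_tag="${p_last##*:}"; p_name="${p_ref%:*}" ;;
        *)   p_name="$p_ref" ;;
    esac
    printf '%s %s %s\n' "$p_name" "$p_tag" "$p_digest"
}

# Leading dotted-numeric part of a tag: "1.21-alpine" -> "1.21", "latest" -> "".
numeric_prefix() {
    printf '%s\n' "$1" | sed -n -E 's/^([0-9]+(\.[0-9]+)*).*$/\1/p'
}

# Compare dotted numeric versions; prints -1, 0 or 1. Missing components count as 0,
# so 1.25 equals 1.25.0 and 1.25.3 is newer than 1.25.
vercmp() {
    v_a="$1"; v_b="$2"
    while [ -n "$v_a" ] || [ -n "$v_b" ]; do
        v_x="${v_a%%.*}"; v_y="${v_b%%.*}"
        case "$v_a" in *.*) v_a="${v_a#*.}" ;; *) v_a="" ;; esac
        case "$v_b" in *.*) v_b="${v_b#*.}" ;; *) v_b="" ;; esac
        if [ "${v_x:-0}" -lt "${v_y:-0}" ]; then printf '%s\n' -1; return 0; fi
        if [ "${v_x:-0}" -gt "${v_y:-0}" ]; then printf '%s\n' 1; return 0; fi
    done
    printf '%s\n' 0
}

# Policy: check_base_image REF IMAGE MIN_TAG. Fails (status 1) with a one-line reason when
# REF is untagged/latest, when it is IMAGE at a tag older than MIN_TAG, or when it is not
# pinned by digest (a mutable tag lets a rebuild silently pick up a different image).
check_base_image() {
    c_ref="$1"; c_image="$2"; c_min="$3"
    set -- $(parse_image_ref "$c_ref")
    c_name="$1"; c_tag="$2"; c_digest="$3"
    if [ "$c_tag" = "-" ] || [ "$c_tag" = "latest" ]; then
        echo "unpinned: $c_ref has no fixed tag"; return 1
    fi
    if [ "$c_name" = "$c_image" ]; then
        c_ver="$(numeric_prefix "$c_tag")"
        if [ -n "$c_ver" ] && [ "$(vercmp "$c_ver" "$c_min")" = "-1" ]; then
            echo "stale: $c_name:$c_tag is older than $c_image:$c_min"; return 1
        fi
    fi
    if [ "$c_digest" = "-" ]; then
        echo "tag-only: $c_ref is a mutable tag; pin it as name:tag@sha256:<digest>"; return 1
    fi
    echo "ok: $c_ref"
}

# The scan from the report as a gate: `docker scout cves --exit-code` exits 2 when CVEs
# at the selected severities are present, which fails the CI job.
scan_image() {
    docker scout cves --only-severity critical,high --exit-code "$1"
}

# Constructed sample Dockerfile (not the real config-ui Dockerfile): a two-stage build
# whose final stage uses the exact base image tag named in the report.
sample_dockerfile() {
    cat <<'EOF'
FROM node:16 AS builder
RUN echo "build step"
FROM --platform=linux/amd64 nginxinc/nginx-unprivileged:1.21 AS runtime
COPY --from=builder /app/dist /usr/share/nginx/html
EOF
}

# Usage: sh base-image-gate.sh path/to/Dockerfile [image]; with no arguments only the
# functions are defined.
if [ "$#" -gt 0 ]; then
    ref="$(final_base_image "$1")"
    echo "final-stage base image: $ref"
    check_base_image "$ref" nginxinc/nginx-unprivileged 1.25
    scan_image "${2:-apache/devlake-config-ui:v0.18.0}"
fi
```

Running it against the sample Dockerfile reports `stale: nginxinc/nginx-unprivileged:1.21 is older than nginxinc/nginx-unprivileged:1.25` and stops before the scan. Once the tag is raised, the digest to pin it with can be read from `docker buildx imagetools inspect nginxinc/nginx-unprivileged:<tag>`; the check then only passes for a `name:tag@sha256:...` reference, and the scan has to come back clean of critical/high CVEs for the job to succeed.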