Elastic Open Crawler - Recent Container CVEs #430

@Skagnatti

Hello,

I have been using the Elastic Open Crawler for some time now. In general, it has been a nice, functional replacement for the deprecated Enterprise Search Crawler.

When my Elastic Open Crawler container(s) launch, they launch with either the docker.elastic.co/integrations/crawler:latest or docker.elastic.co/integrations/crawler:0.4.2 image.

docker ps
CONTAINER ID   IMAGE                                           COMMAND       CREATED        STATUS        PORTS     NAMES
6c52ec83e23e   docker.elastic.co/integrations/crawler:latest   "/bin/bash"   20 hours ago   Up 20 hours             crawler
bash-5.3$ cat product_version
0.4.2

Within the running container the rack version appears to be different than the recently pushed CVE fixes:

bash-5.3$ egrep 'rack|java' Gemfile Gemfile.lock
Gemfile:  gem 'rack', '~> 2.2.14'

Gemfile.lock:    rack (2.2.16)
Gemfile.lock:      rack (>= 1.0.0)
Gemfile.lock:  universal-java-17
Gemfile.lock:  universal-java-21
Gemfile.lock:  universal-java-22
Gemfile.lock:  universal-java-23
Gemfile.lock:  rack (~> 2.2.14)

And I suppose for the other ruby-maven removal CVE in the Dockerfile.
