Vulnerable Image used in Dockerfile needs updating. #3165

Closed
Homopatrol opened this issue Feb 26, 2021 · 4 comments

Comments

@Homopatrol (Contributor)

Is your feature request related to a problem? Please describe.

I am currently using image 6.1.1, and in my registry it has been flagged up as being vulnerable to the following:

CVE-2021-23839
CVE-2021-23840
CVE-2021-23841
CVE-2021-22883
CVE-2021-22884

This is because 3.1 uses alpine3.12, but these vulnerabilities are fixed in the later alpine3.13, which is used by 5.0.

Describe the solution you'd like

I believe this can be fixed by updating the image used in your Dockerfile to the latest version:

mcr.microsoft.com/dotnet/core/runtime from 3.1-alpine to 5.0-alpine.

5.0 is the most current image and 3.1 is LTS (https://hub.docker.com/_/microsoft-dotnet-runtime), unless there is a reason you are choosing to use this version instead.

Alternatively, this can be fixed temporarily by adding:

```dockerfile
RUN apk add --no-cache npm=12.21.0-r0 libcrypto1.1=1.1.1j-r0 libssl1.1=1.1.1j-r0
```

Additional context

Also, in case you are not aware, mcr.microsoft.com/dotnet/core/runtime:3.1-alpine has had its repo name changed; see #issue-739991219.
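The report above hinges on which package versions an image actually ships, so a practitioner would want a repeatable check rather than trusting the registry scanner alone. The script below is an added example (not code from this issue or from the dependency-check project): it takes the output of `apk list --installed` captured from inside an Alpine-based image and reports which of the packages named in the report are still below the versions pinned in the workaround. The sample apk output is constructed for illustration; the required versions are the pins quoted in the comment above. It assumes apk's `name-version arch {origin} (license) [installed]` line format and a `sort` that understands `-V`.

```shell
#!/bin/sh
# Added example, not code from the issue or from dependency-check: given the output of
# `apk list --installed` from an Alpine-based image, report which of the packages named
# in the report are still below the fixed versions. Assumes apk's line format
# ("<name>-<version> <arch> {<origin>} (<license>) [installed]") and a `sort -V`.

# Constructed sample output, as an image built on dotnet/core/runtime:3.1-alpine
# (Alpine 3.12) might have printed before the base image was refreshed.
SAMPLE_APK_LIST='busybox-1.31.1-r19 x86_64 {busybox} (GPL-2.0-only) [installed]
libcrypto1.1-1.1.1i-r0 x86_64 {openssl} (OpenSSL) [installed]
libssl1.1-1.1.1i-r0 x86_64 {openssl} (OpenSSL) [installed]
npm-12.20.1-r0 x86_64 {nodejs} (MIT) [installed]'

# Minimum versions, taken from the pins in the reporter's apk workaround.
REQUIRED='libcrypto1.1=1.1.1j-r0
libssl1.1=1.1.1j-r0
npm=12.21.0-r0'

# installed_version NAME APK_LIST_OUTPUT: print NAME's installed version, or nothing if absent.
installed_version() {
    printf '%s\n' "$2" | awk -v p="$1" '
        {
            name = $1
            sub(/-[0-9][^ ]*$/, "", name)        # strip "-<version>" from the name-version field
            if (name == p) print substr($1, length(p) + 2)
        }'
}

# version_lt A B: succeed if A sorts strictly before B under version-sort rules.
version_lt() {
    [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# outdated_packages APK_LIST_OUTPUT: print "name installed required" for each required
# package that is missing or older than required; prints nothing when all are current.
outdated_packages() {
    printf '%s\n' "$REQUIRED" | while IFS='=' read -r name want; do
        have=$(installed_version "$name" "$1")
        if [ -z "$have" ]; then
            printf '%s missing %s\n' "$name" "$want"
        elif version_lt "$have" "$want"; then
            printf '%s %s %s\n' "$name" "$have" "$want"
        fi
    done
}

# outdated_count APK_LIST_OUTPUT: number of lines outdated_packages would print.
outdated_count() {
    outdated_packages "$1" | awk 'END { print NR }'
}

# Run against the constructed sample; every one of the three pinned packages is reported.
outdated_packages "$SAMPLE_APK_LIST"
```

To run it against a real image rather than the constructed sample, capture the apk output first, for example with `docker run --rm --entrypoint sh owasp/dependency-check:6.1.1 -c 'apk list --installed'`, and pass that text to `outdated_packages`. An empty result after a base-image bump or the `apk add` workaround is the evidence that the registry finding should clear.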

@jeremylong jeremylong self-assigned this Feb 26, 2021
@jeremylong (Owner)

Upgrading to 5.0-alpine causes something to break with the docker build. What are you using to scan?

@Homopatrol (Contributor, Author)

Okay, is this the same case with 5.0-alpine3.12, since it uses Alpine 3.12 instead of Alpine 3.13?

I am using your owasp/dependency-check:6.1.1 as a base image with some changes to permissions to allow it to run in OpenShift; once I pushed this to my repository on the IBM Cloud it flagged up these vulnerabilities.

@jeremylong (Owner)

No idea why this did not occur to me; GrokAssembly is currently compiled for 3.1 and would not run under the dotnet 5.0 runtime. In reality, Alpine's release to resolve some of these CVEs occurred 7 days ago: https://alpinelinux.org/posts/Alpine-3.10.6-3.11.8-3.12.4-released.html

The patches for the CVEs will be included when Microsoft updates their base image (last updated in Feb 2021).

@jeremylong jeremylong added this to the 6.5.1 milestone Dec 6, 2021
@jeremylong (Owner)

@mtcolman thanks for the PR!
