Provide regular updates of Docker images (was: CVE's CBL-Mariner) #24
Comments
This is a good question. We don't currently rebuild the base images until a new OpenJDK release is available. We likely need to listen to changes in the base images and rebuild when they do.
@milderhc can we listen in on security pointy releases of Linux distributions? Intriguing thought.
Is this something we can expect to be solved in the near future?
Thanks for your patience! We're discussing this internally so we can put out a public policy and will respond back here in the next week or so.
We can certainly create a scheduled trigger in our GH/AzDO that would simply inspect the CBL-Mariner releases and take action if a release we've not seen before shows up. I'll see if I can rig something up in the next few days.
@d3r3kk mind if we keep this issue open until this is addressed?
We will update weekly, starting on or before the July PSU 2022.
I believe this can be closed. Automated process checks twice per day for changes in the base image digest. Once a detected change occurs, the image build pipeline is executed, and changes pushed.
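The digest check described in the comment above, sketched as an added example (not the project's pipeline code): it hashes the raw manifest bytes, compares the result with the digest recorded after the last successful build, and produces a digest-pinned reference so the rebuild uses exactly the content that was checked. The image reference, state file layout, function names and sample manifests are constructed placeholders.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Constructed sample manifests standing in for two registry responses for the
# same tag; a real check would fetch the raw manifest bytes from the registry.
MANIFEST_OLD = b'{"schemaVersion":2,"config":{"digest":"sha256:' + b"a" * 64 + b'"}}'
MANIFEST_NEW = b'{"schemaVersion":2,"config":{"digest":"sha256:' + b"b" * 64 + b'"}}'
BASE_TAG = "registry.example/base/distro:1.0"  # hypothetical base image reference


def manifest_digest(raw_manifest: bytes) -> str:
    """Content digest of a manifest: SHA-256 over the exact bytes served."""
    return "sha256:" + hashlib.sha256(raw_manifest).hexdigest()


def pinned_reference(tag_ref: str, digest: str) -> str:
    """Turn repo:tag into repo@digest so the build uses the checked content."""
    repo, sep, last = tag_ref.rpartition(":")
    # Only strip a tag; a colon followed by a '/' belongs to a registry port.
    if sep and "/" not in last:
        tag_ref = repo
    return f"{tag_ref}@{digest}"


def check_base_image(state_file: Path, tag_ref: str, raw_manifest: bytes) -> dict:
    """Request a rebuild when the digest differs from the last built one (or none is recorded)."""
    state = json.loads(state_file.read_text()) if state_file.exists() else {}
    current = manifest_digest(raw_manifest)
    previous = state.get(tag_ref)
    return {"rebuild": previous != current, "previous": previous, "digest": current,
            "build_from": pinned_reference(tag_ref, current)}


def record_built(state_file: Path, tag_ref: str, digest: str) -> None:
    """Persist the digest only after the build succeeded, so failures are retried."""
    state = json.loads(state_file.read_text()) if state_file.exists() else {}
    state[tag_ref] = digest
    state_file.write_text(json.dumps(state, indent=2, sort_keys=True))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        state_path = Path(tmp) / "base-digests.json"
        for manifest in (MANIFEST_OLD, MANIFEST_OLD, MANIFEST_NEW):
            result = check_base_image(state_path, BASE_TAG, manifest)
            print(result["rebuild"], result["build_from"])
            record_built(state_path, BASE_TAG, result["digest"])
```

Because the state is written only by `record_built`, a scheduled run that detects a change but fails to build will request the rebuild again on the next run.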
Hi,
According to https://github.com/microsoft/CBL-Mariner/releases/tag/1.0.20220307-1.0
there are quite some CVE's fixed.
Are these incorporated into the mcr.microsoft.com/openjdk/jdk:11-mariner image as well?