Provide regular updates of Docker images (was: CVE's CBL-Mariner)

[ingmars1709]

Hi,

According to https://github.com/microsoft/CBL-Mariner/releases/tag/1.0.20220307-1.0
there are quite some CVE's fixed.

Are these incorporated into the mcr.microsoft.com/openjdk/jdk:11-mariner image as well?

[gdams]

This is a good question. We don't currently rebuild the base images until a new OpenJDK release is available. We likely need to listen to changes in the base images and rebuild when they do.

[karianna]

@milderhc can we listen in on security pointy releases of Linux distributions? Intriguing thought.

[ingmars1709]

Is this something we can expect to be solved in the near future?
We are relying heavily on this image and it generates a lot of High Findings in Azure Security portal.

[karianna]

Is this something we can expect to be solved in the near future? We are relying heavily on this image and it generates a lot of High Findings in Azure Security portal.

Thanks for your patience! We're discussing this internally so we can put out a public policy and will respond back here in the next week or so.

[d3r3kk]

We can certainly create a scheduled trigger in our GH/AzDO that would simply inspect the CBL-Mariner releases and take action if a release we've not seen before shows up. I'll see if I can rig something up in the next few days.

[brunoborges]

@d3r3kk mind if we keep this issue open until this is addressed?

[brunoborges]

We will update weekly, starting on or before the July PSU 2022.

[joe-braley]

@brunoborges @karianna

I believe this can be closed. Automated process checks twice per day for changes in the base image digest. Once a detected changes occurs the image build pipeline is executed, and changes pushed.