Dockerhub reports 28 vulnerable components

[GuyPaddock]

When logged-in to Dockerhub, when I visit the tags page for Nextcloud, I see a report indicating that all of the current tags have vulnerabilities. I do not see this shown when I am viewing Nextcloud tags as an anonymous user.

Digging deeper, Dockerhub indicates "There are 28 vulnerable components":

[andoneve]

It would be great to see someone from Nextcloud respond to this, I just saw this and would like to know how you will handle these vulnerabilities.

[protree]

Yes, an explanation would be great!

[tilosp]

take a look at https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves

[GuyPaddock]

Right... but what's the official stance on the specific CVEs that have been reported against this image?

[tilosp]

This is a community maintained docker image, there is no dedicated security team for this image.
We always do our best to keep all the dependencies up to date. But we have to rely on others to fix security vulnerabilities. For example for CVEs in debian package we rely on the debian security team to fix them.
For nextcloud, php, .. we rely on upstream to fix security vulnerabilities .
You can for example use the debian security-tracker to check if CVEs do really apply or if they are false positives.