[Security] Upgrade dependencies to fix severity #7509
egeria:latest is now building off our 4.0-SNAPSHOT code, and is using

First, in terms of the base image content: we use these redhat UBI images precisely to maintain as good a security posture as we can efficiently. As an open source project we err on continual updates of latest, and reuse of other teams' assets (like redhat). The images tend to have fixes fairly quickly. They are the best base images we have found from a security perspective. If there are better base images publicly available, that is certainly something we could look at, but we won't be able to keep up maintaining our own core image. We don't refer to a specific build tag and intentionally pull the latest for each and every build (including when we get to release, which we run extra tests against). The quay.io scan is currently showing very few vulnerabilities from the scanner they host. If there are extra vulnerabilities they would need to be raised against redhat for consideration (and we can work together to figure out the best way to do that). Were these results from a different scan tool?

In terms of the egeria content, it's possible there is a jar deeply embedded within a different package. I'll unpack to look. Further, this is in the graph connector, which you will not need or use. The intent is to move this connector out into a different repository. Whilst it is placed in the assembly, you can remove it from server/lib until we have revisited how we assemble components together.
Spring is now updated, and the snakeyaml PR has gone in. As such I think all the issues mentioned here are actioned, or in the case of jquery, not seen.

Please reopen if there are additional issues noted.
Security Scans from latest from main(
Existing/related issue?
No response
Current Behavior
Security Analysis of quay.io/odpi/egeria:latest image:
Expected Behavior
Dependencies need to be upgraded to fix severity
@planetf1
Steps To Reproduce
No response
Environment
Any Further Information?
No response