Fix docker vulnerabilities in tomcat layer #34
Comments
Updating Tomcat to v9.0.37 has been covered by EPBDS-10064 in 3498c3a
Thank you for pointing out the issue. Docker images for OpenL v5.23.5 have been updated. Could you check? openltablets/ws:5.23.5 As for the '-slim' version of the images, it is not compatible with libraries which are used in OpenL, because they use components which are absent in the slim images. Anyway, I will research how to remove needless components from the OpenL images to reduce possible vulnerabilities in the future. Regards,
Hi @yurkom , Using trivy, Python 2.7 remains an area of concern (CVE-2020-8492). My suggestion would be to start from SLIM and then only add what you need to build the image, with housecleaning of the utilities used to build the image before publishing the layer. Keep me posted. Hugo
@vlablack Could you test slim images for:
For -jre8 as well.
@yurkom, openltablets/webstudio:5.23.5 and openltablets/demo:5.23.5 don't work with openjdk-slim because some required libs are missing: fontconfig isn't supported by slim openjdk: docker-library/openjdk#333 (comment) openltablets/ws:5.23.5 and openltablets/ws:5.23.5-all are working fine and I've faced no issues
@HugoVeillette I've upgraded tomcat version to 9.0.37-jdk11-openjdk-slim for openltablets/ws:5.23.5 and openltablets/ws:5.23.5-all images and uploaded it to docker hub. |
@vlablack thank you. |
Hi,
Using "openltablets/ws:5.23.5", the FROM clause (tomcat:9.0.30-jdk11) pulls a total of 15 vulnerabilities marked as high.
Using "9.0-jdk11-openjdk-slim" (equivalent to tomcat:9.0.37-jdk11-openjdk-slim) has 0 vulnerabilities.
My suggestion is to update the docker files respectively for the WS and Webstudio and change the "From" clause to "9.0-jdk11-openjdk-slim".
This would ensure that:
Additionally, running a scan in the build pipeline (such as aquasec/trivy) would provide some level of awareness.
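As an added illustration of the build-pipeline scan suggested above (not code from this issue or from the OpenL project): a small gate that parses trivy's JSON report and fails the build when findings at HIGH or CRITICAL severity remain. The report embedded here is constructed for the example; only the CVE and package name come from the thread, and the image target, versions and the second CVE are placeholders. The JSON field names follow trivy's `--format json` output as I know it.

```python
import json
import subprocess
from collections import Counter

# Constructed sample of a `trivy image --format json <image>` report.
# CVE-2020-8492 in python2.7 is the finding from the issue; everything else is illustrative.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {
            "Target": "openltablets/ws:5.23.5 (debian 10.4)",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-2020-8492", "PkgName": "python2.7",
                 "InstalledVersion": "2.7.16-2+deb10u1", "FixedVersion": "", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "libexample",
                 "InstalledVersion": "1.0", "FixedVersion": "1.1", "Severity": "MEDIUM"},
            ],
        },
        {"Target": "Java", "Vulnerabilities": None},  # trivy emits null when a target is clean
    ]
})

def iter_vulnerabilities(report_text):
    """Yield (target, vuln) pairs; tolerates the older bare-list report format and null lists."""
    data = json.loads(report_text)
    results = data.get("Results", []) if isinstance(data, dict) else data
    for result in results or []:
        for vuln in result.get("Vulnerabilities") or []:
            yield result.get("Target", "?"), vuln

def count_by_severity(report_text):
    """Severity histogram, useful for the 'awareness' view even when the gate passes."""
    return Counter(v.get("Severity", "UNKNOWN") for _, v in iter_vulnerabilities(report_text))

def gate(report_text, fail_on=("HIGH", "CRITICAL")):
    """Return (ok, offending); offending lists (target, CVE, package, fix) for blocking findings."""
    offending = [(t, v["VulnerabilityID"], v["PkgName"], v.get("FixedVersion") or "no fix")
                 for t, v in iter_vulnerabilities(report_text) if v.get("Severity") in fail_on]
    return (not offending), offending

def scan_image(image):
    """Run trivy against a built image and return the JSON report text (trivy must be on PATH)."""
    proc = subprocess.run(["trivy", "image", "--format", "json", image],
                          check=True, capture_output=True, text=True)
    return proc.stdout

if __name__ == "__main__":
    ok, findings = gate(SAMPLE_REPORT)  # in a pipeline: gate(scan_image("openltablets/ws:5.23.5"))
    for target, cve, pkg, fix in findings:
        print(f"{target}: {cve} in {pkg} (fix: {fix})")
    raise SystemExit(0 if ok else 1)
```

Findings without a FixedVersion (like the python2.7 one here) are the ones a slimmer base image removes rather than patches, which is the point of the FROM change proposed above.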