[QUESTION] Can you clarify if .NET base images provided by MS are patched

[blueboxes]

What is your question?

I see in the FAQ you say it patches OS level issues and not application level issues.

The .NET runtime falls in between these (or maybe it seen as one of these) so I wondered if the official Microsoft base .NET runtime issues would be patched with security fixes in the .NET runtime?

[sozercan]

I am not super familiar with .net runtime images, but i took a quick look at the .net repo

runtime itself are not packages, runtime components gets copied into a container, so it can't be patched with copa https://github.com/dotnet/dotnet-docker/tree/main/src/runtime/9.0

runtime dependencies in runtime-deps are packages (glibc, openssl-libs, etc), and those can be patched with copa. example: https://github.com/dotnet/dotnet-docker/blob/main/src/runtime-deps/9.0/azurelinux3.0/amd64/Dockerfile

[blueboxes]

That was what I had assumed, thank you for confirming.