-
-
Notifications
You must be signed in to change notification settings - Fork 480
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Security vulnerability fixes and multi arch support #763
base: master
Are you sure you want to change the base?
Conversation
Dockerfile
Outdated
@@ -48,6 +48,7 @@ RUN apt-get update && \ | |||
tesseract-ocr-sqi \ | |||
&& apt-get clean && \ | |||
rm -rf /var/lib/apt/lists/* | |||
RUN apt-get update && apt-get upgrade libgnutls30 -y -q |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could you merge this with the previous command?
Also, what is this package for?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
hi @jendib libgnutls30 is a package in the GnuTLS library suite, specifically version 3. GnuTLS is a secure communications library implementing the SSL, TLS, and DTLS protocols. The primary purpose of libgnutls30 is to provide support for cryptographic algorithms and protocols necessary to secure network communications.
I think this package is used by the OS internally in the version used as it popped in the security vulnerability.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
also merged the command to above line
</dependency> | ||
|
||
<dependency> | ||
<groupId>org.slf4j</groupId> | ||
<artifactId>slf4j-log4j12</artifactId> | ||
<artifactId>slf4j-reload4j</artifactId> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
From what I understand "reload4j" il a fork of log4j 1.2, but then you upgraded to log4j 2 as well so I'm confused.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
hi @jendib I have not touched the slf4j part as my intention was to simply remove the vulnerabilities first. I understand we had this conversation that you have a branch where you are changing this logging libraries. So here I just upgraded to a version of slf4j that does not have vulnerabilities yet.
@@ -270,6 +273,12 @@ | |||
<groupId>org.glassfish.jersey.media</groupId> | |||
<artifactId>jersey-media-json-processing</artifactId> | |||
<version>${org.glassfish.jersey.version}</version> | |||
<exclusions> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not a fan of doing this. What is the parsson version coming with jersey 3.1.5 and what is the added value of overriding it?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
hi @jendib the parsson library is a transitive dependency inside the jersey. The parsson library had a vulnerability which only gets solved by upgrading it. So i excluded the transitive dependency and added the upgraded dependency.
@@ -403,6 +418,12 @@ | |||
<groupId>fr.opensagres.xdocreport</groupId> | |||
<artifactId>fr.opensagres.odfdom.converter.pdf</artifactId> | |||
<version>${fr.opensagres.xdocreport.version}</version> | |||
<exclusions> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same question as parsson for xerces.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
hi @jendib same answer like parsson
<artifactId>xercesImpl</artifactId> | ||
<version>${xerces.xercesImpl.version}</version> | ||
</dependency> | ||
|
||
<dependency> | ||
<groupId>org.subethamail</groupId> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
According to https://github.com/voodoodyne/subethasmtp/tree/master this lib is unmaintained. Maybe it's a good time to drop it and use another one.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
hi @jendib maybe I can look into it in a separate PR? In this PR i have not touched this library. If you can guide me to the unit tests and functionality that uses this dependency I can work on a different library and see if the test pass and the functionality is preserved after the change.
Hi @jendib this PR consists vulnerability fixes and multi arch support