Security vulnerability fixes and multi arch support #763
Conversation
Dockerfile
Outdated
| @@ -48,6 +48,7 @@ RUN apt-get update && \ | |||
| tesseract-ocr-sqi \ | |||
| && apt-get clean && \ | |||
| rm -rf /var/lib/apt/lists/* | |||
| RUN apt-get update && apt-get upgrade libgnutls30 -y -q | |||
There was a problem hiding this comment.
Could you merge this with the previous command?
Also, what is this package for?
There was a problem hiding this comment.
hi @jendib libgnutls30 is a package in the GnuTLS library suite, specifically version 3. GnuTLS is a secure communications library implementing the SSL, TLS, and DTLS protocols. The primary purpose of libgnutls30 is to provide support for cryptographic algorithms and protocols necessary to secure network communications.
I think this package is used by the OS internally in the version used as it popped in the security vulnerability.
There was a problem hiding this comment.
also merged the command to above line
| </dependency> | ||
|
|
||
| <dependency> | ||
| <groupId>org.slf4j</groupId> | ||
| <artifactId>slf4j-log4j12</artifactId> | ||
| <artifactId>slf4j-reload4j</artifactId> |
There was a problem hiding this comment.
From what I understand "reload4j" il a fork of log4j 1.2, but then you upgraded to log4j 2 as well so I'm confused.
There was a problem hiding this comment.
hi @jendib I have not touched the slf4j part as my intention was to simply remove the vulnerabilities first. I understand we had this conversation that you have a branch where you are changing this logging libraries. So here I just upgraded to a version of slf4j that does not have vulnerabilities yet.
| @@ -270,6 +273,12 @@ | |||
| <groupId>org.glassfish.jersey.media</groupId> | |||
| <artifactId>jersey-media-json-processing</artifactId> | |||
| <version>${org.glassfish.jersey.version}</version> | |||
| <exclusions> | |||
There was a problem hiding this comment.
I'm not a fan of doing this. What is the parsson version coming with jersey 3.1.5 and what is the added value of overriding it?
There was a problem hiding this comment.
hi @jendib the parsson library is a transitive dependency inside the jersey. The parsson library had a vulnerability which only gets solved by upgrading it. So i excluded the transitive dependency and added the upgraded dependency.
| @@ -403,6 +418,12 @@ | |||
| <groupId>fr.opensagres.xdocreport</groupId> | |||
| <artifactId>fr.opensagres.odfdom.converter.pdf</artifactId> | |||
| <version>${fr.opensagres.xdocreport.version}</version> | |||
| <exclusions> | |||
There was a problem hiding this comment.
Same question as parsson for xerces.
There was a problem hiding this comment.
hi @jendib same answer like parsson
| <artifactId>xercesImpl</artifactId> | ||
| <version>${xerces.xercesImpl.version}</version> | ||
| </dependency> | ||
|
|
||
| <dependency> | ||
| <groupId>org.subethamail</groupId> |
There was a problem hiding this comment.
According to https://github.com/voodoodyne/subethasmtp/tree/master this lib is unmaintained. Maybe it's a good time to drop it and use another one.
There was a problem hiding this comment.
hi @jendib maybe I can look into it in a separate PR? In this PR i have not touched this library. If you can guide me to the unit tests and functionality that uses this dependency I can work on a different library and see if the test pass and the functionality is preserved after the change.
Hi @jendib this PR consists vulnerability fixes and multi arch support