197 vulnerabilities detected in 3.1.2

[obue]

Dear devs,

can you please consider using a dependency bot like renovate to update the dependencies?

Due to a corporate rule, I mirror the docker image on our internal registry. We are using Quay and it has an inbuilt security scanner. Unfortunately, there is no reporting feature, so I am pasting it here directly in. Please note that the report is based on the image tag v3.1.2. Quay fixes most of the dependencies automatically by introducing new docker layers with updated package versions, but I guess it will help everyone if you do the fixes directly in the image.

Summary

Quay Security Scanner has detected 197 vulnerabilities.
Patches are available for 193 vulnerabilities.
24 Critical-level vulnerabilities.
88 High-level vulnerabilities.
55 Medium-level vulnerabilities.
25 Low-level vulnerabilities.
5 Unknown-level vulnerabilities.

Attachment with details

Sec_report.pdf

[obue]

@PacoVK @rdmueller Can you please comment on this issue or are there no plans to fix this?

I just scanned 3.2.2 and these are the results:

Some recommendation:

• Recreate all Docker images for the last major version on a daily or at least weekly basis to get the newest layers with patches
• Review the current base image and consider a more security-focused image layer

I mirror all public images on my private registry on a daily basis so that I can also get updates for existing images with fixed tags.

[PacoVK]

Hey @Goldich thanks for reporting! Let me try to answer some of the questions to shed a bit light in here:

are there no plans to fix this

Sure, i review the docker hub scans from time to time but the most findings that i can see are not Docker Image related, but direct peer dependencies of docToolchain. As of now docToolchain uses many other Gradle plugins that are less frequently updated. Most of the vulnerabilities i can see are related to those plugins, we rely on.

can you please consider using a dependency bot like renovate to update the dependencies?

We have dependabot, but there seems something not really working properly. I need to investigate, although i think the main issue here are the peer dependencies

Quay fixes most of the dependencies automatically by introducing new docker layers with updated package versions, but I guess it will help everyone if you do the fixes directly in the image

That's interessting, can you tell me how this reduces the overall findings? I think the new layer could only fix OS dependencies, right?