vulnaribilities detected by aqua

[abhiramani-iptiq]

Hi
i have this on line in my dockerfile: FROM openjdk:8-alpine
and my aqua scanner detects these vulnerabilities
what changes i can make in my dockerfile to get latest or specific version to resolve at least few if not all vulnerabilities?

Name	Resource	Severity	Score	Fix Version
CVE-2019-14697	musl	high	7.5	1.1.20-r5
CVE-2018-1000654	libtasn1	high	7.1	4.14-r0
CVE-2019-12900	libbz2	high	7.5	1.0.6-r7
CVE-2019-17371	libpng	medium	4.3	None
CVE-2019-15133	giflib	medium	4.3	None
CVE-2018-14498	libjpeg-turbo	medium	4.3	1.5.3-r5
CVE-2019-2745	openjdk8	low	1.9	8.222.10-r0
CVE-2019-2762	openjdk8	medium	5	8.222.10-r0
CVE-2019-2766	openjdk8	low	2.6	8.222.10-r0
CVE-2019-2769	openjdk8	medium	5	8.222.10-r0
CVE-2019-2786	openjdk8	low	2.6	8.222.10-r0
CVE-2019-2816	openjdk8	medium	5.8	8.222.10-r0
CVE-2019-2842	openjdk8	medium	4.3	8.222.10-r0
CVE-2019-7317	openjdk8	low	2.6	8.222.10-r0

[wglambert]

See https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-so-many-cves
And docker-library/postgres#286 (comment) #161, #112, docker-library/postgres#286, docker-library/drupal#84, docker-library/official-images#2740, docker-library/ruby#117, docker-library/ruby#94, docker-library/python#152, docker-library/php#242, docker-library/buildpack-deps#46, #185.

A CVE doesn't imply having an actual vulnerability, and often is even a false positive (given how most distributions handle versioning/security updates in stable releases). If there are actionable items we can resolve, we're happy to do so (and do so actively). We update all Debian based images to include any updates in apt packages at least monthly (we regenerate the base images and then rebuild all dependent images).

[wglambert]

In your case that image variant was deprecated a year ago as the upstream OpenJDK project no longer supports Alpine #272

• Alpine
• not officially supported by the OpenJDK project Move 8 and 11 to consume from https://adoptopenjdk.net/upstream.html #322, Build Java 11 Alpine #211 (comment), Add initial all-Oracle variants (oraclelinux + jdk.java.net tarballs) #235 (comment)

So the only Alpine variant upstream (and consequently we) support is openjdk:14-alpine

We have a support matrix of the OpenJDK variants that we maintain #272