Closed
Description
Checking the Dockerfile, it seems that the base image openjdk:11.0.7-jre-slim-buster
brings in some vulnerabilities flagged by image scanning tools such as Snyk or Harbor.
To get the list of vulnerabilities you can run the following command:

```
docker scan -f docker/openjdk-11/Dockerfile hyperledger/besu:develop-openjdk-11 --severity high
```

Producing the following output:

```
Tested 91 dependencies for known issues, found 10 issues.

Base Image                  Vulnerabilities  Severity
openjdk:11-jre-slim-buster  62               2 critical, 8 high, 6 medium, 46 low
```
In addition, some alternative base images are recommended:

```
Recommendations for base image upgrade:

Alternative image types
Base Image                         Vulnerabilities  Severity
openjdk:17-ea-22-jdk-oracle        0                0 critical, 0 high, 0 medium, 0 low
openjdk:16-ea-33                   0                0 critical, 0 high, 0 medium, 0 low
openjdk:17-ea-10-jdk-oracle        0                0 critical, 0 high, 0 medium, 0 low
openjdk:17-ea-26-jdk-oraclelinux8  0                0 critical, 0 high, 0 medium, 0 low
```
It is not critical, but some private Docker registries won't allow pulling images with high-severity vulnerabilities.
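As an added example (not part of the Besu repository or this issue), the same policy those registries apply can be enforced in CI by parsing the base-image summary row that `docker scan` prints, in the format quoted above, and failing the build on any critical or high finding. The function names and the sample scan text are constructed for illustration.

```shell
#!/bin/sh
# Added example: gate a build on the base-image severity summary printed by
# `docker scan` (format as quoted in the issue). Reads the scan output on
# stdin; exits non-zero when the base image has critical or high findings.

# Print "<image> <critical> <high>" for the first row of the first
# "Base Image" table, i.e. the image actually in use. Later tables
# (the upgrade recommendations) use the same header and are skipped.
base_image_counts() {
  awk '
    /^Base Image/ { in_table = 1; next }
    in_table && NF >= 9 {
      # fields: image total critical "critical," high "high," medium ... low
      print $1, $3, $5
      exit
    }
  '
}

# Return 0 when the base image has no critical/high findings, 1 when it
# does, 2 when no base-image row could be found in the input.
gate_base_image() {
  set -- $(base_image_counts)
  [ -n "$1" ] || { echo "no base image row found in scan output" >&2; return 2; }
  if [ "$2" -gt 0 ] || [ "$3" -gt 0 ]; then
    echo "BLOCK: $1 has $2 critical and $3 high vulnerabilities" >&2
    return 1
  fi
  echo "OK: $1 has no critical/high vulnerabilities"
  return 0
}

# Constructed sample mirroring the output quoted in the issue (not a live scan).
SAMPLE_SCAN='Tested 91 dependencies for known issues, found 10 issues.
Base Image Vulnerabilities Severity
openjdk:11-jre-slim-buster 62 2 critical, 8 high, 6 medium, 46 low'

# Usage in CI (assumed pipeline, exit status drives the build result):
#   docker scan -f docker/openjdk-11/Dockerfile hyperledger/besu:develop-openjdk-11 | gate_base_image
```

Piping `$SAMPLE_SCAN` into `gate_base_image` exits with status 1, since the row reports 2 critical and 8 high issues.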