Base image alpine:3.20.0 is vulnerable (fixed in latest packages)
OlgasAcc opened this issue · comments
Hello,
alpine:3.20.0 has a few known vulnerabilities (e.g. CVE-2023-42364, CVE-2023-42365, etc.), and they affect our security scans when we pull eKuiper on our platform.
Is it possible for you to use a more dynamic version of alpine in your Dockerfile: "FROM alpine:3.20" instead of "FROM alpine:3.20.0"? The Alpine team regularly fixes new incoming vulnerabilities by adding new packages to the same major version, so it will automatically pick up all the necessary security fixes for you (and, inherently, for us).
eKuiper version 1.14.1
Thanks
@ngjaying, an additional question: is it possible to upgrade github.com/gorilla/schema v1.2.0 to v1.4.1 in your go.mod? This is the vulnerability CVE-2024-37298, of high severity.
Thanks
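The difference between `FROM alpine:3.20.0` and `FROM alpine:3.20` raised in this issue can be checked mechanically. The following is an added example, not code from the issue or from the eKuiper project: it classifies each base image in a Dockerfile as patch-pinned, floating, or digest-pinned. The sample Dockerfile, the function names and the three labels are assumptions made for illustration.

```python
import re

# Constructed sample Dockerfile for illustration (not eKuiper's actual file).
SAMPLE = """\
FROM golang:1.22 AS builder
RUN make build
FROM --platform=linux/amd64 alpine:3.20.0
FROM alpine:3.20
FROM alpine@sha256:<digest-placeholder>
FROM builder AS final
"""

# A tag with three numeric components (x.y.z, optional suffix) names one patch release.
PATCH_TAG = re.compile(r"^v?\d+\.\d+\.\d+(?:[-_].*)?$")

def classify(image_ref):
    """Return 'digest', 'patch' or 'floating' for an image reference."""
    if "@" in image_ref:
        return "digest"            # content-addressed, never moves
    name = image_ref.rsplit("/", 1)[-1]   # drop registry host, which may hold a port colon
    if ":" not in name:
        return "floating"          # no tag means the implicit 'latest'
    tag = name.split(":", 1)[1]
    # x.y.z stays on that patch release; x.y, x or latest moves on rebuild
    return "patch" if PATCH_TAG.match(tag) else "floating"

def audit(dockerfile_text):
    """List (line_number, image_ref, kind) for every external base image."""
    stages, findings = set(), []
    for lineno, line in enumerate(dockerfile_text.splitlines(), 1):
        parts = line.split()
        if not parts or parts[0].upper() != "FROM":
            continue
        args = [p for p in parts[1:] if not p.startswith("--")]  # skip --platform=...
        if not args:
            continue
        image = args[0]
        # 'FROM builder' refers to an earlier build stage, 'scratch' is empty: skip both
        if image.lower() not in stages and image != "scratch":
            findings.append((lineno, image, classify(image)))
        if len(args) >= 3 and args[1].upper() == "AS":
            stages.add(args[2].lower())
    return findings

if __name__ == "__main__":
    for lineno, image, kind in audit(SAMPLE):
        print(f"line {lineno}: {image} -> {kind}")
```

A `patch` result means the image stays on that release until the Dockerfile is edited, while `floating` picks up newer releases whenever the image is pulled again for a rebuild.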