Resolve critical and high vulnerabilities in node:lts-bookworm base image about official-images HOT 5 CLOSED

The official images use the upstream (debian in this case) packages; if there's vulnerabilities in those packages, those would have to be fixed by the debian maintainers and packagers; once updates are available in the debian package repositories, those will be included in the next build of the official images, but before that, there's not much that the maintainers of the official images can do.

I would recommend checking the status for those CVEs in debian's security tracker; here's the links to the "critical" ones from your report, but the pattern is the same for the other ones;

• https://security-tracker.debian.org/tracker/CVE-2023-5841
• https://security-tracker.debian.org/tracker/CVE-2023-45853
• https://security-tracker.debian.org/tracker/CVE-2023-6879
• https://security-tracker.debian.org/tracker/CVE-2023-0645

Note that some of those will have an issue linked in their issue tracker, which may contain more information about the current status (which may in some cases be that the debian maintainers decided to reject the CVE or decided not to patch).

from official-images.

You could switch to using the bookworm-slim variant which don't have those. You could even use multistage build to use the non slim for building and copying the result into the slim variant.

from official-images.

FWIW; looks like those vulnerabilities are not yet patched by upstream debian, so there's not packages available there yet;

• https://security-tracker.debian.org/tracker/CVE-2024-32002
• https://security-tracker.debian.org/tracker/CVE-2024-32465
• https://security-tracker.debian.org/tracker/CVE-2024-32004

(also see https://github.com/docker-library/faq?tab=readme-ov-file#why-does-my-security-scanner-show-that-an-image-has-cves)

from official-images.

Hi @LaurentGoderre , We have tried multistage build and used bookworm-slim for final result. However, we have seen vulnerabilities in JFrog XRay platform.

I am attaching those vulnerabilities here and targeting to resolve critical and high vulnerabilities.

Could you please help on this to proceed further?

[email protected]_2024-06-07.zip

from official-images.

See also the "Notes" field at the bottom of each of those links, which contains comments from the Debian Security Team (usually about why it's not fixed / not believed to be an issue worth fixing urgently).

[bookworm] - openexr <no-dsa> (Minor issue)
[bullseye] - openexr <not-affected> (Only affects 3.x)
[buster] - openexr <not-affected> (Only affects 3.x)

("no-dsa" is effectively "wontfix" but leaving the door open for another debian maintainer to fix it if they believe they can do so within the constraints of debian stable)

Again, please read https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves

from official-images.