
How to handle Critical Security Issues of Base Images #2122

Closed
logidru opened this issue Mar 16, 2022 · 5 comments
@logidru

logidru commented Mar 16, 2022

Question

We use the tomcat image based on corretto to build the backend; we build our image nightly with the latest tags.

e.g. tomcat:10.0.17-jdk17-corretto.

Last week I noticed that the trivy scanner of our harbor registry displayed those critical issues (expat), and it was also displayed that the problem was already fixed in a newer version of the base image. So the only thing that had to be done would have been to rebuild tomcat:10.0.17-jdk17-corretto in order to get the base image updated, but that did not happen (yesterday the image was 11 days old).

Today tomcat:10.0.18-jdk17-corretto was published and I guess the problem will be fixed now, but we had to roll out our new version of the software to our clients yesterday (so with the critical bugs).

Is there any recommendation on how to handle such issues? Is there a way to somehow request a rebuild of the current tomcat image if the base image has critical issues that were already fixed in a newer version?

Additional Note:

I just rebuilt the images with tomcat:10.0.18-jdk17-corretto and the expat bug is still in there....

Note 2: I just noticed that the base image amazonlinux:2 is the problem :-(

Thanks for the help,
Daniel

@wglambert
Contributor

Same comment as docker-library/python#699 (comment): once the base image does an update, the images get rebuilt.

See also https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves
And docker-library/openjdk#449 (comment), docker-library/postgres#286 (comment), docker-library/openjdk#161, docker-library/openjdk#112, docker-library/postgres#286, docker-library/drupal#84, docker-library/official-images#2740, docker-library/ruby#117, docker-library/ruby#94, docker-library/python#152, docker-library/php#242, docker-library/buildpack-deps#46, docker-library/openjdk#185.

A CVE doesn't imply having an actual vulnerability, and often is even a false positive (given how most distributions handle versioning/security updates in stable releases). If there are actionable items we can resolve, we're happy to do so (and do so actively). We update all Debian based images to include any updates in apt packages at least monthly (we regenerate the base images and then rebuild all dependent images).

@yosifkit
Member

I am unsure when amazonlinux will give us updated images that will then cause rebuilds of dependent images.

If you "need" updates earlier, you can always ~~`apt-get update && apt-get upgrade -y`~~ `yum upgrade -y` in your image
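As an added example (not code from this issue or from the docker-library project), here is a Dockerfile that applies the workaround yosifkit describes: rebuild on top of the tomcat tag from the question and pull in the pending Amazon Linux 2 package updates in the derived layer, so the patched expat lands in the application image without waiting for the amazonlinux → corretto → tomcat rebuild chain. It assumes the build has network access to the Amazon Linux repositories, that the corretto variant's package manager is yum (it is; the question notes the base is amazonlinux:2), and a hypothetical WAR path `target/backend.war`.

```dockerfile
# Added example: rebuild the application image on top of the tag from the question
# and apply pending OS package updates in the derived layer.
FROM tomcat:10.0.18-jdk17-corretto

# Pull in every pending Amazon Linux 2 update (this is where a patched expat would
# come from), then drop the yum cache so it does not bloat the layer.
# Caveat: this updates all packages, not only expat; use `yum -y update expat`
# if you want a narrower, more reviewable change.
RUN yum -y update \
 && yum clean all \
 && rm -rf /var/cache/yum

# Print what actually got installed so the build log shows the expat version the
# scanner will see. On RPM-based distributions the package changelog usually
# carries the backported CVE references, which is how to tell a real gap from a
# scanner false positive on a backport (see the FAQ link above).
RUN rpm -q expat && rpm -q --changelog expat | head -n 20

# Application payload (hypothetical path; replace with your own WAR).
COPY target/backend.war /usr/local/tomcat/webapps/ROOT.war
```

Two caveats a practitioner should keep in mind. First, `yum -y update` is not reproducible and the `RUN` layer is cached, so a nightly rebuild like the one in the question only picks up new updates if the cache is bypassed (`docker build --no-cache`, or a changing build argument before the `RUN`). Second, this only helps once Amazon has actually published the fixed package: if the advisory has not shipped for amazonlinux:2, the rebuilt image will still be flagged, which is exactly the situation "Note 2" in the question describes, and at that point there is nothing to do further up the stack.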

@tianon
Member

tianon commented Mar 16, 2022

@tianon tianon closed this as completed Mar 16, 2022
@tianon
Member

tianon commented Mar 16, 2022

Doh, nevermind, that's just 2022 😞

@tianon tianon reopened this Mar 16, 2022
@tianon
Member

tianon commented Mar 16, 2022

Sorry, triple-post time -- this really isn't the right place for this. This should happen further down the stack (with an amazonlinux update).

This is the repository for the documentation (and doesn't contain or influence any of the building code).

@tianon tianon closed this as completed Mar 16, 2022