
Vulnerability Issues for image openjdk:8-jdk-slim-buster #449

Closed
karthiksonti24 opened this issue Jan 18, 2021 · 3 comments
Labels
question Usability question, not directly related to an error with the image

Comments

@karthiksonti24

karthiksonti24 commented Jan 18, 2021

Hi Team,
I'm facing this issue while doing vulnerability checks for the image openjdk:8-jdk-slim-buster. Can someone suggest a fix for this issue?
Attached in the file.
logs.txt

@wglambert wglambert added the question Usability question, not directly related to an error with the image label Jan 18, 2021
@wglambert

See https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves
And docker-library/postgres#286 (comment) #161, #112, docker-library/postgres#286, docker-library/drupal#84, docker-library/official-images#2740, docker-library/ruby#117, docker-library/ruby#94, docker-library/python#152, docker-library/php#242, docker-library/buildpack-deps#46, #185.

A CVE doesn't imply having an actual vulnerability, and often is even a false positive (given how most distributions handle versioning/security updates in stable releases). If there are actionable items we can resolve, we're happy to do so (and do so actively). We update all Debian based images to include any updates in apt packages at least monthly (we regenerate the base images and then rebuild all dependent images).

@karthiksonti24

karthiksonti24 commented Jan 19, 2021

@wglambert Thanks for the information about this. Can you resolve them and give us the latest images?

@wglambert

https://snyk.io/vuln/SNYK-DEBIAN10-SYSTEMD-345386
Systemd isn't in the container

https://snyk.io/vuln/SNYK-DEBIAN10-SYSTEMD-345391
Same as above

https://snyk.io/vuln/SNYK-DEBIAN10-LIBIDN2-474100
https://security-tracker.debian.org/tracker/CVE-2019-12290
Buster is still vulnerable, so there's nothing actionable for us to do; it's also considered a minor issue.

https://snyk.io/vuln/SNYK-DEBIAN10-GNUTLS28-609778
https://security-tracker.debian.org/tracker/CVE-2020-24659
Same as above

https://snyk.io/vuln/SNYK-DEBIAN10-GLIBC-559488
https://security-tracker.debian.org/tracker/CVE-2020-1751
Same as above
It's also unique to the PowerPC architecture, which we don't have a variant for.

https://snyk.io/vuln/SNYK-DEBIAN10-GLIBC-559493
https://security-tracker.debian.org/tracker/CVE-2020-1752

Directory paths containing an initial tilde followed by a valid username were affected by this issue

Buster is still vulnerable, so there's nothing actionable for us to do; it's also considered a minor issue.

https://snyk.io/vuln/SNYK-DEBIAN10-GCC8-347558
https://security-tracker.debian.org/tracker/CVE-2018-12886
Buster is still vulnerable, so there's nothing actionable for us to do.
It's listed as "Too intrusive to backport".

https://snyk.io/vuln/SNYK-DEBIAN10-GCC8-469413
https://security-tracker.debian.org/tracker/CVE-2019-15847
Buster is still vulnerable, so there's nothing actionable for us to do; it's also considered a minor issue that affects only POWER9 binaries.

All packages in the container are at their latest version:

```console
$ docker run -it --rm openjdk:8-jdk-slim-buster bash
root@2cda9447dcdf:/# apt update
Get:1 http://security.debian.org/debian-security buster/updates InRelease [65.4 kB]
Get:2 http://security.debian.org/debian-security buster/updates/main amd64 Packages [268 kB]
Get:3 http://deb.debian.org/debian buster InRelease [121 kB]
Get:4 http://deb.debian.org/debian buster-updates InRelease [51.9 kB]
Get:5 http://deb.debian.org/debian buster/main amd64 Packages [7907 kB]
Get:6 http://deb.debian.org/debian buster-updates/main amd64 Packages [7860 B]
Fetched 8422 kB in 2s (4393 kB/s)
Reading package lists... Done
Building dependency tree
Reading state information... Done
All packages are up to date.

root@2cda9447dcdf:/# apt list --upgradeable
Listing... Done
```
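
The triage performed in the comment above (is the flagged package actually installed in the container, does the release have a fix at all, and is the installed version older than the fixed one) can be scripted so that scanner reports are classified the same way every time. This is an added example, not code from this thread or from docker-library. It assumes the scanner names Debian source packages, that the installed-package list comes from `dpkg-query` with the `${source:Package}` field, and that fix status is read from data in the layout of the Debian security tracker's JSON export; every sample value below is constructed, and `CVE-0000-0000` is a placeholder used only to exercise the "fix available, not yet installed" path.

```python
import re

# --- dpkg version comparison (Debian Policy 5.6.12), so no apt_pkg is needed ---
def _weight(ch):
    # '~' sorts before everything, even the end of a string; letters sort before non-letters
    if ch == "~":
        return -1
    return ord(ch) if ch.isalpha() else ord(ch) + 256

def _cmp_nondigit(a, b):
    for i in range(max(len(a), len(b))):
        wa = _weight(a[i]) if i < len(a) else 0
        wb = _weight(b[i]) if i < len(b) else 0
        if wa != wb:
            return -1 if wa < wb else 1
    return 0

def _cmp_fragment(a, b):
    # Alternate non-digit runs (lexical with dpkg weights) and digit runs (numeric)
    while a or b:
        na, nb = re.match(r"[^0-9]*", a), re.match(r"[^0-9]*", b)
        r = _cmp_nondigit(na.group(), nb.group())
        if r:
            return r
        a, b = a[na.end():], b[nb.end():]
        da, db = re.match(r"[0-9]*", a), re.match(r"[0-9]*", b)
        ia, ib = int(da.group() or "0"), int(db.group() or "0")
        if ia != ib:
            return -1 if ia < ib else 1
        a, b = a[da.end():], b[db.end():]
    return 0

def _split(version):
    epoch, rest = version.split(":", 1) if ":" in version else ("0", version)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def dpkg_compare(v1, v2):
    """Return -1, 0 or 1 with the same ordering as `dpkg --compare-versions`."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)

# --- constructed sample inputs mirroring the thread (not real scanner/tracker output) ---
# Findings name the Debian source package; CVE-0000-0000 is a placeholder, not a real CVE.
FINDINGS = [
    {"id": "SNYK-DEBIAN10-SYSTEMD-345386", "cve": None, "source": "systemd"},
    {"id": "SNYK-DEBIAN10-LIBIDN2-474100", "cve": "CVE-2019-12290", "source": "libidn2"},
    {"id": "SNYK-DEBIAN10-GNUTLS28-609778", "cve": "CVE-2020-24659", "source": "gnutls28"},
    {"id": "SNYK-DEBIAN10-GLIBC-559488", "cve": "CVE-2020-1751", "source": "glibc"},
    {"id": "SNYK-DEBIAN10-GCC8-347558", "cve": "CVE-2018-12886", "source": "gcc-8"},
    {"id": "HYPOTHETICAL-1", "cve": "CVE-0000-0000", "source": "glibc"},
]
# Shape of: dpkg-query -W -f '${binary:Package}\t${source:Package}\t${Version}\n'
# run inside the container (lines and version strings are constructed).
DPKG_OUTPUT = "\n".join([
    "libc6\tglibc\t2.28-10",
    "libgnutls30\tgnutls28\t3.6.7-4+deb10u5",
    "libidn2-0\tlibidn2\t2.0.5-1+deb10u1",
    "libgcc1\tgcc-8\t1:8.3.0-6",
    "gcc-8-base\tgcc-8\t8.3.0-6",
])
# Subset in the layout of https://security-tracker.debian.org/tracker/data/json (values constructed).
TRACKER = {
    "libidn2": {"CVE-2019-12290": {"releases": {"buster": {"status": "open", "urgency": "low"}}}},
    "gnutls28": {"CVE-2020-24659": {"releases": {"buster": {"status": "open", "urgency": "low"}}}},
    "glibc": {"CVE-2020-1751": {"releases": {"buster": {"status": "open", "urgency": "low"}}},
              "CVE-0000-0000": {"releases": {"buster": {"status": "resolved", "fixed_version": "2.28-10+deb10u1"}}}},
    "gcc-8": {"CVE-2018-12886": {"releases": {"buster": {"status": "open", "urgency": "low"}}}},
}

def triage(findings, dpkg_output, tracker, release="buster"):
    """Map finding id -> not-installed | no-cve-id | unknown-to-tracker | no-fix-in-<release> | already-fixed | upgrade:<pkgs>."""
    by_source = {}
    for line in dpkg_output.strip().splitlines():
        binary, source, version = line.split("\t")
        by_source.setdefault(source, []).append((binary, version))
    verdicts = {}
    for f in findings:
        pkgs = by_source.get(f["source"])
        if not pkgs:                       # e.g. systemd is simply not in a slim image
            verdicts[f["id"]] = "not-installed"
            continue
        if not f["cve"]:
            verdicts[f["id"]] = "no-cve-id"
            continue
        rel = tracker.get(f["source"], {}).get(f["cve"], {}).get("releases", {}).get(release)
        if rel is None:
            verdicts[f["id"]] = "unknown-to-tracker"
        elif rel["status"] != "resolved":  # release still vulnerable: nothing to upgrade to
            verdicts[f["id"]] = f"no-fix-in-{release}"
        else:                              # fix exists: only installed versions below it are actionable
            stale = [b for b, v in pkgs if dpkg_compare(v, rel["fixed_version"]) < 0]
            verdicts[f["id"]] = "upgrade:" + ",".join(stale) if stale else "already-fixed"
    return verdicts

if __name__ == "__main__":
    for fid, verdict in triage(FINDINGS, DPKG_OUTPUT, TRACKER).items():
        print(f"{fid:32} {verdict}")
```

Only the `upgrade:` verdicts are something an image maintainer can act on; `no-fix-in-buster` findings are the ones the comment describes, where the distribution has not shipped a fix and rebuilding the image changes nothing. With real data, replace `DPKG_OUTPUT` with the output of the `dpkg-query` command above run in the container and `TRACKER` with the tracker's JSON export.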

@tianon tianon closed this as completed Jan 19, 2021