Hi,
we have built a docker image based on the 10.1 war (and 10.2 war). In Harbor, part of the OpenShift K8s platform that we use, the image is scanned for vulnerabilities. There are quite a few Criticals and Highs!
Here’s a list of the most pressing CVEs:
CVE             package                           version   Fixed in version
==================================================================
CVE-2013-7285   com.thoughtworks.xstream:xstream  1.4.2     1.4.7
CVE-2021-21342  com.thoughtworks.xstream:xstream  1.4.2     1.4.16

and 5 more Criticals and a lot more Highs in XStream.
There’s also a High in JDOM: CVE-2021-33813 org.jdom:jdom 1.1
The Aqua Trivy plugin for the Docker Desktop app reports the same CVEs.
Especially the Criticals that are (presumably) easy to fix by upgrading the XStream package are in the way of deployment.
Our image is based on tomcat:9-jre17-temurin; when I leave out the BaseX stuff, it has just two Low CVEs.
Btw, an up-to-date Docker image on Docker Hub would be much appreciated. If it's also available for the linux/arm64/v8 architecture, that would be perfect!
Kind regards,
Huib.