Hi,
we have built a docker image based on the 10.1 war (and 10.2 war). In Harbor, part of the OpenShift K8s platform that we use, the image is scanned for vulnerabilities. There are quite a few Criticals and Highs!
Here’s a list of the most pressing CVEs:
CVE              package                           version  Fixed in version
==================================================================
CVE-2013-7285    com.thoughtworks.xstream:xstream  1.4.2    1.4.7
CVE-2021-21342   com.thoughtworks.xstream:xstream  1.4.2    1.4.16

and 5 more Criticals and a lot more Highs in XStream.
There’s also a High in JDOM: CVE-2021-33813 org.jdom:jdom 1.1
The Aqua-Trivy plugin for the Docker Desktop-app reports the same CVEs.
Especially the Criticals that are (presumably) easy to fix by upgrading the XStream package are in the way of deployment.
Our image is based on tomcat:9-jre17-temurin; when I leave out the BaseX stuff it has just two Low CVEs.
Btw, an up-to-date docker image on Docker Hub would be much appreciated. If it’s also available for the linux/arm64/v8 architecture that would be perfect!
Kind regards,
Huib.
Hi Huib,
We decided to discontinue the support for an official Docker image as there are too many ways to build Docker files that resulted in confusion on the mailing list.
The latest developments have been documented on GitHub [1]. We are still looking for someone who’d be interested in maintaining a version that, though…
Thanks for your observations on current vulnerabilities. Unfortunately, the dependencies are due to libraries that are not in our hands: xstream is required by XQJ, jdom is required by WebDAV (you can e.g. call mvn dependency:tree to get more insight). If the extensions are not required in a project, you can simply drop them, or ignore them (if the libraries are not used, they won’t cause problems).
Best, Christian
basex-talk@mailman.uni-konstanz.de
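As an added illustration of the "drop the extension jars you don't use" suggestion (example code, not from the thread or the BaseX project), here is a small POSIX shell helper that lists and removes the XQJ and WebDAV library jars from an exploded WAR before the image is scanned. It assumes the WAR has been unpacked into a directory and that the jars carry their Maven artifact names (xstream-*.jar, jdom-*.jar); both are assumptions, not facts from the thread.

```shell
#!/bin/sh
# Added example, not BaseX project code.
# Assumption: the war is exploded into DIR and the optional extension
# libraries are named like their Maven artifacts:
#   xstream-*.jar  -> pulled in by XQJ
#   jdom-*.jar     -> pulled in by WebDAV
# Only drop them if the deployment does not use those extensions.

# list_optional_jars DIR
# Prints "<jar> <extension>" for every optional jar found in WEB-INF/lib.
list_optional_jars() {
    lib="$1/WEB-INF/lib"
    [ -d "$lib" ] || return 1
    for f in "$lib"/xstream-*.jar; do
        [ -e "$f" ] && printf '%s XQJ\n' "$(basename "$f")"
    done
    for f in "$lib"/jdom-*.jar; do
        [ -e "$f" ] && printf '%s WebDAV\n' "$(basename "$f")"
    done
    return 0
}

# drop_optional_jars DIR
# Removes the jars reported by list_optional_jars and prints how many
# were removed, so a build step can fail if nothing changed.
drop_optional_jars() {
    removed=0
    for jar in $(list_optional_jars "$1" | cut -d' ' -f1); do
        rm -f "$1/WEB-INF/lib/$jar" && removed=$((removed + 1))
    done
    echo "$removed"
}
```

Run `list_optional_jars` first as a dry run, then `drop_optional_jars` in the Dockerfile build step before repackaging and rescanning the image.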