Dependencies should be updated #115

Closed
jschirrmacher opened this issue Mar 20, 2023 · 9 comments · Fixed by #134

@jschirrmacher

jschirrmacher commented Mar 20, 2023

We see a lot of CVEs in the image, which could be removed by updating to more current versions:

ID                   SEVERITY  INSTALLED        FIXED IN                                       PACKAGE
CVE-2021-23463       CRITICAL  1.1.119          2.0.202                                        com.h2database:h2
CVE-2021-42392       CRITICAL  1.1.119          2.0.206                                        com.h2database:h2
CVE-2022-23221       CRITICAL  1.1.119          2.1.210                                        com.h2database:h2
CVE-2022-22978       CRITICAL  5.1.13.RELEASE   5.5.7, 5.6.4                                   org.springframework.security:spring-security-core
CVE-2016-1000027     CRITICAL  5.2.22.RELEASE   6.0.0                                          org.springframework:spring-web
CVE-2022-45868       HIGH      1.1.119                                                         com.h2database:h2
CVE-2023-24998       HIGH      1.4.             1.5                                            commons-fileupload:commons-fileupload
CVE-2022-45143       HIGH      9.0.65           8.5.84, 9.0.69, 10.1.2                         org.apache.tomcat:tomcat-catalina
CVE-2022-42252       HIGH      9.0.65           8.5.83, 9.0.68, 10.0.27, 10.1.1                org.apache.tomcat:tomcat-coyote
CVE-2021-22112       HIGH      5.1.13.RELEASE   5.2.9.RELEASE, 5.3.8.RELEASE, 5.4.4            org.springframework.security:spring-security-core
CVE-2021-22112       HIGH      5.1.13.RELEASE   5.2.9, 5.2.9, 5.4.4, 5.4.4                     org.springframework.security:spring-security-web
CVE-2022-34169       HIGH      2.7.2                                                           xalan:xalan
CVE-2022-22976       MEDIUM    5.1.13.RELEASE   5.5.7, 5.6.4                                   org.springframework.security:spring-security-core
GHSA-h376-j262-vhq6  UNKNOWN   1.1.119          2.0.206                                        com.h2database:h2
@hbruch

hbruch commented Nov 23, 2023

@jschirrmacher Which image version are you referring to? Is this still an issue with the most recent version, 2.22.4?

@randomorder: could you publish the most recent geoserver versions 2.23.3 and 2.24.0 via docker hub?

@randomorder
Member

@hbruch
Latest tags for all branches are now available on the Hub.

@jschirrmacher
As suggested by @hbruch, can you check more recent versions and let me know how you scanned the images?

@randomorder randomorder self-assigned this Nov 24, 2023
@jschirrmacher
Author

I can't remember which version I used in march, I'm sorry.

When I run trivy image --offline-scan geosolutionsit/geoserver:latest, I still get a lot of CVEs:

geosolutionsit/geoserver:latest (debian 11.4)
=============================================
Total: 1195 (UNKNOWN: 6, LOW: 791, MEDIUM: 138, HIGH: 232, CRITICAL: 28)
Java (jar)
==========
Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 1, CRITICAL: 1)

@randomorder
Member

Thanks @jschirrmacher I'll have a look.
It's important to distinguish which components are affected for each one of them. For instance:

  • Java code related CVEs concerning GeoServer itself -> these should be addressed by the GeoServer project/community
  • CVEs related to the base image of GeoServer (as of today, Tomcat) -> these should be addressed by the Apache Tomcat project. As soon as a new image comes out we can rebuild the Docker images and get the patches from Tomcat
  • CVEs related to the software installed by the Dockerfile itself. Here we can evaluate and patch/update the individual packages installed during the build to patched versions of the software, where possible
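The three buckets above can be read straight out of Trivy's JSON output, because Trivy already separates OS packages (`Class: os-pkgs`) from jars (`Class: lang-pkgs`) and reports each jar's path as the `Target`. The script below is an added example, not code from this repository or from the GeoServer project: it triages a report into base-image, Tomcat, GeoServer and Dockerfile-installed findings and lists the ones with no fixed version at all (such as CVE-2022-45868 in the table above). The embedded report is constructed from a few entries in this thread; the jar paths under `/usr/local/tomcat`, the `EXAMPLE-OS-FINDING` entry and the list of packages the Dockerfile installs are assumptions for the example.

```python
"""Triage a Trivy JSON report by who has to ship the fix.

Added example (not the geoserver-docker project's code). Buckets follow the
comment above: base-image OS packages, Tomcat's own jars, GeoServer's jars,
and packages the Dockerfile installs itself.
"""
from collections import defaultdict

# Constructed Trivy (SchemaVersion 2) report fragment, not a real scan.
# h2 / tomcat ids and versions are taken from this thread; the OS-package
# entry and the jar paths are made up for the example.
SAMPLE_REPORT = {
    "SchemaVersion": 2,
    "Results": [
        {
            "Target": "geosolutionsit/geoserver:latest (debian 11.4)",
            "Class": "os-pkgs",
            "Type": "debian",
            "Vulnerabilities": [
                {"VulnerabilityID": "EXAMPLE-OS-FINDING", "PkgName": "curl",
                 "InstalledVersion": "7.74.0-1.3",
                 "FixedVersion": "7.74.0-1.3+deb11u1", "Severity": "HIGH"},
            ],
        },
        {
            "Target": "usr/local/tomcat/lib/catalina.jar",
            "Class": "lang-pkgs",
            "Type": "jar",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-2022-45143",
                 "PkgName": "org.apache.tomcat:tomcat-catalina",
                 "InstalledVersion": "9.0.65",
                 "FixedVersion": "8.5.84, 9.0.69, 10.1.2", "Severity": "HIGH"},
            ],
        },
        {
            "Target": "usr/local/tomcat/webapps/geoserver/WEB-INF/lib/h2-1.1.119.jar",
            "Class": "lang-pkgs",
            "Type": "jar",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-2022-23221", "PkgName": "com.h2database:h2",
                 "InstalledVersion": "1.1.119", "FixedVersion": "2.1.210",
                 "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-2022-45868", "PkgName": "com.h2database:h2",
                 "InstalledVersion": "1.1.119", "FixedVersion": "",
                 "Severity": "HIGH"},
            ],
        },
    ],
}

# OS packages the Dockerfile installs on top of the base image (assumed list;
# in practice derive it from the Dockerfile's RUN apt-get lines).
DOCKERFILE_PACKAGES = frozenset({"curl"})

# Assumed layout of the official tomcat image; adjust if the image differs.
TOMCAT_LIB = "usr/local/tomcat/lib/"
GEOSERVER_WEBAPP = "usr/local/tomcat/webapps/geoserver/"


def owner_of(result, vuln, dockerfile_packages=DOCKERFILE_PACKAGES):
    """Return which party has to ship the fix for one finding."""
    target = result["Target"].lstrip("/")
    if result.get("Class") == "os-pkgs":
        # Base-image packages are fixed by rebuilding on a newer base tag;
        # packages the Dockerfile adds are the image maintainers' job.
        return "dockerfile" if vuln["PkgName"] in dockerfile_packages else "base-image"
    if target.startswith(TOMCAT_LIB):
        return "tomcat"       # also fixed by rebuilding on a newer tomcat tag
    if target.startswith(GEOSERVER_WEBAPP):
        return "geoserver"    # GeoServer's dependency, not the image's
    return "other"


def triage(report, dockerfile_packages=DOCKERFILE_PACKAGES):
    """Group findings by owner and list those with no fixed version at all."""
    by_owner = defaultdict(list)
    unfixed = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            entry = {
                "id": vuln["VulnerabilityID"],
                "pkg": vuln["PkgName"],
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion", ""),
                "severity": vuln.get("Severity", "UNKNOWN"),
                "target": result["Target"],
            }
            by_owner[owner_of(result, vuln, dockerfile_packages)].append(entry)
            if not entry["fixed"]:
                unfixed.append(entry)
    return dict(by_owner), unfixed


def summary(report, dockerfile_packages=DOCKERFILE_PACKAGES):
    """Counts per owner plus the ids that have no fix released yet."""
    by_owner, unfixed = triage(report, dockerfile_packages)
    return {k: len(v) for k, v in by_owner.items()}, [e["id"] for e in unfixed]


if __name__ == "__main__":
    by_owner, unfixed = triage(SAMPLE_REPORT)
    for owner, entries in sorted(by_owner.items()):
        print(f"{owner}: {len(entries)} finding(s)")
        for e in entries:
            print(f"  {e['id']:<20} {e['severity']:<9} {e['pkg']} "
                  f"{e['installed']} -> {e['fixed'] or 'no fix released'}")
    print("no fix released:", [e["id"] for e in unfixed])
```

To run it against a real image, produce the report with `trivy image --format json --output report.json geosolutionsit/geoserver:latest` and pass `json.load(open("report.json"))` to `triage`. Findings in the "geoserver" bucket with an empty fix version cannot be closed by the image at all; the only options are an upstream GeoServer change or removing the jar.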

@Morl99
Contributor

Morl99 commented Dec 7, 2023

Hello, I am chiming in; I am in the same team as @jschirrmacher.

I think I found the source of the problem, at least for the Tomcat and base distro. As far as I can see in the repo, the image is based on the official tomcat image (which is great), and uses the tag 9-jdk11-openjdk

FROM tomcat:9-jdk11-openjdk as mother

This is no longer a supported variant of the tomcat image, and thus this tag was updated a year ago. This project should switch to either temurin or corretto, although I imagine that the temurin image will be a lot closer to the former openjdk image.

@Morl99
Contributor

Morl99 commented Dec 7, 2023

I have tested this approach locally and it works for our setup. I have created a simple Pull Request, it is straight forward.

@randomorder
Member

Thank you @Morl99
Testing on the PR is ongoing. I'll merge right after.

@randomorder
Member

PR merged, thank you @Morl99

@Morl99
Contributor

Morl99 commented Dec 13, 2023

My pleasure, the PR still seems to be open though, can you double check?

5 participants