This repository has been archived by the owner on Oct 12, 2023. It is now read-only.

Change Base Image (?) #69

Open
t-book opened this issue Dec 29, 2020 · 5 comments

@t-book
Contributor

t-book commented Dec 29, 2020

For security reasons it would be advisable to switch to one of these base images:

| Base Image | Vulnerabilities | Severity |
|---|---|---|
| tomcat:10.0.0-M7-jdk14-openjdk-oracle | 0 | 0 high, 0 medium, 0 low |
| tomcat:9.0.37-jdk14-openjdk-oracle | 0 | 0 high, 0 medium, 0 low |
| tomcat:10.0.0-M5-jdk14-openjdk-oracle | 0 | 0 high, 0 medium, 0 low |
| tomcat:9.0.31-jdk13-openjdk-oracle | 0 | 0 high, 0 medium, 0 low |

As far as I can see these are all on CentOS; we should check for a newer buster image.

@frafra

frafra commented Dec 30, 2020

I agree with updating the images; we could enable depend-a-bot (now integrated in GitHub) to check for security upgrades for the Dockerfiles.
I have some doubts about moving from the tomcat image to something custom based on Debian if that is because of CentOS Stream, but it could be worth the effort if that could help to streamline the non-Docker setup with the Dockerfiles.

@t-book
Contributor Author

t-book commented Dec 30, 2020

> I agree with updating the images; we could enable depend-a-bot (now integrated in GitHub) to check for security upgrades for the Dockerfiles.

My +1, and maybe on merging a build push to Docker Hub as well.

> I have some doubts about moving from the tomcat image to something custom based on Debian if that is because of CentOS Stream, but it could be worth the effort if that could help to streamline the non-Docker setup with the Dockerfiles.

I think this is a misunderstanding. From a quick look, I've guessed the current image is Debian based, whereas those mentioned above are CentOS. To not produce too much work with reworking the Dockerfile, my idea was to stick with a Debian-based one.

@frafra

frafra commented Jan 3, 2021

> I think this is a misunderstanding. From a quick look, I've guessed the current image is Debian based, whereas those mentioned above are CentOS. To not produce too much work with reworking the Dockerfile, my idea was to stick with a Debian-based one.

You are right. It would be perfect then :)

@t-book
Contributor Author

t-book commented Jan 8, 2021

@frafra do you have experience with what is needed to let dependabot scan Dockerfiles?

@frafra

frafra commented Jan 8, 2021

@t-book dependabot needs to know the location of the Dockerfile and it assumes it is in the main directory by default: https://dependabot.com/docs/config-file/
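As an added example (not from this issue or the project), this is the GitHub-native `.github/dependabot.yml` that would enable Dockerfile scanning as discussed above; the root entry matches dependabot's default location, and the second entry uses a hypothetical subdirectory path, assumed here only to show how a non-root Dockerfile must be listed:

```yaml
# .github/dependabot.yml  (added example, not part of this repository)
version: 2
updates:
  # Dockerfile at the repository root: dependabot's default location.
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "weekly"
    # Cap the number of open bump PRs so base-image updates arrive one at a time.
    open-pull-requests-limit: 5

  # A Dockerfile kept anywhere else is not found automatically and needs
  # its own entry. Path below is hypothetical, assumed for illustration.
  - package-ecosystem: "docker"
    directory: "/docker/tomcat"
    schedule:
      interval: "weekly"
```

Dependabot updates the tag in the `FROM` line, so the Dockerfile should pin a versioned tag such as the `tomcat:9.0.37-jdk14-openjdk-oracle` form listed in the first comment rather than `latest`, otherwise there is nothing for it to bump.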
