cloud-builders-community
Numerous vulnerabilities reported by Trivy against gcloud container image
A Trivy scan is reporting 1 critical and numerous high vulnerabilities against the official gcloud image. Please see the attached scan-result.json.txt.
Current reported critical issue: CVE-2019-3462
Please note: GCR's own scan is categorizing numerous CVEs as MEDIUM and LOW instead of HIGH. It seems to be using Ubuntu's PRIORITY as SEVERITY, which may be incorrect?
Ubuntu's definition of priority
The priorities assigned to vulnerabilities in Ubuntu are for prioritizing the work of when CVEs will be fixed as opposed to just an assessment of severity, importance or risk. The priority is based on many factors including severity, importance, risk, install base, software configuration, active exploitation and other factors which may adjust the impact of certain vulnerabilities such as Ubuntu's proactive security features. Importantly, these priority levels are distinct from other published severity levels (such as CVSS as used in the National Vulnerability Database).
Affected builder image
Community images that are based on gcr.io/cloud-builders/gcloud:
gcr.io/cloud-builders-community/bq
Expected Behavior
The latest community images should at least be free of critical issues?
Actual Behavior
Numerous critical and high vulnerabilities are reported by Trivy.
Steps to Reproduce the Problem
trivy gcr.io/cloud-builders/gcloud
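The issue turns on two different severity scales (Ubuntu's fix priority versus NVD's CVSS rating) producing different counts for the same image. Below is an added example, not code from this issue or from the cloud-builders-community project, that reads a Trivy JSON report, tallies vulnerabilities under both scales, lists the CVEs that the vendor severity rates lower than their CVSS v3 score would, and returns a pass/fail verdict a build step could act on. It assumes Trivy's JSON layout (a top-level `Results` list in current versions, a bare list in older ones) and Trivy's `CVSS.nvd.V3Score` field; the embedded report is constructed for illustration, the `CVE-0000-000x` identifiers are placeholders rather than real CVEs, and the package versions and scores are illustrative values, not the CVEs' actual NVD data.

```python
"""Summarise a Trivy JSON scan under vendor and CVSS severities and gate a build on it."""
import json
import sys
from collections import Counter

# Trivy's severity vocabulary, lowest to highest.
SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample report in Trivy's JSON layout. CVE-2019-3462 is the CVE named in
# this issue; the CVE-0000-000x IDs are placeholders. Versions and scores are illustrative
# and are NOT the real NVD values.
SAMPLE_SCAN = json.dumps({
    "Results": [{
        "Target": "gcr.io/cloud-builders/gcloud (ubuntu)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2019-3462", "PkgName": "apt",
             "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1",
             "Severity": "CRITICAL", "CVSS": {"nvd": {"V3Score": 9.8}}},
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "pkg-a",
             "Severity": "MEDIUM", "CVSS": {"nvd": {"V3Score": 7.5}}},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "pkg-b",
             "Severity": "LOW", "CVSS": {"nvd": {"V3Score": 8.8}}},
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "pkg-c",
             "Severity": "HIGH"},  # no CVSS data attached
        ],
    }]
})


def rank(severity):
    """Position of a severity label in SEVERITY_ORDER; unknown labels rank lowest."""
    label = (severity or "UNKNOWN").upper()
    return SEVERITY_ORDER.index(label) if label in SEVERITY_ORDER else 0


def cvss_v3_severity(score):
    """Map a CVSS v3 base score to NVD's qualitative rating bands."""
    if score is None or score <= 0.0:
        return "UNKNOWN"  # NVD calls 0.0 "None"; nothing to rank here
    if score >= 9.0:
        return "CRITICAL"
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW"


def iter_vulnerabilities(scan_text):
    """Yield (target, vulnerability) pairs from either Trivy JSON layout."""
    doc = json.loads(scan_text)
    results = doc["Results"] if isinstance(doc, dict) else doc
    for result in results:
        for vuln in result.get("Vulnerabilities") or []:
            yield result.get("Target", ""), vuln


def nvd_v3_score(vuln):
    # Assumes Trivy's "CVSS": {"nvd": {"V3Score": ...}} layout; older reports lack it.
    return (vuln.get("CVSS") or {}).get("nvd", {}).get("V3Score")


def summarize(scan_text):
    """Count findings by vendor severity and by CVSS band, and list the underrated ones."""
    vendor, cvss, underrated = Counter(), Counter(), []
    for _target, vuln in iter_vulnerabilities(scan_text):
        v_sev = SEVERITY_ORDER[rank(vuln.get("Severity"))]
        c_sev = cvss_v3_severity(nvd_v3_score(vuln))
        vendor[v_sev] += 1
        cvss[c_sev] += 1
        # A CVE the vendor rates below its CVSS band is the discrepancy the issue describes.
        if c_sev != "UNKNOWN" and rank(c_sev) > rank(v_sev):
            underrated.append((vuln["VulnerabilityID"], vuln.get("PkgName"), v_sev, c_sev))
    return {"vendor": dict(vendor), "cvss": dict(cvss), "underrated": underrated}


def should_fail(scan_text, threshold="CRITICAL", use_cvss=True):
    """True if any finding reaches the threshold on either scale (vendor only if use_cvss=False)."""
    floor = rank(threshold)
    for _target, vuln in iter_vulnerabilities(scan_text):
        worst = rank(vuln.get("Severity"))
        if use_cvss:
            worst = max(worst, rank(cvss_v3_severity(nvd_v3_score(vuln))))
        if worst >= floor:
            return True
    return False


if __name__ == "__main__":
    # Usage: python gate.py scan-result.json   (falls back to the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SCAN
    report = summarize(text)
    print("by vendor severity:", report["vendor"])
    print("by CVSS v3 band:   ", report["cvss"])
    for cve, pkg, v_sev, c_sev in report["underrated"]:
        print(f"{cve} ({pkg}): vendor={v_sev} cvss={c_sev}")
    sys.exit(1 if should_fail(text) else 0)
```

To produce a real input for this script with current Trivy, run `trivy image --format json -o scan-result.json gcr.io/cloud-builders/gcloud` (the bare `trivy <image>` form in the reproduction step above is the older CLI syntax). Gating on the higher of the two scales is deliberate: a CVE that Ubuntu has deprioritised for fix scheduling can still be the one that matters in a build container, so the vendor label alone should not be what decides whether the image ships.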