docker-draw.io

Debian base image "tomcat:9-jre11-slim" causes CVE-2019-2201 vulnerability in AWS ECR

Open fuminori-ido-m opened this issue 6 years ago • 0 comments

The debian/Dockerfile builds from the base image "tomcat:9-jre11-slim", but the AWS ECR scanner flags it at CRITICAL level for the CVE-2019-2201 vulnerability. Debian looks to be taking no action on that. I am not sure whether that is because there may be no actual critical impact (maybe because it is an Android issue?), but anyway it may be good to work around the critical alert from ECR.

When I changed it to "tomcat:9-jdk11-openjdk-slim", the 1 critical disappeared. Do you agree to changing to this image to work around the ECR critical signal?

fuminori-ido-m, Dec 09 '19 01:12
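
Added example, not part of the original issue or the project's code: one way to check a base-image swap like the one proposed above is to diff the JSON that `aws ecr describe-image-scan-findings` returns for the old and the new image tag, so that findings the new base introduces are seen alongside the one that went away. The helper names, the placeholder CVE ids other than CVE-2019-2201, and the package names are assumptions; the sample findings are constructed and are not real scan output for either image.

```python
import json

# Severity values used by ECR scan findings, most severe first.
SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "INFORMATIONAL", "UNDEFINED"]

def findings_at_or_above(scan_json, min_severity="HIGH"):
    """Set of (cve, severity, package) at or above min_severity in one scan result."""
    wanted = set(SEVERITY_ORDER[: SEVERITY_ORDER.index(min_severity) + 1])
    doc = json.loads(scan_json)
    found = set()
    for f in doc.get("imageScanFindings", {}).get("findings", []):
        if f.get("severity") not in wanted:
            continue
        attrs = {a["key"]: a["value"] for a in f.get("attributes", [])}
        found.add((f["name"], f["severity"], attrs.get("package_name", "?")))
    return found

def compare_scans(before_json, after_json, min_severity="HIGH"):
    """Diff two scan results: what the new image fixes, introduces, and keeps."""
    before = findings_at_or_above(before_json, min_severity)
    after = findings_at_or_above(after_json, min_severity)
    return {
        "fixed": sorted(before - after),
        "introduced": sorted(after - before),
        "remaining": sorted(before & after),
    }

def _scan(*findings):
    """Build a constructed scan document in the describe-image-scan-findings shape."""
    return json.dumps({"imageScanFindings": {"findings": [
        {"name": n, "severity": s,
         "attributes": [{"key": "package_name", "value": p}]}
        for n, s, p in findings]}})

# Constructed sample data (placeholders, not real scanner results).
BEFORE = _scan(("CVE-2019-2201", "CRITICAL", "placeholder-pkg-a"),
               ("CVE-0000-0001", "HIGH", "placeholder-pkg-b"))
AFTER = _scan(("CVE-0000-0001", "HIGH", "placeholder-pkg-b"),
              ("CVE-0000-0002", "MEDIUM", "placeholder-pkg-c"))

if __name__ == "__main__":
    for threshold in ("HIGH", "MEDIUM"):
        print(threshold, compare_scans(BEFORE, AFTER, threshold))
```

Running the comparison at a lower threshold than CRITICAL shows whether the replacement base image trades the one alert for others.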