The lfedge/ekuiper:1.5.1-alpine image has a few High severity vulnerabilities.
Hi all: I tried to use the latest image lfedge/ekuiper:1.5.1-alpine on EdgeX. But there were a few High severity vulnerabilities when the image was scanned.
These are the High severity vulnerabilities:
Library: libcrypto1.1-1.1.1n-r0.apk  Vulnerability id: CVE-2022-2097 (Upgrade to version OpenSSL_1_1_1q, openssl-3.0.5)
Library: libssl1.1-1.1.1n-r0.apk  Vulnerability id: CVE-2022-2097 (Upgrade to version OpenSSL_1_1_1q, openssl-3.0.5)
These are the Medium severity vulnerabilities:
Library: musl-utils-1.2.2-r7.apk  Vulnerability id: CVE-2020-28928 (Upgrade to version musl - 1.2.2-1, 1.2.2-1, 1.1.16-3+deb9u1)
Library: musl-1.2.2-r7.apk  Vulnerability id: CVE-2020-28928 (Upgrade to version musl - 1.2.2-1, 1.2.2-1, 1.1.16-3+deb9u1)
How to fix?
@bighb69738 I don't think we directly use those; maybe they are imported by the dependencies. Where did you run the scan, and do you have more information on where these vulnerabilities occur? Thanks
These libraries are from Alpine. And I scanned the image on Whitesource. I think maybe the Dockerfile of the lfedge/ekuiper:1.5.1-alpine image needs to upgrade these apks. https://github.com/alpinelinux/docker-alpine/issues/261
Thank you, I think we need to upgrade the base alpine version.
Hi @bighb69738, this is the Dockerfile for 1.5.1-alpine: https://github.com/lf-edge/ekuiper/blob/master/deploy/docker/Dockerfile-alpine
You can modify the dependencies and build a new Docker image yourself with this command:
docker build -t lfedge/ekuiper:1.5.1-alpine-patch -f deploy/docker/Dockerfile-alpine .
We would appreciate it if you could verify the image and make a PR for us.
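As an added example (not code from this thread or from the eKuiper project), the script below runs the build command above and then checks, inside the rebuilt image, that the four packages the scan flagged are at or above a fixed version. The minimum versions, the image tag variable and the `apk info -v` line format are assumptions; adjust the minimums to what your scanner reports.

```shell
#!/bin/sh
# Rebuild the alpine image and audit the packages the Whitesource scan flagged.
# Requires GNU sort (-V) for version ordering; docker only for the --build path.
set -eu

IMAGE="lfedge/ekuiper:1.5.1-alpine-patch"

# ASSUMED minimum fixed versions (name, Alpine package version), mapped from the
# scanner's "upgrade to" advice; confirm against the Alpine secdb before relying on them.
MIN_VERSIONS="libcrypto1.1 1.1.1q-r0
libssl1.1 1.1.1q-r0
musl 1.2.2-r0
musl-utils 1.2.2-r0"

# True (exit 0) if version $1 is >= version $2 in Alpine's 1.1.1n-r0 style ordering.
version_ge() {
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n1)" = "$1" ]
}

# Reads "name-version" lines (the `apk info -v` format) on stdin and prints one
# verdict per flagged package; returns 1 if any flagged package is below its minimum.
audit_packages() {
  rc=0
  while read -r line; do
    # Split at the last "-<digit...>-r<N>" segment so names like musl-utils stay intact.
    name=$(printf '%s\n' "$line" | sed -E 's/^(.*)-([0-9][^-]*-r[0-9]+)$/\1/')
    ver=$(printf '%s\n' "$line" | sed -E 's/^(.*)-([0-9][^-]*-r[0-9]+)$/\2/')
    min=$(printf '%s\n' "$MIN_VERSIONS" | awk -v n="$name" '$1 == n { print $2 }')
    [ -n "$min" ] || continue   # not one of the flagged packages
    if version_ge "$ver" "$min"; then
      echo "OK   $name $ver (>= $min)"
    else
      echo "VULN $name $ver (< $min)"
      rc=1
    fi
  done
  return $rc
}

# With --build: run the build command from the thread, then audit the new image.
if [ "${1:-}" = "--build" ]; then
  docker build -t "$IMAGE" -f deploy/docker/Dockerfile-alpine .
  docker run --rm --entrypoint apk "$IMAGE" info -v | audit_packages
fi
```

Run `sh audit.sh --build` from the repository root; a non-zero exit means at least one flagged package is still below its assumed minimum.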
Closed because of inactivity.