ebierhoda opened a new issue, #6792:
URL: https://github.com/apache/incubator-devlake/issues/6792

### Search before asking

- [X] I had searched in the [issues](https://github.com/apache/incubator-devlake/issues?q=is%3Aissue) and found no similar issues.

### What happened

Good day,

Originally, I deployed Apache DevLake v0.18.0 and pulled in some data from two sources currently in use in my company (Bitbucket and Azure DevOps). I was quite pleased with the results and how quick it was to get meaningful insights into our data. Well done to the team for creating this great product.

Prior to presenting the POC to some of the members of my leadership team, I thought I would preempt some of the questions they would pose about security, and I proceeded to do a container scan using Docker Scout.

For the devlake-config-ui container, the scan picked up 12 critical and 39 high vulnerabilities.

![Vulnerabilities-Config-UI](https://github.com/apache/incubator-devlake/assets/49390786/85ed86eb-da78-44fe-a88d-26fde662d143)

I also tried v0.20.0-beta5 and got the same vulnerabilities. Under recommended fixes, in other versions of the base image, the vulnerabilities are addressed.

![image](https://github.com/apache/incubator-devlake/assets/49390786/eeac4248-b462-439e-9e78-9c6bf441385f)

I noticed that the Dockerfile for the config-ui uses nginxinc/nginx-unprivileged:1.21 and mention is made of a possible upgrade to a later version. This is mentioned in https://github.com/apache/incubator-devlake/issues/4250, but the issue seems to have been closed due to inactivity.

Would it be possible to upgrade to a later version of the image to address the critical and high vulnerabilities?

Thank you,
Regards

### What do you expect to happen

The base images will be updated to the most recent stable versions according to recommendations that address the vulnerabilities.

### How to reproduce

Run docker compose to start up the containers and do a docker scan on the devlake-config-ui image.
I got roughly the same results using v0.18.0 and v0.20.0-beta5.

### Anything else

_No response_

### Version

v0.18.0 or v0.20.0-beta5

### Are you willing to submit PR?

- [ ] Yes I am willing to submit a PR!

### Code of Conduct

- [X] I agree to follow this project's [Code of Conduct](https://www.apache.org/foundation/policies/conduct)

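An added example (not DevLake's own tooling, nor the reporter's) of how a CI job could catch the two things this report describes: a Dockerfile whose final stage still ships on the old nginx-unprivileged line, and critical/high CVEs in the built image. MIN_NGINX_LINE is an assumed policy value, and the image name in the usage comment is an assumption.

```shell
#!/usr/bin/env bash
# Added example, not DevLake's own tooling. Two checks for the config-ui image:
# a static check of the Dockerfile's final base image against a minimum
# approved nginx-unprivileged release line, and a Docker Scout gate that fails
# the job on critical/high CVEs.
set -euo pipefail

MIN_NGINX_LINE="${MIN_NGINX_LINE:-1.25}"   # assumption: release line the scanner recommends

# Print the image reference of the last FROM line (the final stage of a
# multi-stage build is what ships), skipping flags such as --platform=...
final_base_image() {
  awk '$1 == "FROM" { for (i = 2; i <= NF; i++) if ($i !~ /^--/) { img = $i; break } }
       END { print img }' "$1"
}

# Exit 0 if the tag of image ref $1 sorts below version $2 (GNU sort -V), or if
# the ref carries no tag at all (an unpinned "latest" is flagged as well).
tag_below() {
  local ref="${1%%@*}" tag            # drop any @sha256:... digest suffix
  tag="${ref##*:}"
  case "$tag" in "$ref"|*/*) return 0 ;; esac   # no tag, or only a registry port
  if printf '%s\n%s\n' "$tag" "$2" | sort -V -C && [ "$tag" != "$2" ]; then
    return 0
  fi
  return 1
}

# Exit 0 when the Dockerfile at $1 still ships on an nginx-unprivileged line
# older than MIN_NGINX_LINE; exit 1 otherwise (other base images are not judged).
base_image_outdated() {
  local img
  img="$(final_base_image "$1")"
  case "$img" in
    nginxinc/nginx-unprivileged*) tag_below "$img" "$MIN_NGINX_LINE" ;;
    *) return 1 ;;
  esac
}

# Runtime gate for a built image ref (needs the Docker CLI with the Scout
# plugin, so it is not exercised offline). --exit-code makes scout return
# non-zero while findings remain; recommendations lists newer base image tags.
scout_gate() {
  docker scout cves --only-severity critical,high --exit-code "$1"
  docker scout recommendations "$1"
}

# Usage (image name is an assumption):
#   base_image_outdated config-ui/Dockerfile && echo "config-ui base image is outdated"
#   scout_gate devlake-config-ui:local
```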