Hi Jerin,

For the first point, the Drill team really focuses our efforts on the actual Drill source code and not the Docker images. My suggestion would be to use the vulnerability scanner to scan Drill’s source code and see what it finds. You can always run Drill on other Docker images.

Best,
— CD
> On Jan 30, 2025, at 13:48, Jerin Sharif <jsha...@gblsys.com> wrote:
>
> Hello again - I have been diving a little further into the vulnerabilities and found that half are from an older version of Debian (11.3) for the Docker image being scanned (I am getting it from https://hub.docker.com/layers/apache/drill/master-openjdk-17/images/sha256-f31488970745ebc692958ab0b684b8a753fa06dd634fccacc3b229b280002079, which says The Apache Software Foundation released it) and the other half are from some JAR tools which have available remediations. Is this typical of releases? Is there a prescribed method for end users to keep the containers up to date? Packaging an end-of-life OS (Hadoop's image has CentOS 7, which is EOL) as an image seems odd, so I am wondering if I am missing a step for installing / updating the given image?
>
> -----Original Message-----
> From: Jerin Sharif
> Sent: Wednesday, January 29, 2025 9:43 AM
> To: cgi...@gmail.com; user@drill.apache.org
> Cc: James Brodeur <jbrod...@gblsys.com>
> Subject: RE: Trivy Remediations for Drill
>
> So for Drill I've attached a list of high and critical vulnerability statuses given by a combination of vulnerability databases (https://avd.aquasec.com/) which the scan tool Trivy identifies for us. We work with a lot of projects that must comply with zero-tolerance high-and-above vulnerability readings for security purposes, with justifications for high statuses. It would be great to see that implemented with your tool, since we have already seen quite a few of our projects pick it up. Thank you for your quick response - if there is any sort of time frame or notification list I could be on, I would appreciate that a ton. We are also looking to communicate this with the Apache Hadoop team, but I can't seem to find a contact / timeline for that; would you know of a way to contact them? I know Apache itself has a contact email, but they insist each project has a website and to look there first, and I couldn't find a contact / timeline on Hadoop's website. Thanks again!
>
> -----Original Message-----
> From: James Brodeur <jbrod...@gblsys.com>
> Sent: Wednesday, January 29, 2025 8:49 AM
> To: Jerin Sharif <jsha...@gblsys.com>
> Subject: FW: Trivy Remediations for Drill
>
> -----Original Message-----
> From: Charles Givre <cgi...@gmail.com>
> Sent: Tuesday, January 28, 2025 7:28 PM
> To: user@drill.apache.org
> Cc: James Brodeur <jbrod...@gblsys.com>
> Subject: Re: Trivy Remediations for Drill
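To triage a Trivy report the way Jerin describes (base-image findings versus JAR findings, each with or without an available fix) and apply a zero-tolerance HIGH/CRITICAL gate, here is an added Python example that is not from this thread or the Drill project. The report it reads is a constructed sample in the layout of Trivy's JSON output; every CVE id, package name and version in it is a placeholder.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of `trivy image -f json` output (not real scan data);
# CVE ids, package names and versions are placeholders.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "example/app:latest",
    "Results": [
        {"Target": "example/app:latest (debian 11.3)", "Class": "os-pkgs", "Type": "debian",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-PLACEHOLDER1", "PkgName": "libexample1",
              "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-0000-PLACEHOLDER2", "PkgName": "libexample2",
              "InstalledVersion": "2.0-1", "Severity": "CRITICAL"}]},
        {"Target": "Java", "Class": "lang-pkgs", "Type": "jar",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-PLACEHOLDER3", "PkgName": "org.example:lib",
              "InstalledVersion": "3.1.0", "FixedVersion": "3.1.4", "Severity": "HIGH",
              "PkgPath": "opt/app/jars/lib-3.1.0.jar"},
             {"VulnerabilityID": "CVE-0000-PLACEHOLDER4", "PkgName": "org.example:other",
              "InstalledVersion": "0.9", "Severity": "MEDIUM"}]},
    ],
})

def triage(report_json, severities=("HIGH", "CRITICAL")):
    """Group findings by where they come from: the OS base image (fixed by rebuilding
    on a patched base) or language packages such as JARs (fixed by upgrading the
    dependency). Within each group, split by whether Trivy reports a FixedVersion."""
    buckets = defaultdict(lambda: {"fixable": [], "unfixed": []})
    for result in json.loads(report_json).get("Results", []):
        origin = "base image" if result.get("Class") == "os-pkgs" else result.get("Type", "other")
        for v in result.get("Vulnerabilities") or []:   # key may be absent or null
            if v.get("Severity") not in severities:
                continue
            fixed = v.get("FixedVersion")
            line = f'{v["VulnerabilityID"]} {v["PkgName"]} {v["InstalledVersion"]}'
            buckets[origin]["fixable" if fixed else "unfixed"].append(
                f"{line} -> {fixed}" if fixed else line)
    return dict(buckets)

def has_blocking_findings(report_json):
    """Zero-tolerance gate: any remaining HIGH or CRITICAL finding fails the check."""
    return any(b["fixable"] or b["unfixed"] for b in triage(report_json).values())

if __name__ == "__main__":
    for origin, b in triage(SAMPLE_REPORT).items():
        print(f"== {origin}: {len(b['fixable'])} with a fix available, {len(b['unfixed'])} without")
        for line in b["fixable"] + b["unfixed"]:
            print("   " + line)
    print("blocking:", has_blocking_findings(SAMPLE_REPORT))
```

Pipe a real `trivy image -f json <image>` report into `triage` to see which findings go away by rebuilding on a current base image and which need a dependency bump in the application itself.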