I'm not sure if it helps, but on develop we've switched to the liberica openjdk 11 docker image as the base image. So some of these may go away if they are JDK 8 specific vulnerabilities.
The state we are in right now is that when we do a release we're building our Docker image on the latest liberica base image. Once we release our image, we don't release another image until the next geode release. I see some are JDK vulnerabilities, so the base distribution won't help those. But maybe using a more minimal base distro like alpine might help the others.

________________________________
From: aashish choudhary <aashish.choudha...@gmail.com>
Sent: Monday, January 11, 2021 11:05 PM
To: user@geode.apache.org <user@geode.apache.org>
Subject: apache geode docker image vulnerabilities

Hi,

I just ran the docker scan powered by Snyk for Apache Geode and it shows 13 High severity vulnerabilities. Attached scan report. Maybe an upgrade to alpine or some libraries is required to reduce security scan noise? Any plans for remediating these reported vulnerabilities?

With Best Regards,
Ashish