[
https://issues.apache.org/jira/browse/SOLR-17755?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17950134#comment-17950134
]
Jan Høydahl commented on SOLR-17755:
------------------------------------
This has been discussed before. The critical ones are due to an older Go
runtime version used by our "gosu" install, but there is no way to exploit
this. It will go away in 10.x as we will be using a newer Ubuntu base image.
We could have upgraded from "jammy" (Ubuntu 22.04) to "noble" (Ubuntu 24.04)
right now (replace the FROM line with eclipse-temurin:17-jre-noble), but we have
intentionally avoided that in the 9.x line since it could bring breaking changes
for folks relying on that version. We could also have installed a newer gosu
with a few more lines of Dockerfile, but that would bloat the Dockerfile. So
we're a bit stuck. We could have offered users both variants as a choice, but
that adds complexity too.
I'm not sure what you expect from this JIRA. If you have concrete suggestions
for how to remove some of the vulns, we're listening. You can also build your
own image based on the Dockerfile published with Solr, but with modifications.
> Official Docker Images with a horrible number of security vulnerabilities
> -------------------------------------------------------------------------
>
> Key: SOLR-17755
> URL: https://issues.apache.org/jira/browse/SOLR-17755
> Project: Solr
> Issue Type: Bug
> Components: Docker
> Affects Versions: 9.8.1
> Reporter: Alexander Veit
> Priority: Major
> Attachments: image-2025-05-07-19-43-18-313.png
>
>
> The official Solr container image adds 73 security vulnerabilities, four of
> them with critical, and 37 of them with high severity, to the base image.
> These vulnerabilities show up not only on DockerHub but also in corporate
> security scans. According to Docker Scout these vulnerabilities could be
> fixed, so they probably should be fixed.
> !image-2025-05-07-19-43-18-313.png!
> https://hub.docker.com/layers/library/solr/9.8.1/images/sha256-2b79aecf860291dc257460e934e275af9bb79fda1991a2c6072535d18a63f07a
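The comment above describes two workarounds without showing them: swapping the base image for the noble variant, or adding a few Dockerfile lines that install a newer gosu. The Dockerfile below is an added example, not code from the Solr project or from the commenter. It takes the "build your own image" route by layering on top of the published solr:9.8.1 image and replacing the distribution gosu with a release binary whose detached signature is verified before it is trusted. The gosu release URL pattern and the signing key fingerprint are taken from the gosu project's INSTALL.md and should be re-checked against it before use; GOSU_VERSION is a pinned value you choose. It is assumed that the Solr image has gosu on PATH and runs as the solr user, so the build switches to root and back.

```dockerfile
# Added example: overlay a newer, signature-verified gosu on the official Solr image.
# Assumption: solr:9.8.1 ships gosu on PATH (the Ubuntu package) and runs as user "solr".
# Alternative from the comment (not shown here): build Solr's own Dockerfile with the
# FROM line changed to eclipse-temurin:17-jre-noble to pick up the newer Ubuntu base.
FROM solr:9.8.1

# Pin the gosu release you have reviewed; bump deliberately, not via "latest".
ARG GOSU_VERSION=1.17
# Fingerprint of the gosu release signing key as published in gosu's INSTALL.md.
# Verify it against the upstream document before building.
ARG GOSU_KEY=B42F6819007F00F88E364FD4036A9C25BF357DD4

USER root
RUN set -eux; \
    apt-get update; \
    apt-get install -y --no-install-recommends ca-certificates gnupg wget; \
    rm -rf /var/lib/apt/lists/*; \
    # Map the Debian architecture name (amd64, arm64, ...) to the gosu asset name.
    dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
    wget -O /tmp/gosu     "https://github.com/tianon/gosu/releases/download/${GOSU_VERSION}/gosu-${dpkgArch}"; \
    wget -O /tmp/gosu.asc "https://github.com/tianon/gosu/releases/download/${GOSU_VERSION}/gosu-${dpkgArch}.asc"; \
    # Verify the detached signature in a throwaway keyring; fail the build if it does not check out.
    export GNUPGHOME="$(mktemp -d)"; \
    gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "${GOSU_KEY}"; \
    gpg --batch --verify /tmp/gosu.asc /tmp/gosu; \
    gpgconf --kill all; \
    rm -rf "${GNUPGHOME}" /tmp/gosu.asc; \
    # Replace whichever gosu the base image put on PATH, so the entrypoint picks up the new one.
    target="$(command -v gosu)"; \
    install -m 0755 /tmp/gosu "${target}"; \
    rm -f /tmp/gosu; \
    # Smoke test: the binary runs and can drop privileges.
    gosu --version; \
    gosu nobody true; \
    # Remove the tools that were only needed for the download/verification step.
    apt-get purge -y --auto-remove gnupg wget
USER solr
```

Build it with `docker build -t solr:9.8.1-gosu .` and re-run the same scanner the issue refers to against the new tag; the findings tied to the Go runtime inside the old gosu binary should drop out, while anything rooted in the jammy base packages remains until the base image changes as the comment describes.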
--
This message was sent by Atlassian Jira
(v8.20.10#820010)