Hi Support, I'm developing a solution using Apache Drill on a MongoDB cluster server, and it works well.
But, when I tried to approve the package at my company, it did not pass IT security scans.

I performed a security scan using the Sonatype Nexus IQ scanner, done on a Linux box, on two docker images:

- apache-drill:master
- apache-drill:1.20.2

Both docker images did not pass the security scan. I've tried to attach both reports, but they exceed the size limit allowed by your email server.

Here are the steps to reproduce the reports:

1. Pull the docker images
   # docker pull apache/drill:master
   # docker pull apache/drill:1.20.2
2. Save the docker images to a local file
   # docker save -o apache-drill-master.tar <image-id>
   # docker save -o apache-drill-1.20.2.tar <image-id>
3. Install the Sonatype Nexus IQ scanner
4. Run the Sonatype Nexus IQ scanner
5. Load each docker image file and start the scan

At the end of the scan a report is sent to you by email. I've attached two screenshots of the first report page of each report.

Can you check these vulnerabilities, especially the high and medium security levels, and write about them?

Regards,
Dan Mayer

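The export steps from the message above, written up as a small POSIX shell script (an added example, not part of the original email or of the Apache Drill project). It pulls the two image tags named in the email, saves each one to a tar file using the email's own naming convention (apache-drill-<tag>.tar), and writes a manifest with the image ID and tar checksum so that a scan report can be tied to exactly which build was scanned. The script name, the manifest file name and the `run` argument are assumptions; the scanner itself is not invoked here, since it is driven from its own UI or CLI.

```shell
#!/bin/sh
# Added example, not code from the original email: export Apache Drill docker
# images to tar files for an offline scanner and record what was exported.
set -eu

# Derive the tar file name from an image reference, following the email's
# convention: "apache/drill:1.20.2" -> "apache-drill-1.20.2.tar"
tar_name_for() {
    ref="$1"
    printf '%s.tar\n' "$(printf '%s' "$ref" | tr '/:' '--')"
}

# Pull, export and fingerprint one image. Requires a working docker CLI.
# Saving by reference (not by ID) keeps the RepoTags inside the tar, which
# scanners use to label the image in their report.
export_image() {
    ref="$1"
    out="$(tar_name_for "$ref")"
    docker pull "$ref"
    # Image ID (sha256 of the image config) identifies the exact build scanned.
    image_id="$(docker image inspect --format '{{.Id}}' "$ref")"
    docker save -o "$out" "$ref"
    # Manifest line: reference, image ID, sha256 of the tar that is uploaded.
    printf '%s %s %s\n' "$ref" "$image_id" "$(sha256sum "$out" | cut -d' ' -f1)" \
        >> scan-manifest.txt
}

# Export both tags named in the email (assumed file name: scan-manifest.txt).
main() {
    : > scan-manifest.txt
    for ref in apache/drill:master apache/drill:1.20.2; do
        export_image "$ref"
    done
    cat scan-manifest.txt
}

# Usage: sh export-drill-images.sh run
if [ "${1:-}" = "run" ]; then
    main
fi
```

Keeping the manifest alongside the report matters because `apache/drill:master` is a moving tag: a finding reported against it today may refer to a different build than the one someone pulls tomorrow, and the image ID is what lets the two be compared.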