Security Scan against solace/solace-pubsub-standard:latest (ec1886a90f54 2 months ago) shows 6 HIGH prio vulnerabilities
Is there anybody who knows when Solace will fix it, and also in the enterprise versions?
Any hint / script from the community to fix this fast?
Output generated with Docker Desktop and the Trivy extension:
solace-pubsub-standard $ cat Dockerfile
# Rebuild on top of the published image and pull in the pending UBI package updates
FROM solace/solace-pubsub-standard:latest
RUN microdnf update -y
solace-pubsub-standard $ docker build -t solace-pubsub-standard:20220531 .
Installing: 5 packages
Reinstalling: 0 packages
Upgrading: 116 packages
Obsoleting: 0 packages
Removing: 0 packages
Downgrading: 0 packages
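To check what a rebuild like the one above actually changed, a practitioner would rescan the new image and diff the two Trivy reports rather than compare raw counts by eye. The script below is an added example for this thread, not Solace code or part of Trivy; it assumes Trivy's JSON output format (`trivy image -f json -o before.json <image>`, run once against the published image and once against the rebuilt tag). The two embedded reports are constructed sample data with placeholder CVE ids, not findings from the real image. It separates findings the rebuild removed from those that remain, and flags remaining findings with no FixedVersion, which is the "no available fix in the base image" case a rebuild cannot address.

```python
"""Diff two Trivy JSON reports (schema v2) to see which findings a rebuild removed.

Added example, not Solace's or Trivy's code. BEFORE_REPORT and AFTER_REPORT are
constructed sample data with placeholder CVE ids; real reports come from
`trivy image -f json -o <file> <image>` before and after the rebuild.
"""
import json
from collections import Counter

SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN"]


def _finding(vuln_id, pkg, installed, fixed, severity):
    # Build one Trivy-style vulnerability record (constructed data).
    return {"VulnerabilityID": vuln_id, "PkgName": pkg, "InstalledVersion": installed,
            "FixedVersion": fixed, "Severity": severity}


# Constructed "before" scan: two findings with fixes available, one HIGH with no
# fix shipped by the base distro, and one MEDIUM whose fix is not yet in the repos.
BEFORE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "solace/solace-pubsub-standard:latest",
    "Results": [{
        "Target": "solace/solace-pubsub-standard:latest (redhat 8.x)",
        "Class": "os-pkgs",
        "Vulnerabilities": [
            _finding("CVE-XXXX-0001", "pkg-a", "1.0-1", "1.0-2", "CRITICAL"),
            _finding("CVE-XXXX-0002", "pkg-b", "2.3-5", "2.3-6", "HIGH"),
            _finding("CVE-XXXX-0003", "pkg-c", "0.9-1", "", "HIGH"),
            _finding("CVE-XXXX-0004", "pkg-d", "4.1-1", "4.1-3", "MEDIUM"),
        ],
    }],
})

# Constructed "after" scan of the rebuilt image: the two fixable findings are gone,
# the unfixable HIGH and the MEDIUM (fix not in enabled repos yet) remain.
AFTER_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "solace-pubsub-standard:20220531",
    "Results": [{
        "Target": "solace-pubsub-standard:20220531 (redhat 8.x)",
        "Class": "os-pkgs",
        "Vulnerabilities": [
            _finding("CVE-XXXX-0003", "pkg-c", "0.9-1", "", "HIGH"),
            _finding("CVE-XXXX-0004", "pkg-d", "4.1-1", "4.1-3", "MEDIUM"),
        ],
    }],
})


def load_findings(report_json):
    """Map (vuln id, package) -> details for every finding in a Trivy JSON report."""
    findings = {}
    for result in json.loads(report_json).get("Results", []):
        # "Vulnerabilities" is absent or null when a target is clean.
        for vuln in result.get("Vulnerabilities") or []:
            findings[(vuln["VulnerabilityID"], vuln["PkgName"])] = {
                "severity": vuln.get("Severity", "UNKNOWN"),
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion", ""),
                "target": result.get("Target", ""),
            }
    return findings


def count_by_severity(findings):
    """Severity histogram in Trivy's order, omitting zero counts."""
    counts = Counter(f["severity"] for f in findings.values())
    return {s: counts[s] for s in SEVERITY_ORDER if counts[s]}


def compare_reports(before_json, after_json):
    """Classify each finding as fixed by the rebuild, still present, or newly introduced."""
    before, after = load_findings(before_json), load_findings(after_json)
    remaining = {k: v for k, v in before.items() if k in after}
    return {
        "fixed": {k: v for k, v in before.items() if k not in after},
        "remaining": remaining,
        # Empty FixedVersion: the distro has not shipped a patch, so no rebuild removes it.
        "unfixable": {k: v for k, v in remaining.items() if not v["fixed"]},
        "introduced": {k: v for k, v in after.items() if k not in before},
        "before": count_by_severity(before),
        "after": count_by_severity(after),
    }


def summary_lines(result):
    """Human-readable summary, one line per remaining finding."""
    lines = [
        f"before: {result['before']}",
        f"after:  {result['after']}",
        f"fixed by rebuild: {len(result['fixed'])}, remaining: {len(result['remaining'])} "
        f"(no upstream fix: {len(result['unfixable'])}), introduced: {len(result['introduced'])}",
    ]
    for (vid, pkg), f in sorted(result["remaining"].items()):
        note = "no fix available" if not f["fixed"] else f"fix exists: {f['fixed']}"
        lines.append(f"  {f['severity']:8} {vid} {pkg} {f['installed']} ({note})")
    return lines


if __name__ == "__main__":
    print("\n".join(summary_lines(compare_reports(BEFORE_REPORT, AFTER_REPORT))))
```

Run against real reports by replacing the two constants with the contents of the before/after JSON files. The "remaining, fix exists" category is the one worth a second look after a rebuild: the package may only be patched in a repo the image does not enable, or the patched version may not yet be published, whereas the "no fix available" category is exactly the set no amount of `microdnf update` will change.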
Judd_Robertson (Member, Employee, Posts: 1, Solace Employee), edited June 2022 #4
Thanks for your interest in our product. There are a few aspects to your question, and I'll try to answer them all here.
In addition to the :latest tag, we also publish an :edge tag. A few of the vulnerabilities you mentioned have already been fixed in our :edge release.
Our container is based on the Red Hat Universal Basic Image (UBI); we rely on vulnerability fixes within the UBI, and some of these vulnerabilities do not have available fixes. Sometimes Red Hat chooses not to release a fix at all (the CVE-2018 vulnerabilities are examples of this).
The remainder of the vulnerabilities you mentioned will be resolved in an upcoming release.
Finally, I'd like to strongly caution you against updating our docker container yourself. There is a chance that problems will be introduced with updated libraries, and Solace has not certified our broker with these versions of libraries.
Thanks for your answer.
Conclusion for me:
If I use the community edition without support, I'll be up to date (solves the critical vulnerabilities: 208 - 188 = 30 vuln. solved, incl. all critical) with my mentioned "docker build -t solace-pubsub-standard:20220531 .", without guarantee regarding functionality and without support.