Security Scan against solace/solace-pubsub-standard:latest (2 months ago) shows 6 HIGH prio vulnerabilities

mathaase Member Posts: 7

Hello,

Security Scan against solace/solace-pubsub-standard:latest (ec1886a90f54  2 months ago) shows 6 HIGH prio vulnerabilities

Is there anybody who knows when Solace will fix it, and also in the enterprise versions?

Any hint / script from the community to fix this fast?

Output generated with Docker Desktop and the Trivy extension.

Regards, Matthias

Answers

  • mathaase Member Posts: 7

    Try:

    solace-pubsub-standard $ vi Dockerfile

    FROM solace/solace-pubsub-standard
    USER root
    RUN microdnf update -y

    solace-pubsub-standard $ docker build -t solace-pubsub-standard:20220531 .

    output is:

    Transaction Summary:
    Installing:       5 packages
    Reinstalling:     0 packages
    Upgrading:      116 packages
    Obsoleting:       0 packages
    Removing:         0 packages
    Downgrading:      0 packages

  • mathaase Member Posts: 7

    Now it's solved for me regarding critical and high prio, but some medium and low prio warnings still occur.

  • Judd_Robertson Member, Employee Posts: 1 Solace Employee
    edited June 2022 #4

    Hi Matthias,

    Thanks for your interest in our product. There are a few aspects to your question, and I'll try to answer them all here.

    In addition to the :latest tag, we also publish an :edge tag. A few of the vulnerabilities you mentioned have already been fixed in our :edge release.

    Our container is based on the Red Hat Universal Basic Image (UBI). We rely on vulnerability fixes within the UBI, and some of these vulnerabilities do not have available fixes. Sometimes Red Hat chooses not to release a fix at all (the CVE-2018 vulnerabilities are examples of this).

    The remainder of the vulnerabilities you mentioned will be resolved in an upcoming release.

    Finally, I'd like to strongly caution you against updating our docker container yourself. There is a chance that problems will be introduced with updated libraries, and Solace has not certified our broker with these versions of libraries.


    Judd
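    Whether the `microdnf update` rebuild from the first answer is worth its certification risk comes down to which CRITICAL/HIGH findings it actually clears and which, as Judd notes, have no fix in the UBI at all. The script below is an added example, not code from the thread or from Solace: it diffs two Trivy JSON reports (scan before and after the rebuild) and separates resolved findings from those left with no `FixedVersion`. The embedded reports are constructed, with placeholder CVE ids and package names.

```python
"""Diff two Trivy JSON reports (before/after an image rebuild) for CRITICAL/HIGH findings."""
import json
from collections import Counter

TRACKED = ("CRITICAL", "HIGH")

# Constructed sample reports in Trivy's JSON layout (Results[].Vulnerabilities[]).
# CVE ids and package names are placeholders, not findings from the thread.
BEFORE_JSON = """{"ArtifactName": "solace/solace-pubsub-standard:latest", "Results": [{"Target": "ubi",
 "Vulnerabilities": [
  {"VulnerabilityID": "CVE-0000-0001", "PkgName": "pkg-a", "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "HIGH"},
  {"VulnerabilityID": "CVE-0000-0002", "PkgName": "pkg-b", "InstalledVersion": "2.1-3", "FixedVersion": "", "Severity": "HIGH"},
  {"VulnerabilityID": "CVE-0000-0003", "PkgName": "pkg-c", "InstalledVersion": "3.4", "FixedVersion": "3.5", "Severity": "CRITICAL"},
  {"VulnerabilityID": "CVE-0000-0004", "PkgName": "pkg-d", "InstalledVersion": "0.9", "FixedVersion": "", "Severity": "LOW"}]}]}"""
AFTER_JSON = """{"ArtifactName": "solace-pubsub-standard:20220531", "Results": [{"Target": "ubi",
 "Vulnerabilities": [
  {"VulnerabilityID": "CVE-0000-0002", "PkgName": "pkg-b", "InstalledVersion": "2.1-3", "FixedVersion": "", "Severity": "HIGH"},
  {"VulnerabilityID": "CVE-0000-0004", "PkgName": "pkg-d", "InstalledVersion": "0.9", "FixedVersion": "", "Severity": "LOW"}]}]}"""


def load_vulns(report: dict, severities=TRACKED) -> dict:
    """Map VulnerabilityID -> finding for every tracked-severity entry in a Trivy report."""
    vulns = {}
    for result in report.get("Results", []):
        # Trivy emits null instead of an empty list when a target has no findings.
        for v in result.get("Vulnerabilities") or []:
            if v["Severity"] in severities:
                vulns[v["VulnerabilityID"]] = v
    return vulns


def compare_reports(before_json: str, after_json: str) -> dict:
    """Return resolved/remaining ids and which remaining ones have no upstream fix."""
    before = load_vulns(json.loads(before_json))
    after = load_vulns(json.loads(after_json))
    # An empty FixedVersion means no package update can clear the finding; only a
    # rebuilt base image or a vendor decision will change it.
    no_fix = sorted(k for k, v in after.items() if not v.get("FixedVersion"))
    return {
        "resolved": sorted(set(before) - set(after)),
        "remaining": sorted(after),
        "no_fix_available": no_fix,
        "remaining_by_severity": dict(Counter(v["Severity"] for v in after.values())),
    }


if __name__ == "__main__":
    for key, value in compare_reports(BEFORE_JSON, AFTER_JSON).items():
        print(f"{key}: {value}")
```

    Run it against real output from `trivy image --format json` on the original and rebuilt tags to see exactly what the rebuild bought you; anything listed under `no_fix_available` is not something the rebuild can address.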

  • Matthias Member Posts: 4

    Hello Judd,

    Thanks for your answer.

    Conclusion for me:

    If I use the community edition without support, I'll be up to date (solves critical vuln. = 208 - 188 = 30 vuln. solved incl. all crit) with my mentioned "docker build -t solace-pubsub-standard:20220531 .", without guarantee regarding functionality and without support.

    Regards,

    Matthias