Significant number of critical vulnerabilities reported in dependencies #273
Comments
thanks @slagelwa - I will see if there is any reason these dependencies were pinned and what we need to do to update them.
@slagelwa - any chance you could share the actual command line / configuration you are running with trivy? Will be helpful to check the problem is resolved.
Sorry, I must have missed the notice on this earlier. We're running trivy as part of our CI/CD and the security issues come up on a docker image that we're building for mintie. I can't get you the docker image at the moment, but this is the basic Dockerfile:
There are a couple of ways to run trivy against either the image or within a running container. The options we're using are essentially I also reproduced the following trivy report by starting with an official Ubuntu 22.04 container. I cloned the bpipe repo, built it (somewhat unsuccessfully I'm afraid as some unit tests failed), and then installed and ran trivy:
Running trivy against version 0.9.1 reports 25 critical vulnerabilities in dependent libraries used by bpipe.
For example:
Would it be possible to update com.fasterxml.jackson.core:jackson-databind and org.apache.tika:tika-core?
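As an added example (not code from the bpipe project or from anyone in this thread), here is a small Python triage script for the JSON report Trivy writes with `trivy image --format json --output report.json <image>`: it flattens the findings, counts those at or above a chosen severity per package, lists the fixed versions to aim for, and returns the pass/fail decision a CI step would act on. The report embedded in the script is constructed; its CVE ids and version strings are placeholders, and the field names follow Trivy's JSON schema as I understand it (`Results[].Vulnerabilities[]` with `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`), which is an assumption to check against your own report.

```python
"""Triage a Trivy JSON report: count findings per package, list fixed versions,
and decide whether a CI job should fail.  Added example, not bpipe's own code."""
import json
from collections import Counter

# Constructed sample in the shape of Trivy's JSON output (assumed schema).
# CVE ids and version strings are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {
            "Target": "Java",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-00001",
                 "PkgName": "com.fasterxml.jackson.core:jackson-databind",
                 "InstalledVersion": "0.0.1-placeholder",
                 "FixedVersion": "0.0.2-placeholder",
                 "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-00002",
                 "PkgName": "com.fasterxml.jackson.core:jackson-databind",
                 "InstalledVersion": "0.0.1-placeholder",
                 "FixedVersion": "0.0.2-placeholder",
                 "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-00003",
                 "PkgName": "org.apache.tika:tika-core",
                 "InstalledVersion": "0.0.1-placeholder",
                 "FixedVersion": "",          # no fix published yet
                 "Severity": "HIGH"},
            ],
        },
        # A clean target: Trivy omits "Vulnerabilities" or leaves it empty.
        {"Target": "ubuntu:22.04 (os packages)", "Vulnerabilities": []},
    ]
})

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def load_findings(report_text):
    """Flatten the nested report into a list of dicts.  "Results" can be null
    when nothing was scanned and "Vulnerabilities" can be missing for a clean
    target, so both are treated as empty rather than raising."""
    data = json.loads(report_text)
    findings = []
    for result in data.get("Results") or []:
        for v in result.get("Vulnerabilities") or []:
            findings.append({
                "id": v.get("VulnerabilityID", ""),
                "pkg": v.get("PkgName", ""),
                "installed": v.get("InstalledVersion", ""),
                # Trivy may list several fixed versions separated by commas
                # (one per release branch); keep them as a list.
                "fixed": [s.strip() for s in v.get("FixedVersion", "").split(",") if s.strip()],
                "severity": v.get("Severity", "UNKNOWN").upper(),
                "target": result.get("Target", ""),
            })
    return findings


def at_or_above(findings, min_severity):
    """Findings whose severity is at least min_severity (unknown ranks lowest)."""
    threshold = SEVERITY_RANK[min_severity]
    return [f for f in findings if SEVERITY_RANK.get(f["severity"], 0) >= threshold]


def count_by_package(findings, min_severity="CRITICAL"):
    """Number of findings per package at or above the threshold."""
    return dict(Counter(f["pkg"] for f in at_or_above(findings, min_severity)))


def upgrade_plan(findings, min_severity="CRITICAL"):
    """Packages that need bumping, mapped to the fixed versions Trivy reports.
    Packages with no fixed version are left out: bumping cannot help them yet."""
    plan = {}
    for f in at_or_above(findings, min_severity):
        if f["fixed"]:
            plan.setdefault(f["pkg"], set()).update(f["fixed"])
    return {pkg: sorted(versions) for pkg, versions in plan.items()}


def fail_build(findings, min_severity="CRITICAL", ignore_unfixed=False):
    """CI gate: True if any finding at or above the threshold remains.
    ignore_unfixed mirrors Trivy's --ignore-unfixed, so a build is not blocked
    on a finding nobody can act on yet."""
    relevant = at_or_above(findings, min_severity)
    if ignore_unfixed:
        relevant = [f for f in relevant if f["fixed"]]
    return len(relevant) > 0


if __name__ == "__main__":
    fs = load_findings(SAMPLE_REPORT)
    print("critical per package:", count_by_package(fs))
    print("upgrade plan (HIGH+):", upgrade_plan(fs, "HIGH"))
    print("fail build:", fail_build(fs))
```

Trivy's own `--severity CRITICAL` and `--exit-code 1` flags give the same pass/fail gating from the CLI; the script is for the step after that, when you want the per-package breakdown and the fixed versions in one place to decide which pinned dependencies (here jackson-databind and tika-core) to bump first.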