We are using the provided Alfresco Enterprise containers to deploy Alfresco in the Azure Kubernetes Cluster.
In terms of container security we are using Trivy to scan the images for vulnerabilities.
We have used Trivy to scan the ACS image in version 7.0.1 with the following command:
trivy -d quay.io/alfresco/alfresco-content-repository:7.0.1
The result is:
quay.io/alfresco/alfresco-content-repository:7.0.1 (centos 8.4.2105)
====================================================================
Total: 337 (UNKNOWN: 0, LOW: 139, MEDIUM: 178, HIGH: 16, CRITICAL: 4)
Even the new Alfresco Content repository 7.1.0 image has several known security issues, even more than the older version.
quay.io/alfresco/alfresco-content-repository:7.1.0 (centos 7.9.2009)
====================================================================
Total: 810 (UNKNOWN: 0, LOW: 410, MEDIUM: 389, HIGH: 9, CRITICAL: 2)
Fun fact: for the newer version of ACS there is an OS downgrade to CentOS 7.9 (instead of CentOS 8.4 in acs-7.0.1), so that would explain the higher number of issues.
For me these results are not acceptable, as we need to deploy a Docker container of an Enterprise software on a customer platform with high and critical issues.
@angelborroy: Do you know more about the process behind Docker container updates and fixing security issues? Do you already scan your Docker images for security issues? Do you know where to submit these issues: in the GitHub project https://github.com/Alfresco/acs-packaging/ or as a support ticket?
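Since the question is how to act on these counts, here is an added example (not part of the original post or of Alfresco's tooling) that reads a Trivy JSON report and gates the image: HIGH/CRITICAL findings that the distro already has a fix for fail the gate outright, while unfixed ones are counted against a configurable allowance. It assumes Trivy's JSON layout (Results[].Vulnerabilities[] with Severity and FixedVersion); the report embedded below is constructed, with placeholder ids and packages.

```python
"""Gate a container image on a Trivy JSON report.

Assumes the report layout of `trivy image --format json <image>`:
Results[].Vulnerabilities[] entries carrying Severity and FixedVersion.
"""
import json
from collections import Counter

SEVERITIES = ("UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL")

# Constructed sample report; ids, packages and image name are placeholders.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "example.invalid/alfresco-content-repository:X.Y.Z",
    "Results": [{
        "Target": "example.invalid/alfresco-content-repository:X.Y.Z (centos 7.9.2009)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-PLACEHOLDER-1", "PkgName": "libfoo",
             "InstalledVersion": "1.0-1.el7", "FixedVersion": "1.0-2.el7", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-PLACEHOLDER-2", "PkgName": "libbar",
             "InstalledVersion": "2.3-4.el7", "FixedVersion": "", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-PLACEHOLDER-3", "PkgName": "libbaz",
             "InstalledVersion": "0.9", "FixedVersion": "", "Severity": "LOW"},
        ],
    }],
})


def summarize(report_json):
    """Count findings per severity and list HIGH/CRITICAL ones with a fix available."""
    report = json.loads(report_json)
    counts = Counter({s: 0 for s in SEVERITIES})
    fixable = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:   # key is absent or null when clean
            sev = v.get("Severity", "UNKNOWN")
            counts[sev] += 1
            if sev in ("HIGH", "CRITICAL") and v.get("FixedVersion"):
                fixable.append((v["VulnerabilityID"], v["PkgName"],
                                v["InstalledVersion"], v["FixedVersion"]))
    return counts, fixable


def gate(report_json, max_unfixed_high=0):
    """Policy: any fixable HIGH/CRITICAL fails (rebuild with updated packages);
    unfixed HIGH/CRITICAL are tolerated up to max_unfixed_high, pending vendor action."""
    counts, fixable = summarize(report_json)
    total = sum(counts.values())
    unfixed_hc = counts["HIGH"] + counts["CRITICAL"] - len(fixable)
    passed = not fixable and unfixed_hc <= max_unfixed_high
    summary = "Total: %d (%s)" % (total, ", ".join("%s: %d" % (s, counts[s]) for s in SEVERITIES))
    return passed, summary, fixable, unfixed_hc
```

The returned `fixable` list is the concrete evidence to attach to an issue or support case: package, installed version and the version that closes the finding.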
Great @jego
I'll follow this case.
Since we are using different vulnerability tools, I guess we should identify those reports from Trivy.
Additionally, the move from CentOS 8 to CentOS 7 was related to the CentOS 8 EOL in December 2021:
https://www.centos.org/centos-linux-eol/
In general, you can open issue here: https://github.com/Alfresco/acs-packaging/
@amanda_roberts or @angelborroy may be able to direct you to the correct channel to open the ticket with support and follow-ups.
Thanks for the detailed report, Jens.
We are using different tools in order to identify vulnerabilities in our Docker Images. This process is proactively used for every release, but there may be something we're missing.
Let me verify the impact of the vulnerabilities identified by Trivy and I'll be back with additional information.
I have also created a support case; the number is 00556732. Maybe you can have a look into it, because there are already some answers from Scott.
Thx