Nuxeo Platform / NXP-32394

Security Improvements


    Details

    • Type: Epic
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: Docker Image, Security

      Description

      Following the requests from Hyland Cloud/Security and our on-premise customers regarding security issues and CVEs, we want to improve our processes so that fixes and scans are handled more proactively.

      For the LTS 2023, we want to:

      • Fix the current High vulnerabilities
      • Fix the current Medium vulnerabilities (required by our FedRAMP customers)
      • Tighten the Grype Docker scan threshold to "medium" (fail the build on any Medium or higher finding) to make sure no Medium vulnerability ships in our delivered Docker image.

      To help us fix most of the Docker image CVEs still open, we may want to study moving to Oracle Linux 9 instead of Rocky Linux 9. See SUPINT-2347 for Grype reports comparing the current Rocky Linux 9 base image with Oracle Linux 9.

      Currently, we Grype-scan a bare Nuxeo Docker image, with no Nuxeo packages installed. To improve the security of all our deliverables, we also want to Grype-scan a Docker image with all potential Nuxeo packages installed, to make sure our packages do not bring in vulnerable dependencies.
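      As an added example (not Nuxeo's own tooling and not code from this issue), the following Python script shows the two checks the description asks for: gating a Grype JSON report on a severity threshold, mirroring what `grype --fail-on medium` does, and diffing two reports to see which CVEs a base-image switch (Rocky Linux 9 to Oracle Linux 9) would remove or introduce. It assumes the Grype JSON layout (`matches[].vulnerability.{id,severity,fix.state}` and `matches[].artifact.{name,version}`); the two embedded reports are constructed, with placeholder `CVE-0000-*` ids and package names, not real scan output.

```python
"""Gate a Grype JSON report on a severity threshold and diff two reports.

Added example, not Nuxeo's own tooling. Assumes the Grype JSON layout
(matches[].vulnerability.{id,severity,fix.state}, matches[].artifact.{name,version}).
The reports at the bottom are constructed for illustration with placeholder CVE ids.
"""
import json

# Grype severity scale, lowest to highest. "Unknown" is ranked above Critical so
# that a finding with no score never slips under the gate.
SEVERITY_ORDER = ["Negligible", "Low", "Medium", "High", "Critical", "Unknown"]


def severity_rank(severity):
    """Numeric rank of a severity string; unrecognised or missing values count as Unknown."""
    sev = (severity or "Unknown").capitalize()
    if sev not in SEVERITY_ORDER:
        sev = "Unknown"
    return SEVERITY_ORDER.index(sev)


def load_report(path):
    """Parse a report written with `grype <image> -o json > report.json`."""
    with open(path) as fh:
        return json.load(fh)


def findings(report):
    """Flatten a report into (cve, package, version, severity, fix_state) tuples."""
    rows = []
    for match in report.get("matches", []):
        vuln = match["vulnerability"]
        artifact = match["artifact"]
        rows.append((vuln["id"], artifact["name"], artifact["version"],
                     vuln.get("severity", "Unknown"),
                     vuln.get("fix", {}).get("state", "unknown")))
    return rows


def gate(report, fail_on="medium", only_fixed=False):
    """Return the findings at or above `fail_on`, like `grype --fail-on <severity>`.

    An empty list means the image passes the gate. With only_fixed=True, findings
    the distribution has not fixed yet are left out of the blocking set, so a CI
    job can block on actionable CVEs while tracking the rest separately.
    """
    threshold = severity_rank(fail_on)
    blocking = [row for row in findings(report)
                if severity_rank(row[3]) >= threshold
                and (not only_fixed or row[4] == "fixed")]
    return sorted(blocking)


def diff_reports(base_report, candidate_report):
    """Compare two scans, e.g. the Rocky Linux 9 image against an Oracle Linux 9 build.

    Returns (removed, introduced): CVE ids present only in the base report and
    CVE ids present only in the candidate. Keyed on CVE id because package
    names and versions differ between distributions.
    """
    base = {row[0] for row in findings(base_report)}
    cand = {row[0] for row in findings(candidate_report)}
    return base - cand, cand - base


def _match(cve, pkg, version, severity, state):
    """Build one constructed Grype match record (same shape as real output)."""
    return {"vulnerability": {"id": cve, "severity": severity, "fix": {"state": state}},
            "artifact": {"name": pkg, "version": version}}


# Constructed sample reports (placeholder ids and package names, not real CVEs).
ROCKY_REPORT = {"matches": [
    _match("CVE-0000-0001", "libfoo", "1.0-1", "High", "fixed"),
    _match("CVE-0000-0002", "libbar", "2.3-4", "Medium", "not-fixed"),
    _match("CVE-0000-0003", "libbaz", "0.9-1", "Low", "fixed"),
]}
ORACLE_REPORT = {"matches": [
    _match("CVE-0000-0002", "libbar", "2.3-5", "Medium", "fixed"),
    _match("CVE-0000-0004", "libqux", "1.1-1", "Medium", "wont-fix"),
]}

if __name__ == "__main__":
    for name, report in (("rocky", ROCKY_REPORT), ("oracle", ORACLE_REPORT)):
        blocking = gate(report, "medium")
        print(f"{name}: {'FAIL' if blocking else 'PASS'} at medium, {len(blocking)} blocking")
        for row in blocking:
            print("   ", *row)
    removed, introduced = diff_reports(ROCKY_REPORT, ORACLE_REPORT)
    print("switch removes:", sorted(removed), "introduces:", sorted(introduced))
```

      To apply it to real output, run `grype <image> -o json > report.json` once for the bare image and once for an image with the Nuxeo packages installed, then pass the parsed files to gate() and diff_reports(); the second scan is what catches packages that pull in vulnerable dependencies the bare image never shows.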

            People

            • Assignee: Unassigned
            • Reporter: troger Thomas Roger