cbl-mariner/distroless image is not getting patches at the same time as cbl-mariner/base/core
Hi, my company started using cbl-mariner/distroless images for building our Java applications, but we are currently seeing more vulnerabilities than with cbl-mariner/base/core. This is from our Aqua scans:
Images built 3/5/2024:
cbl-mariner/base/core = 0 vulnerabilities
cbl-mariner/distroless = 9 High, 17 Medium
It looks like the cbl-mariner/distroless base image is not using the latest mariner-base OS when building. Is it possible for you to schedule the distroless build after all of the base/core images have finished building? It seems that all the Mariner builds are running at the same time.
Thanks.
Hi @georgenuesca
Thank you for bringing this to our attention. Upon verification, I can confirm that our latest distroless/base image and base/core are indeed published with the latest packages. However, it's possible that the vulnerabilities you're encountering stem from additional packages installed beyond our image. Could you provide details on these packages that contain CVEs for further investigation?
Also, would you be able to share more about your Dockerfile steps? Please feel free to mask any sensitive data that you don't want to share.
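One way to answer the question raised above (is the extra finding count coming from an older base layer, or from packages installed on top of it?) is to diff the package inventories of the two images before opening a ticket. The script below is an added example for this thread, not code from the CBL-Mariner project or from either participant. It assumes each image's inventory has been exported to a simple "name version-release" line format (for base/core, `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'` produces this; distroless has no rpm binary, so its list would come from your scanner's package output). The two inventories embedded below are constructed sample data, not real image contents, and the package names in them are illustrative. The version comparison follows librpm's segment rules but omits the tilde and caret special cases.

```python
"""Diff two container-image package inventories.

Reports packages that are older in the second image than in the first (a
stale base layer) and packages that exist only in the second image (installed
on top of the base, so their CVEs are not the base image's problem).
"""
import re
from typing import Dict, Tuple

# A version string is compared segment by segment: runs of digits and runs of
# letters, with separators ignored (this is how librpm's rpmvercmp works).
SEGMENT = re.compile(r"[0-9]+|[a-zA-Z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 like librpm's rpmvercmp (tilde/caret not handled).

    Numeric segments compare numerically, alpha segments lexically, and a
    numeric segment is considered newer than an alpha segment. If all common
    segments match, the string with segments left over is newer.
    """
    sa, sb = SEGMENT.findall(a), SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return (xi > yi) - (xi < yi)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def split_evr(evr: str) -> Tuple[str, str]:
    """Split 'version-release' on the last dash; release defaults to '0'."""
    if "-" not in evr:
        return evr, "0"
    version, release = evr.rsplit("-", 1)
    return version, release


def compare_evr(a: str, b: str) -> int:
    """Compare two 'version-release' strings: version first, then release."""
    va, ra = split_evr(a)
    vb, rb = split_evr(b)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse 'name version-release' lines; blank lines and '#' comments skipped."""
    pkgs: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, evr = line.split(None, 1)
        pkgs[name] = evr.strip()
    return pkgs


def compare_images(base: Dict[str, str], derived: Dict[str, str]):
    """Return (stale, extra).

    stale: {name: (derived_evr, base_evr)} for packages older in `derived`.
    extra: {name: evr} for packages present only in `derived`.
    """
    stale: Dict[str, Tuple[str, str]] = {}
    extra: Dict[str, str] = {}
    for name, evr in derived.items():
        if name not in base:
            extra[name] = evr
        elif compare_evr(evr, base[name]) < 0:
            stale[name] = (evr, base[name])
    return stale, extra


# Constructed sample inventories (not real cbl-mariner image contents).
CORE_MANIFEST = """
# base/core, constructed sample
glibc 2.35-5.cm2
openssl 1.1.1k-26.cm2
curl 8.4.0-1.cm2
zlib 1.2.13-1.cm2
"""

DISTROLESS_MANIFEST = """
# distroless image after the application was layered on, constructed sample
glibc 2.35-5.cm2
openssl 1.1.1k-24.cm2
zlib 1.2.13-1.cm2
jdk-runtime 17.0.10-1
"""


def report() -> Tuple[Dict[str, Tuple[str, str]], Dict[str, str]]:
    """Run the comparison on the sample data and return both result sets."""
    return compare_images(parse_manifest(CORE_MANIFEST),
                          parse_manifest(DISTROLESS_MANIFEST))


if __name__ == "__main__":
    stale, extra = report()
    for name, (old, new) in sorted(stale.items()):
        print(f"STALE  {name}: {old} (base/core has {new})")
    for name, evr in sorted(extra.items()):
        print(f"EXTRA  {name}: {evr} (not in base/core)")
```

Findings attributed to packages in the "extra" set are the ones the maintainer's reply is asking about, since they came from your own Dockerfile steps rather than the published base image; findings in "stale" packages would support the original report of a lagging base layer.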
Let me run the scans again and share the CVEs
@georgenuesca it's been a while since we heard from you. I'll close this bug for now; feel free to re-open when you are ready or if you still need our assistance.