Currently, my company wants to ensure that everything is secure, and now I'm doing some tests to verify that our Docker containers achieve this.
My first concern came after I realized that, after running docker scan ...
(which uses Snyk), a Critical vulnerability was found regarding curl (curl/libcurl4@7.74.0-1.3).
The obvious fix to this was to add to the Dockerfile some scripting to delete that version and then do a manual update using the latest curl release. Problem fixed, right? It appears that it isn't ...
After doing a second scan with the updated Docker image, the same outdated versions keep appearing, and this is very strange, because we should see the new curl version, no?
So my specific doubt here is:
Q - No matter what we do, do we always carry the dependencies that came in with the (pre-built) Docker image?
This is the base image that I'm using: php:8.0-apache
Any help would be appreciated.
Thanks,
When you update the image by adding the instructions with the update, as you mentioned (assuming the latest release of curl addressed that issue), Snyk should reflect the changes.
I'd suggest logging a support ticket for further technical investigation.
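One thing worth checking before opening a ticket: the identifier in the finding, curl/libcurl4@7.74.0-1.3, is the version recorded in the image's Debian package database (/var/lib/dpkg/status), which is what docker scan / Snyk reads to identify OS packages. Compiling a newer curl from a tarball puts new binaries under /usr/local but leaves that dpkg record untouched, so the scan keeps reporting the old package; upgrading the .deb itself (apt-get install --only-upgrade) updates the record. Note also that Debian ships security fixes as revisions of the same upstream version (7.74.0-1.3+deb11uN), so the revision is what to compare, not the 7.74.0 part. The script below is an added example for this thread, not code from the poster, Snyk or Docker: it reads a status file dumped from an image and reports whether the recorded version is at or above a minimum. The sample status content it writes is constructed, and IMAGE, MIN_VERSION and the file name check_curl.sh are placeholders.

```shell
#!/bin/sh
# Added example for this thread (not code from the original poster or from Snyk).
# docker scan / Snyk identifies OS packages from the image's dpkg database
# (/var/lib/dpkg/status). A source build of curl leaves the libcurl4 7.74.0-1.3
# record in that file, so the scan result does not change; upgrading the .deb
# does. This script reads a status file dumped from an image and checks the
# recorded version of a package.
set -eu

# Print the dpkg-recorded Version of package $2 from status file $1.
# Prints nothing and returns 1 when the package has no "installed" stanza.
dpkg_status_version() {
    awk -v pkg="$2" '
        function flush() { if (name == pkg && installed && ver != "") { print ver; found = 1 } }
        /^Package: /  { flush(); if (found) exit; name = $2; ver = ""; installed = 0 }
        /^Version: /  { ver = $2 }
        /^Status: /   { installed = ($0 ~ / installed$/) }
        END           { if (!found) flush(); exit (found ? 0 : 1) }
    ' "$1"
}

# Compare two Debian-style versions by their numeric components, so that
# 7.74.0-1.3+deb11u7 > 7.74.0-1.3 (the Debian security revision counts).
# This is a simplification of dpkg ordering (no epochs, "~" or letter rules);
# inside a container prefer: dpkg --compare-versions "$1" ge "$2"
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        gsub(/[^0-9]+/, " ", a); gsub(/[^0-9]+/, " ", b)
        na = split(a, pa, " "); nb = split(b, pb, " ")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? pa[i] + 0 : 0
            y = (i <= nb) ? pb[i] + 0 : 0
            if (x != y) exit ((x > y) ? 0 : 1)
        }
        exit 0
    }'
}

# Check that package $2 recorded in status file $1 is at least version $3.
# Returns 0 if the scanner will see the fixed package, 1 otherwise.
check_package_fixed() {
    ver=$(dpkg_status_version "$1" "$2") || {
        echo "$2: no installed record in dpkg status" >&2
        return 1
    }
    if version_ge "$ver" "$3"; then
        echo "$2 $ver >= $3: dpkg record updated, scan should see the fix"
        return 0
    fi
    echo "$2 $ver < $3: dpkg still records the old package, scan will keep flagging it" >&2
    return 1
}

# Write a constructed /var/lib/dpkg/status fragment (sample data, not dumped
# from a real image) recording curl and libcurl4 at version $2 into file $1.
write_sample_status() {
    cat > "$1" <<EOF
Package: curl
Status: install ok installed
Version: $2
Architecture: amd64

Package: libcurl4
Status: install ok installed
Version: $2
Architecture: amd64
Depends: libc6 (>= 2.17)
EOF
}

# Usage against a real image (needs docker; IMAGE and MIN_VERSION are placeholders):
#   docker run --rm IMAGE cat /var/lib/dpkg/status > status.txt
#   ./check_curl.sh status.txt libcurl4 MIN_VERSION
# The Dockerfile change that does update the record is an apt upgrade of the
# package rather than a source build, e.g. (added here, not the poster's file):
#   FROM php:8.0-apache
#   RUN apt-get update && apt-get install -y --only-upgrade curl libcurl4 \
#       && rm -rf /var/lib/apt/lists/*
if [ "$#" -eq 3 ]; then
    check_package_fixed "$1" "$2" "$3"
fi
```

If the status file still shows 7.74.0-1.3 after your rebuild, the scanner is reporting correctly and the fix never reached the package database; if it shows a newer Debian revision and the finding persists, that is the point at which a support ticket makes sense.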