-
Hello @DavoBR,
I've cleaned your upload, as I'm not a fan of XLSX files in the wild. Could you instead put a text variant directly in your post?
Here's the list of current dependencies: https://github.com/gotenberg/gotenberg/blob/main/build/Dockerfile
I feel like people are complaining about this more and more, mostly because of automation. They don't like their tool telling them "hey, I found these CVEs", so they come here saying "plz fix" but without an actual plan. Most of the time, those CVEs are on upstream dependencies, so even if I trigger a rebuild of the Gotenberg image, if there is no fix upstream, it's useless. I could work on an alternative solution as described here #676, but I don't have the time currently to work on it.
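As an added example, not code from the Gotenberg project or from any participant in this thread: the reply above makes the point that a rebuild only helps when the distro or upstream has already shipped a fixed package. The script below applies that rule to scanner output, splitting findings into "a rebuild pulls in the fix" and "no fix available yet", and listing the package versions a rebuild would pick up. The CSV layout, column names, package names and the CVE-EXAMPLE identifiers are constructed placeholders, not real scan data; real scanners (Trivy, Grype, CloudGuard) export similar columns, but you will need to map their headers onto these.

```python
import csv
import io
from collections import Counter

# Constructed sample export (placeholder IDs and packages, not real CVEs or a
# real scan). Columns: finding id, vulnerable package, version installed in the
# image, version that fixes it (empty when no fix has been shipped), severity,
# and origin: "debian" for the base image, "component" for something the
# Dockerfile installs on top of it (Chromium, LibreOffice, ...).
SAMPLE_SCAN_CSV = """\
id,package,installed,fixed,severity,origin
CVE-EXAMPLE-0001,libexample-a,1.2.0-1,1.2.0-2,HIGH,debian
CVE-EXAMPLE-0002,libexample-b,3.0.1-4,,MEDIUM,debian
CVE-EXAMPLE-0003,chromium,120.0.1,121.0.0,CRITICAL,component
CVE-EXAMPLE-0004,libreoffice,7.4.0,,LOW,component
CVE-EXAMPLE-0005,libexample-a,1.2.0-1,,HIGH,debian
CVE-EXAMPLE-0006,libexample-c,0.9.8,0.9.9,LOW,debian
"""

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "UNKNOWN": 0}


def load_findings(csv_text):
    """Parse scanner CSV text into a list of dicts with normalised fields."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for row in rows:
        row["severity"] = (row.get("severity") or "UNKNOWN").strip().upper()
        row["fixed"] = (row.get("fixed") or "").strip()
    return rows


def triage(findings, min_severity="LOW"):
    """Split findings into what a rebuild can fix and what has no fix yet.

    A finding is actionable only when the scanner reports a fixed version:
    rebuilding the image pulls that version in. Findings without a fixed
    version cannot be closed by rebuilding; they wait on an upstream fix,
    a different base image, or an explicit risk acceptance.
    """
    threshold = SEVERITY_RANK[min_severity.upper()]
    actionable, unfixed = [], []
    for f in findings:
        if SEVERITY_RANK.get(f["severity"], 0) < threshold:
            continue
        (actionable if f["fixed"] else unfixed).append(f)
    return {"rebuild_fixes": actionable, "no_upstream_fix": unfixed}


def summarize(buckets):
    """Count findings per bucket by (origin, severity) for a quick report."""
    return {
        name: Counter((f["origin"], f["severity"]) for f in rows)
        for name, rows in buckets.items()
    }


def packages_to_bump(buckets):
    """Distinct (package, fixed version) pairs a rebuild would pick up."""
    return sorted({(f["package"], f["fixed"]) for f in buckets["rebuild_fixes"]})


if __name__ == "__main__":
    buckets = triage(load_findings(SAMPLE_SCAN_CSV), min_severity="LOW")
    for name, counts in summarize(buckets).items():
        print(name)
        for (origin, sev), n in sorted(counts.items()):
            print(f"  {origin:<10} {sev:<9} {n}")
    print("rebuild would pick up:")
    for pkg, ver in packages_to_bump(buckets):
        print(f"  {pkg} -> {ver}")
```

Running it with the sample data shows three findings a rebuild closes and three it cannot touch, two of them in the Debian base image. That second list is the one worth raising with the maintainer; the first resolves itself on the next rebuild, so a "please fix" for those adds nothing.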
-
Sure, I have already edited the main post by adding a CSV version.
I agree with you. My reason for starting this discussion is to find out if anyone else has attempted to address the CVEs or if there is a plan to remediate them. Most of the observations presented in the analysis refer to libraries in the Debian image. There are others that can be fixed by updating the components you use, such as Java, LibreOffice, Chromium, etc. However, considering the possibility of using a distro with fewer vulnerabilities could be helpful. I have already started doing some tests using Alpine and the LibreOffice package. I am currently studying your unoconv scripts. I don't have much time to dedicate to this either, but we'll see how it goes and I'll share my results.
-
Hello everyone,
I would like to open a discussion on the possibility of using Alpine as a base image instead of debian:12-slim.
I have noticed that the debian:12-slim image has some known CVE vulnerabilities, and I am concerned about the security of the tool. Alpine is a smaller and more secure base image that could be a viable alternative.
To contribute to this discussion:
Gotenberg8_CloudGuardResults.csv
I would like to know if anyone has tried using Alpine or has any opinions on its viability as a base image.
I would also like to hear the community's thoughts on the overall security of the tool and whether there are any other measures that could be taken to improve it.
I appreciate your comments and feedback on this topic.