I have built a Docker file using the Ignition Docker image 8.1.25. When I initiate the build and deploy process with our organization, it gets scanned for vulnerabilities, and if it has a critical vulnerability then it won't allow it to be deployed to our production environment.
In this case, it shows that it has a critical vulnerability on
usr/local/bin/ignition/lib/core/client@* › xalan:email@example.com
and the fix to be:
Upgrade to xalan:firstname.lastname@example.org
Is there an Ignition Docker image that has this fix? If not, how can I upgrade this?
This is from NVD - CVE-2022-34169, and we've got an active ticket to mitigate this one.
Is there a timetable on this?
It's in a backlog right now, but I'll add this forum post to the ticket which will bump the customer count / priority a little.
edit: oops, KC already did that.
You can probably build yourself a custom Docker image based on the 8.1.28 (or 8.1.25 if you're gonna stay there) where you either replace the JAR file with the newer one or just remove it altogether.
We've scheduled it for removal, along with a batch of upgrades to other libraries affected by various CVEs.
I am going to test 8.1.28, but it's not going to affect anything if I just remove the jar file?
Maybe, maybe not
The bulk of the work for the ticket to remove it is to find that out. We don't think so... but...
What is or was the purpose of that jar file?
Provides an XML/XSLT implementation that should be baked into the JDK now. It's an artifact from long ago.