Security Vulnerabilities in older images

[pbolduc]

We are using image docker.io/bcgovimages/common-object-management-service:0.4. The platform team has reported a number, including one critical. Would it be possible to create a new release that rebuilds the image with non-vulnerable/less vulnerable versions of these dependencies and create page image tag?

Ideally we would upgrade to newer versions but due to changes in the API the effort would be more than just upgrading the image.

[TimCsaky]

Hi Phil. I suppose it would involve:
1- checking out the COMS repo when we did release 4.0 (commit c6f441f7ba811134f2bee1170578713df0adf450)
2- resolving NPM package vulnerabilities by doing package updates (hopefully without breaking changes)
3- building a new image and pushing it to bcgovimages Dockerhub.

When I run npm audit of version 4.0 I see: 22 vulnerabilities (2 low, 10 moderate, 9 high, 1 critical)
After doing npm audit fix is see: 4 high severity vulnerabilities
So that's some quick improvement.
I suspect the remaining vulnerabilities would require potentially breaking changes.. and some testing.

I'll have to suggest the idea to my team and get back to you.

[TimCsaky]

@pbolduc
Hi Phil.
I've attempted to provide an updated image for version 0.4.3 of COMS.
https://hub.docker.com/layers/bcgovimages/common-object-management-service/0.4.3/images/sha256-522df97679e13f965fb69eec6b0329ba13f8515e74d6d8836c23948885947c8d?context=explore
But PLEASE TEST IT FIRST.

code changes:
c6f441f...564c5d6

[pbolduc]

Great, I will give this a test this week. I will get a task in our backlog to upgrade to the newer versions. Being stuck on the older one is not a good position to be in.

[TimCsaky]

Hey Phil. just a heads-up.
bcgov are retiring the bcgovimages DockerHub account.. so we are currently unable to provide a docker image for COMS on dockerHub. The alternative is to find the image via our ghcr.io package or in the Artifactory cache:
artifacts.developer.gov.bc.ca/github-docker-remote