A security scan of the image originally built from CentOS 8.3.2011, Apache Tomcat 8.5.61 and Oracle JDK 1.8.0_271 (tomcat8.5.61:v1.0) flagged high-severity vulnerabilities in its components (as shown in the figure below).
Download the latest rpm packages for the affected components, then rebuild the image as tomcat8.5.61:v1.1 with a Dockerfile. The process is recorded below:
# docker build -t tomcat8.5.61:v1.1 .
Sending build context to Docker daemon 2.573MB
Step 1/6 : FROM tomcat8.5.61:v1.0
---> ef56dcd898b4
Step 2/6 : MAINTAINER cnskylee from (cnskylee@)
---> Running in 2b3e6c9cef0d
Removing intermediate container 2b3e6c9cef0d
---> 639ab62b8e8b
Step 3/6 : ADD openssl-libs-1.1.1g-12.el8_3.x86_64.rpm /
---> 7624f4f7241e
Step 4/6 : ADD gnutls-3.6.14-7.el8_3.x86_64.rpm /
---> 3399af28614a
Step 5/6 : RUN yum install openssl-libs-1.1.1g-12.el8_3.x86_64.rpm -y
---> Running in 83a75db7cf6f
CentOS Linux 8 - AppStream 749 kB/s | 6.3 MB 00:08
CentOS Linux 8 - BaseOS 505 kB/s | 2.3 MB 00:04
CentOS Linux 8 - Extras 6.6 kB/s | 8.6 kB 00:01
Dependencies resolved.
================================================================================
Package Arch Version Repository Size
================================================================================
Upgrading:
openssl-libs x86_64 1:1.1.1g-12.el8_3 @commandline 1.5 M
Installing dependencies:
openssl x86_64 1:1.1.1g-12.el8_3 baseos 707 k
Installing weak dependencies:
openssl-pkcs11 x86_64 0.4.10-2.el8 baseos 66 k
Transaction Summary
================================================================================
Install 2 Packages
Upgrade 1 Package
Total size: 2.2 M
Total download size: 773 k
Downloading Packages:
(1/2): openssl-pkcs11-0.4.10-2.el8.x86_64.rpm 52 kB/s | 66 kB 00:01
(2/2): openssl-1.1.1g-12.el8_3.x86_64.rpm 75 kB/s | 707 kB 00:09
--------------------------------------------------------------------------------
Total 75 kB/s | 773 kB 00:10
warning: /var/cache/dnf/baseos-f6a80ba95cf937f2/packages/openssl-1.1.1g-12.el8_3.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 8483c65d: NOKEY
CentOS Linux 8 - BaseOS 183 kB/s | 1.6 kB 00:00
Importing GPG key 0x8483C65D:
Userid : "CentOS (CentOS Official Signing Key) <security@>"
Fingerprint: 99DB 70FA E1D7 CE22 7FB6 4882 05B5 55B3 8483 C65D
From : /etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
Key imported successfully
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Upgrading : openssl-libs-1:1.1.1g-12.el8_3.x86_64 1/4
Running scriptlet: openssl-libs-1:1.1.1g-12.el8_3.x86_64 1/4
Installing : openssl-1:1.1.1g-12.el8_3.x86_64 2/4
Installing : openssl-pkcs11-0.4.10-2.el8.x86_64 3/4
Cleanup : openssl-libs-1:1.1.1g-11.el8.x86_64 4/4
Running scriptlet: openssl-libs-1:1.1.1g-11.el8.x86_64 4/4
Verifying : openssl-1:1.1.1g-12.el8_3.x86_64 1/4
Verifying : openssl-pkcs11-0.4.10-2.el8.x86_64 2/4
Verifying : openssl-libs-1:1.1.1g-12.el8_3.x86_64 3/4
Verifying : openssl-libs-1:1.1.1g-11.el8.x86_64 4/4
Upgraded:
openssl-libs-1:1.1.1g-12.el8_3.x86_64
Installed:
openssl-1:1.1.1g-12.el8_3.x86_64 openssl-pkcs11-0.4.10-2.el8.x86_64
Complete!
Removing intermediate container 83a75db7cf6f
---> 7fab26694ced
Step 6/6 : RUN yum install gnutls-3.6.14-7.el8_3.x86_64.rpm -y
---> Running in 438aa7f078a9
Last metadata expiration check: 0:00:15 ago on Thu Jan 14 07:03:07 2021.
Dependencies resolved.
================================================================================
Package Architecture Version Repository Size
================================================================================
Upgrading:
gnutls x86_64 3.6.14-7.el8_3 @commandline 1.0 M
Installing dependencies:
trousers-lib x86_64 0.3.14-4.el8 baseos 169 k
Installing weak dependencies:
trousers x86_64 0.3.14-4.el8 baseos 153 k
Transaction Summary
================================================================================
Install 2 Packages
Upgrade 1 Package
Total size: 1.3 M
Total download size: 322 k
Downloading Packages:
(1/2): trousers-lib-0.3.14-4.el8.x86_64.rpm 135 kB/s | 169 kB 00:01
(2/2): trousers-0.3.14-4.el8.x86_64.rpm 14 kB/s | 153 kB 00:11
--------------------------------------------------------------------------------
Total 23 kB/s | 322 kB 00:14
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Installing : trousers-lib-0.3.14-4.el8.x86_64 1/4
Running scriptlet: trousers-lib-0.3.14-4.el8.x86_64 1/4
Running scriptlet: trousers-0.3.14-4.el8.x86_64 2/4
Installing : trousers-0.3.14-4.el8.x86_64 2/4
Running scriptlet: trousers-0.3.14-4.el8.x86_64 2/4
Upgrading : gnutls-3.6.14-7.el8_3.x86_64 3/4
Cleanup : gnutls-3.6.14-6.el8.x86_64 4/4
Running scriptlet: gnutls-3.6.14-6.el8.x86_64 4/4
Verifying : trousers-0.3.14-4.el8.x86_64 1/4
Verifying : trousers-lib-0.3.14-4.el8.x86_64 2/4
Verifying : gnutls-3.6.14-7.el8_3.x86_64 3/4
Verifying : gnutls-3.6.14-6.el8.x86_64 4/4
Upgraded:
gnutls-3.6.14-7.el8_3.x86_64
Installed:
trousers-0.3.14-4.el8.x86_64 trousers-lib-0.3.14-4.el8.x86_64
Complete!
Removing intermediate container 438aa7f078a9
---> 1aee80f787ed
Successfully built 1aee80f787ed
Successfully tagged tomcat8.5.61:v1.1
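Before pushing the rebuilt image, a check like the following confirms that the container really carries the patched openssl-libs and gnutls builds recorded in the log above. This is an added example, not part of the original post; it assumes docker is available on the host, rpm is available inside the image, and the required version-release strings are those of the two rpm files ADDed in the build.

```shell
#!/bin/sh
# Added example (not from the original post): before pushing the rebuilt image,
# confirm it really carries the patched openssl-libs and gnutls builds.
# Assumes: image name and fixed version-release values from the build log above.

# Minimum "version-release" per package, from the two rpm files ADDed in the build.
REQUIRED='openssl-libs 1.1.1g-12.el8_3
gnutls 3.6.14-7.el8_3'

# vr_ge INSTALLED REQUIRED: true if INSTALLED >= REQUIRED. Segment-wise compare,
# numeric where both sides are digits, else lexical (simplified rpmvercmp).
vr_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, /[^A-Za-z0-9]+/); nb = split(b, y, /[^A-Za-z0-9]+/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = x[i]; q = y[i]
            if (p == q) continue
            if (p ~ /^[0-9]+$/ && q ~ /^[0-9]+$/) exit !(p + 0 >= q + 0)
            exit !(p "" > q "")
        }
        exit 0
    }'
}

# check_installed "NAME VERSION-RELEASE<newline>...": the format printed by the
# rpm query below. Prints a status per package; returns 1 if any is missing/old.
check_installed() {
    installed=$1; rc=0
    while read -r name min; do
        have=$(printf '%s\n' "$installed" | awk -v n="$name" '$1 == n { print $2; exit }')
        if [ -z "$have" ]; then
            echo "MISSING    $name"; rc=1
        elif vr_ge "$have" "$min"; then
            echo "OK         $name $have"
        else
            echo "VULNERABLE $name $have (need >= $min)"; rc=1
        fi
    done <<EOF
$REQUIRED
EOF
    return $rc
}

# check_image IMAGE: query the rpm database inside a throwaway container.
check_image() {
    check_installed "$(docker run --rm "$1" rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' openssl-libs gnutls)"
}

if [ $# -gt 0 ]; then check_image "$1"; fi  # usage: sh check_image.sh tomcat8.5.61:v1.1
```

The version comparison is a simplification of rpm's own rpmvercmp and is sufficient for the versions in this build; a non-zero exit from check_image should block the push.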
Push the newly built image to the registry and scan it again; the scan confirms that the vulnerabilities have been fixed.