Hi,
I'm using the image pimcore/pimcore:php8.2-latest for Pimcore environments, integrating it with the Trivy tool for vulnerability scanning.
The result: Total: 212 (HIGH: 203, CRITICAL: 9). The details report is attached in .txt format.
My main question is whether Pimcore is aware of those issues. Is there any plan to fix/improve them to reduce the risks? Please let me know.
If you want to reproduce, you can use the following content as a Dockerfile.
# Simple test container with Trivy security scanner
FROM pimcore/pimcore:php8.2-latest
# Switch to root to install packages
USER root
# Install Trivy security scanner
RUN apt-get update && \
    apt-get install -y wget apt-transport-https gnupg lsb-release && \
    wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor -o /usr/share/keyrings/trivy.gpg && \
    echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | tee /etc/apt/sources.list.d/trivy.list && \
    apt-get update && \
    apt-get install -y trivy && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/*
# Copy application code
COPY . /var/www/html
# Create Trivy cache directory and set ownership
RUN mkdir -p /var/www/.cache && \
chown -R www-data:www-data /var/www/html /var/www/.cache
# Switch back to www-data user
USER www-data
# Set environment variables for Trivy
ENV XDG_CACHE_HOME=/var/www/.cache
WORKDIR /var/www/html
# Exec container to run command
# trivy filesystem --severity HIGH,CRITICAL --format table / > /var/www/html/trivy-report-table.txt
# Keep container running so you can exec into it
CMD ["tail", "-f", "/dev/null"]
Thanks for your support!
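A scan summary like the one quoted above ("Total: 212 (HIGH: 203, CRITICAL: 9)") is only a starting point; the question a maintainer will ask back is how many of those findings already have a fixed package version published by the base distribution, and which packages need upgrading. The following script is an added example, not code from the issue author or the Pimcore project. It assumes Trivy's JSON output (`trivy filesystem --format json ...` instead of `--format table`) and reads the `Results[].Vulnerabilities[]` fields of that schema; the embedded report and its `CVE-XXXX-*` identifiers are constructed placeholders, not real findings from the image.

```python
"""Triage a Trivy JSON report: count HIGH/CRITICAL findings and split them into
'fix available' vs 'no fix published yet', grouped by package and target."""
import json
from collections import Counter, defaultdict

# Constructed sample in the shape of Trivy's JSON output (SchemaVersion 2).
# The vulnerability ids below are placeholders, not real identifiers.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "Results": [
        {"Target": "pimcore/pimcore:php8.2-latest (debian 12)",
         "Class": "os-pkgs", "Type": "debian",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-XXXX-0001", "PkgName": "libexample1",
              "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2",
              "Severity": "CRITICAL"},
             {"VulnerabilityID": "CVE-XXXX-0002", "PkgName": "libexample1",
              "InstalledVersion": "1.0-1", "FixedVersion": "",
              "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-XXXX-0003", "PkgName": "othertool",
              "InstalledVersion": "2.3", "FixedVersion": "",
              "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-XXXX-0004", "PkgName": "othertool",
              "InstalledVersion": "2.3", "FixedVersion": "2.4",
              "Severity": "MEDIUM"},
         ]},
        {"Target": "composer.lock", "Class": "lang-pkgs", "Type": "composer",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-XXXX-0005", "PkgName": "vendor/pkg",
              "InstalledVersion": "3.1.0", "FixedVersion": "3.1.1",
              "Severity": "HIGH"},
         ]},
    ],
})

SEVERITIES = ("CRITICAL", "HIGH")


def load_findings(report_text, severities=SEVERITIES):
    """Flatten Results[].Vulnerabilities[] into plain dicts, keeping only the requested severities."""
    report = json.loads(report_text)
    findings = []
    for result in report.get("Results", []):
        # Trivy omits or nulls "Vulnerabilities" for clean targets.
        for v in result.get("Vulnerabilities") or []:
            if v.get("Severity") in severities:
                findings.append({
                    "id": v["VulnerabilityID"],
                    "target": result.get("Target", ""),
                    "pkg": v["PkgName"],
                    "installed": v.get("InstalledVersion", ""),
                    "fixed": v.get("FixedVersion") or "",  # empty: no fix published yet
                    "severity": v["Severity"],
                })
    return findings


def summarize(findings):
    """Count by severity, split fixable vs not, and build a per-package upgrade plan."""
    by_sev = Counter(f["severity"] for f in findings)
    fixable = [f for f in findings if f["fixed"]]
    unfixable = [f for f in findings if not f["fixed"]]
    per_pkg = defaultdict(list)
    for f in fixable:
        per_pkg[(f["target"], f["pkg"])].append(f)
    return {
        "total": len(findings),
        "by_severity": dict(by_sev),
        "fixable": len(fixable),
        "no_fix": len(unfixable),
        # For each (target, package): the fixed versions Trivy reports.
        "upgrade_plan": {key: sorted({f["fixed"] for f in fs}) for key, fs in per_pkg.items()},
    }


def format_summary(s):
    """One-line summary in the spirit of Trivy's table header."""
    sev = ", ".join(f"{k}: {v}" for k, v in sorted(s["by_severity"].items()))
    return f"Total: {s['total']} ({sev}) - fix available: {s['fixable']}, no fix yet: {s['no_fix']}"


if __name__ == "__main__":
    summary = summarize(load_findings(SAMPLE_REPORT))
    print(format_summary(summary))
    for (target, pkg), versions in summary["upgrade_plan"].items():
        print(f"  {target}: upgrade {pkg} to {' / '.join(versions)}")
```

Run against a real report with `load_findings(open("trivy-report.json").read())`. Findings with an empty `FixedVersion` cannot be resolved by rebuilding the image and are the ones worth raising with the base-image maintainer; findings with a fix available are usually cleared by an `apt-get upgrade` of the listed packages or a newer image tag, and the `upgrade_plan` output lists exactly which ones.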
jdreesen