I’m storing a customization of octopusdeploy/tentacle in an AWS Private Container Repo that has “basic” scanning enabled. That scanning is reporting one critical and multiple high level CVEs against the container image.
Can you update the published image of octopusdeploy/tentacle please? If you like, I can log a GitHub issue against the image.
Note that one of the first steps I run in my Dockerfile is to run apt update.
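As an added illustration (not part of the original post and not the project's own Dockerfile), this is the shape of a customization layer that actually pulls OS security patches into the image rather than only refreshing the package index: apt update on its own rewrites the package lists and installs nothing, so a scanner will still see the old package versions. The base tag `latest` and the `curl` package are assumptions for the sake of the example.

```dockerfile
# Added example: customize the published Tentacle image and patch the OS layer.
# The tag is an assumption; pin whatever tag you actually build from.
FROM octopusdeploy/tentacle:latest

# Keep apt non-interactive during the build.
ENV DEBIAN_FRONTEND=noninteractive

# 'apt-get update' only refreshes the index; 'apt-get upgrade' is what
# replaces the installed, CVE-affected packages. Clean the lists afterwards
# so the stale index does not bloat (or get flagged in) the layer.
RUN apt-get update \
    && apt-get upgrade -y \
    && apt-get install -y --no-install-recommends curl \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/*

# Your own customization steps follow here.
```

One caveat worth checking before relying on this: if the base image is built on a distribution release that is no longer supported, its package repositories may no longer publish security updates, in which case apt-get upgrade will run cleanly and still leave the reported CVEs in place. Comparing the scanner's findings before and after the upgrade step is the quickest way to tell which case you are in.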
Thanks so much for alerting us to this. I’m going to pass this information along to our engineers. I will get back with you if there are any questions or feedback. Please feel free to reach out in the meantime or with any other questions.
I spoke with our engineers last night and they had the following to cascade:
The CVEs are a result of us using a base image that’s no longer supported, but the good news is we’re almost done upgrading Tentacle to .NET 6. We’ve confirmed that the .NET 6 build only has LOW CVEs and is considered secure. We’re looking to ship this with 2022.4 very soon, so the fix is on the way. To cover our bases, we confirmed that our Windows image gets the latest patches every night.
Please let me know if that helps or if you have any other questions or concerns.