We are using openjdk:8-jdk-alpine as the base image in a Docker image. We are getting a finding that jq:1.6-r0 is affected by CVE-2016-4074, and we tried jq>1.6_rc1-r0 as well, but it hasn't resolved the issue, as shown below.
Here is the Dockerfile
Could anyone guide/suggest how we can resolve this issue?
Alpine 3.9 comes with an older (affected) version of jq, v1.6-r0.
Only Alpine 3.12 and higher come with the fixed version of jq, v1.6-r1.
You can see this here:
If you are security-aware, you should upgrade your alpine and generally use up to date versions of most things, if not, then you probably have nothing to worry about.
In regard to your follow-up question in the comment, about upgrading jq without upgrading the base image:
- I do not know of a way to get an official apk package from a newer Alpine.
- As with any other Linux, although it is usually better to rely on the official package manager, you can still opt to build from source or download a pre-built binary.
For example, to get the latest available jq (version 1.6) on Alpine, directly from the GitHub release page, you can do this:

    FROM alpine
    RUN apk add wget
    RUN wget https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64 \
        && mv jq-linux64 /usr/local/bin/jq \
        && chmod +x /usr/local/bin/jq
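As an added example (not part of the question or the answer above), a small POSIX shell script that turns the answer's facts into checks you can run inside an Alpine-based image: whether the installed jq apk version is still the affected 1.6-r0 build, whether the Alpine release is new enough to ship 1.6-r1, and a digest check to run on a manually downloaded jq-linux64 binary before moving it into /usr/local/bin. The version boundaries (1.6-r1, Alpine 3.12) are taken from the answer; the release digest is not reproduced here and must come from the jq release page.

```shell
#!/bin/sh
# Added example, not from the question or answer above. The boundaries below are
# the ones stated in the answer: jq 1.6-r0 is the affected apk build, 1.6-r1 is
# the first fixed one, and Alpine 3.12 is the first release that ships it.
FIXED_JQ_UPSTREAM=1.6
FIXED_JQ_PKGREL=1
FIXED_ALPINE=3.12

# Compare two dotted versions; prints -1, 0 or 1. A pre-release suffix such as
# "1.6_rc1" sorts below the plain "1.6" (that is the jq>1.6_rc1 case).
vercmp() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    [ "$a" = "$x" ] && a= || a=${a#*.}
    [ "$b" = "$y" ] && b= || b=${b#*.}
    x=${x:-0}; y=${y:-0}
    xs=${x%%[!0-9]*}; ys=${y%%[!0-9]*}       # numeric prefix of each component
    xs=${xs:-0}; ys=${ys:-0}
    [ "$xs" -lt "$ys" ] && { printf '%s\n' -1; return; }
    [ "$xs" -gt "$ys" ] && { printf '%s\n' 1; return; }
    [ "$xs" != "$x" ] && [ "$ys" = "$y" ] && { printf '%s\n' -1; return; }
    [ "$xs" = "$x" ] && [ "$ys" != "$y" ] && { printf '%s\n' 1; return; }
  done
  printf '%s\n' 0
}

# jq_apk_is_fixed "1.6-r0" -> 1 (affected); "1.6-r1" or "1.7-r0" -> 0 (fixed).
# The argument is the version part of "apk info -v" output, e.g. "jq-1.6-r0".
jq_apk_is_fixed() {
  case $1 in *-r*) ;; *) return 1 ;; esac    # not an apk version string
  up=${1%-r*}; rel=${1##*-r}
  case $(vercmp "$up" "$FIXED_JQ_UPSTREAM") in
    1) return 0 ;;
    -1) return 1 ;;
  esac
  [ "$rel" -ge "$FIXED_JQ_PKGREL" ]
}

# alpine_ships_fixed_jq "3.9.4" -> 1; "3.12.0" -> 0 (input: /etc/alpine-release).
alpine_ships_fixed_jq() {
  [ "$(vercmp "$1" "$FIXED_ALPINE")" -ge 0 ]
}

# verify_sha256 FILE EXPECTED_HEX: succeeds only when the digest matches. In the
# Dockerfile above, run it on jq-linux64 before the mv/chmod, with the digest
# published for the release (placeholder here, not a real value).
verify_sha256() {
  [ "$(sha256sum "$1" | cut -d' ' -f1)" = "$2" ]
}
```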