Unable to download the jq package

We are using openjdk:8-jdk-alpine as the base image in a Docker image. We are getting "jq:1.6-r0 is affected by CVE-2016-4074" and have tried jq>1.6_rc1-r0 as well, but it hasn't resolved the issue, as shown below.


Here is the Dockerfile

FROM openjdk:8-jdk-alpine3.9

ENV PACKAGES="jq>1.6-r0"

Could anyone guide/suggest how we can resolve this issue?

Answer

Alpine 3.9 comes with an older (affected) version of jq, v1.6-r0.

Only Alpine 3.12 and higher come with the fixed version, jq v1.6-r1.

You can see this here:
https://pkgs.alpinelinux.org/packages?name=jq&branch=v3.9

If you are security-aware, you should upgrade your Alpine and generally use up-to-date versions of most things; if not, then you probably have nothing to worry about.


Regarding your follow-up question in the comment, about upgrading jq without upgrading the base image:

  1. I do not know of a way to get an official apk package from a newer Alpine.
  2. As with any other Linux, although it is usually better to rely on the official package manager, you can still opt to build from source or download a pre-built binary.

For example, to get the latest available jq (version 1.6) on Alpine, directly from the GitHub release page, you can do this:

FROM alpine

# --no-cache avoids leaving the apk index in the image layer
RUN apk add --no-cache wget

# download the pre-built release binary and put it on PATH
RUN wget https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64 && \
    mv jq-linux64 /usr/local/bin/jq && \
    chmod +x /usr/local/bin/jq
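The Dockerfile above installs whatever the release URL serves at build time, with no check that it is the file you expect. As an added example (not part of the original answer), the same download written as shell functions that only install the binary when its SHA-256 matches a hash you pinned in advance; the hash value itself is a placeholder you must fill in from the release you verified, and `wget`, `sha256sum`, `install` and `mktemp` are assumed to be the BusyBox/coreutils tools present on Alpine:

```shell
#!/bin/sh
# Added example, not code from the original answer.
# Install a pre-built jq binary only after its SHA-256 matches a value
# you recorded yourself (from the release page, out of band), so a
# swapped or corrupted download fails the build instead of shipping.
set -eu

# verify_and_install FILE EXPECTED_SHA256 DEST
# Installs FILE to DEST with mode 0755 and returns 0 if the hash matches;
# returns 1 and leaves DEST untouched otherwise.
verify_and_install() {
    file="$1"; expected="$2"; dest="$3"
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $file: expected $expected, got $actual" >&2
        return 1
    fi
    install -m 0755 "$file" "$dest"
}

# fetch_and_install URL EXPECTED_SHA256 DEST
# Downloads to a temporary file, verifies, installs, and always removes
# the temporary file; nothing reaches DEST unless the hash matched.
fetch_and_install() {
    url="$1"; expected="$2"; dest="$3"
    tmp=$(mktemp)
    if wget -q -O "$tmp" "$url" && verify_and_install "$tmp" "$expected" "$dest"; then
        rm -f "$tmp"
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Example invocation for a Dockerfile RUN step. JQ_SHA256 is a placeholder:
# replace it with the hash you verified for the release you pin.
#   JQ_SHA256="<sha256 of jq-linux64 for the pinned release>"
#   fetch_and_install \
#     https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64 \
#     "$JQ_SHA256" /usr/local/bin/jq
```

In a Dockerfile you would either COPY this script into the build stage and call `fetch_and_install` from a RUN step, or inline the same commands; either way the expected hash should be a literal in your repository (or a build ARG you control), not something fetched at build time from the same origin as the binary.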