
The base linux image being used has a package with vulnerability CVE-2022-29162 #869

Closed
poyamz opened this issue Jun 20, 2022 · 1 comment
Labels
question Usability question, not directly related to an error with the image

Comments


poyamz commented Jun 20, 2022

The mysql docker image we are using, mysql:5, appears to be using the package github.com/opencontainers/runc, which has the following known issue: CVE-2022-29162.

The suggested fix is to update the package to version 1.1.2.

@wglambert wglambert added the question Usability question, not directly related to an error with the image label Jun 21, 2022
@wglambert

runC is a client wrapper around libcontainer; it isn't present in the container itself. (A DockerCon talk about runC: https://www.youtube.com/watch?v=ZAhzoz2zJj8)

$ docker run -it --rm mysql:5 bash
root@8d23b92002c9:/# apt list --installed | grep -i runc

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

root@8d23b92002c9:/#

See https://github.com/docker-library/faq#why-does-my-security-scanner-show-that-an-image-has-cves
And docker-library/openjdk#449 (comment), docker-library/postgres#286 (comment), docker-library/openjdk#161, docker-library/openjdk#112, docker-library/postgres#286, docker-library/drupal#84, docker-library/official-images#2740, docker-library/ruby#117, docker-library/ruby#94, docker-library/python#152, docker-library/php#242, docker-library/buildpack-deps#46, docker-library/openjdk#185.

A CVE doesn't imply having an actual vulnerability, and often is even a false positive (given how most distributions handle versioning/security updates in stable releases). If there are actionable items we can resolve, we're happy to do so (and do so actively). We update all Debian based images to include any updates in apt packages at least monthly (we regenerate the base images and then rebuild all dependent images).

If you have further questions you could also try asking over at the Docker Community Forums, Docker Community Slack, or Stack Overflow, since these repos aren't really a user-help forum.
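The triage step in the answer above (run `apt list --installed` inside the container and see whether the flagged package is there at all) can be scripted for a whole scanner report. The Python below is an added example written for this page; it is not part of the thread or of docker-library's tooling. It assumes a constructed, one-finding-per-line report shape (`<CVE> <package> <flagged-version> <fixed-version>`) rather than any particular scanner's format, a constructed `apt list --installed` transcript as input, and a simplified dpkg version ordering (epoch, upstream and revision are honoured, `~` ordering is not). The two `CVE-0000-...` identifiers and the `libexample` packages are placeholders.

```python
"""Triage container-scanner CVE findings against what a Debian-based image
actually has installed.  Added example for this thread, not docker-library code.
"""
import re

# Constructed sample findings: "<CVE> <package> <flagged-version> <fixed-version>".
# CVE-2022-29162 is the one from the thread; the other two are placeholders.
SCANNER_FINDINGS = """\
CVE-2022-29162 github.com/opencontainers/runc 1.1.1 1.1.2
CVE-0000-0001 libexample1 1.2.3-1 1.2.3-2
CVE-0000-0002 libexample2 2.0.0-1+deb11u1 2.1.0
"""

# Constructed sample of `apt list --installed` captured inside the container,
# including apt's warning line, which the parser has to skip.
APT_LIST_OUTPUT = """\
WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

libexample1/now 1.2.3-1 amd64 [installed]
libexample2/now 2.0.0-1+deb11u1 amd64 [installed]
"""

# `apt list` prints "<name>/<suites> <version> <arch> [installed,...]".
APT_LINE = re.compile(r"^(\S+)/\S+\s+(\S+)\s+\S+\s+\[installed")

# Heuristic (assumption): a Debian/Ubuntu stable-update revision suffix means the
# distro backported fixes without bumping the upstream version, so comparing the
# number against an upstream "fixed" version says nothing; consult the tracker.
DISTRO_PATCHED = re.compile(r"\+deb\d+u\d+|ubuntu\d+(\.\d+)*$")


def parse_apt_list(text):
    """Map package name -> installed version, ignoring warnings and blank lines."""
    installed = {}
    for line in text.splitlines():
        match = APT_LINE.match(line)
        if match:
            installed[match.group(1)] = match.group(2)
    return installed


def _key(fragment):
    """Simplified dpkg ordering: digit runs compare numerically, others lexically."""
    return [(1, int(run)) if run.isdigit() else (0, run)
            for run in re.findall(r"\d+|\D+", fragment)]


def compare_versions(a, b):
    """Return -1, 0 or 1 in the spirit of `dpkg --compare-versions` (simplified)."""
    def split(version):
        epoch, sep, rest = version.partition(":")
        if not sep:
            epoch, rest = "0", version
        upstream, sep, revision = rest.rpartition("-")
        if not sep:
            upstream, revision = rest, ""
        return int(epoch), _key(upstream), _key(revision)
    ka, kb = split(a), split(b)
    return (ka > kb) - (ka < kb)


def triage(findings_text, apt_list_text):
    """Classify each finding: not-installed, check-distro-tracker, actionable,
    or fixed-or-newer.  Returns {cve: (package, installed_version, status)}."""
    installed = parse_apt_list(apt_list_text)
    results = {}
    for line in findings_text.splitlines():
        cve, package, _flagged, fixed = line.split()
        name = package.rsplit("/", 1)[-1]  # assumption: module path -> bare name
        version = installed.get(name)
        if version is None:
            status = "not-installed"         # the runc case in this thread
        elif DISTRO_PATCHED.search(version):
            status = "check-distro-tracker"  # backport keeps the old upstream number
        elif compare_versions(version, fixed) < 0:
            status = "actionable"
        else:
            status = "fixed-or-newer"
        results[cve] = (name, version, status)
    return results


if __name__ == "__main__":
    for cve, (name, version, status) in triage(SCANNER_FINDINGS, APT_LIST_OUTPUT).items():
        print(f"{cve:15} {name:12} {version or '-':20} {status}")
```

"not-installed" here means "not a Debian package in this image"; a scanner can also match a Go module compiled into some binary, so the thing to look at next is which file the scanner actually matched rather than dismissing the finding outright. "check-distro-tracker" findings are resolved by looking the CVE up in the distribution's security tracker, not by comparing version numbers.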
