From bec7b6ede27eef968af1a5df96c6f409e44b0d12 Mon Sep 17 00:00:00 2001 From: "Ajeet Singh Raina, Docker Captain, ARM Innovator" Date: Sat, 13 Jul 2024 08:31:07 +0530 Subject: [PATCH] Update README.md --- README.md | 45 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 45 insertions(+) diff --git a/README.md b/README.md index 57bf9eb..118981f 100644 --- a/README.md +++ b/README.md @@ -48,6 +48,51 @@ Hello World! If you're using Docker Desktop, you should be able to see vulnerabilities right now on your Docker dashboard. +image + +There are 2 major vulnerabilties reported - the first one is related to OpenSSL package and other one is with Express 4.17.3. +It says that Impact Versions of Express.js prior to 4.19.2 and pre-release alpha and beta versions before 5.0.0-beta.3 are affected by an open redirect vulnerability using malformed URLs. +That means we need to update our Express v4.17.3 to 4.19.2 + + +image + + + +Open up package.json in a terminal window and change express from 4.17.3 to 4.19.2 and rebuild it this time with v2.0 + +``` +docker build -t scout-demo:v2 . +``` + +image + + +You will find that express vulnerabilities is now fixed. + +image + +You will see that the OpenSSL vulnerability is still there. To fix this, open up your Dockerfile and add openssl as shown below: + +``` +RUN apk add --no-cache \ + nodejs \ + openssl +``` + +Try re-building the Docker image with v3.0 this time: + +``` +docker build -t scout-demo:v3 . +``` + +This time, you will find all the vulnerabilities are fixed. + +image + + + + ## Create and push the repository on Docker Hub:
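Review bot: The five added lines that consist only of the word `image` are placeholders, not Markdown image syntax, so the rendered README will show the literal text "image" where screenshots were meant to appear; each should become `![description](path/to/screenshot.png)` with the screenshots committed, or be dropped. While touching the same hunk: "vulnerabilties" should read "vulnerabilities", "express vulnerabilities is now fixed" should read "the Express vulnerability is now fixed", and "It says that Impact Versions of Express.js prior to 4.19.2 ..." would read more cleanly as "Versions of Express.js prior to 4.19.2 ...". The prose refers to "v2.0" and "v3.0" while the commands tag the images `scout-demo:v2` and `scout-demo:v3`; the text should use the same tag names as the commands so readers can match the Docker Scout output to the build. Finally, the claim that adding `openssl` to `RUN apk add --no-cache nodejs openssl` fixes the OpenSSL finding only holds if the base image's package index carries a patched build at build time; a one-line note that readers should re-run the scan and confirm the package version Scout reports (rather than assuming the finding is gone) would keep the tutorial from going stale.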