From 378ee25bf78859748908a99ccaa58938884c6ff0 Mon Sep 17 00:00:00 2001 From: NyakudyaA Date: Tue, 31 Dec 2024 18:18:58 +0200 Subject: [PATCH] fix readme to make it verbose --- README.md | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index e7c353e1..e168089a 100755 --- a/README.md +++ b/README.md 
@@ -651,12 +651,17 @@ issues. For urgent upstream problems, you will need to get paid support from the developers in [GeoServer](https://geoserver.org/). ### Security Vulnerabilities -The published image uses [Trivy](https://trivy.dev/latest/) for scanning vulnerabilities. The vulnerabilities +The published image uses [Trivy](https://trivy.dev/latest/) to scan vulnerabilities. These vulnerabilities are listed in the [security section](https://github.com/kartoza/docker-geoserver/security/code-scanning). -You can also use other tools to scan the image for vulnerabilities. If you -discover vulnerabilities related to how this image is packaged please raise it -as an issue and label it with `security` tag. For reporting other upstream security -issues please follow the guidelines from [upstream geoserver](https://github.com/geoserver/geoserver/blob/main/SECURITY.md) +You can also use other tools to scan the image for vulnerabilities i.e. `docker scan`. +The images also inherit vulnerabilities from the base images i.e. [tomcat:9.0.91-jdk11-temurin-focal](https://hub.docker.com/_/tomcat/tags?name=9.0.91-jdk11-temurin-focal). +So when reporting please vulnerabilities please try to distinguish them from the following: +* Base image vulnerabilities - These should be reported in the upstream tomcat repository +and if any fix is applied, we will have to build a new image using a newer image tag. +* Packages installed with these images i.e. gosu. These should be reported as an +issue in this repository and should be tagged with the `security` label. +* Vulnerabilities directly related to libs installed with the GeoServer application, these +should be reported upstream following the guidelines from [upstream geoserver](https://github.com/geoserver/geoserver/blob/main/SECURITY.md) Other platforms where users can ask questions and get assistance are listed below: * [Stack Exchange](https://stackexchange.com/)
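Review bot: the new reporting paragraph has a doubled word and a misleading abbreviation: "So when reporting please vulnerabilities please try to distinguish them" should read "So when reporting vulnerabilities, please distinguish between the following:", and the three uses of "i.e." ("i.e. `docker scan`", "i.e. [tomcat:9.0.91-jdk11-temurin-focal]", "i.e. gosu") introduce examples, so "e.g." is the intended abbreviation. Two smaller points in the same hunk: "to scan vulnerabilities" in the first changed line should be "to scan for vulnerabilities", and the third bullet is the only one without a terminating period. Also consider that hard-coding the base image tag `tomcat:9.0.91-jdk11-temurin-focal` in the README will drift from the Dockerfile as the image is bumped; pointing readers at the base image declared in the Dockerfile, or noting that the tag shown is the one current at the time of writing, would keep this section accurate after the next rebuild.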