Patching vulnerabilities in npm/gem dependencies in discourse

Our organization requires us to patch all High/Critical vulnerabilities in our docker images before we can deploy them to production. Currently our build of discourse, which is based on discourse/base:2.0.20251008-0017-web-only, has a few of them which we are trying to patch if possible. Below is the list of vulnerabilities we need to patch.

vuln-report-opencves.txt (2.3 KB)

Could you give me any guidance on whether updating any of these blindly to versions which have fixed these vulnerabilities will cause any issues? If yes, how can we find out if an upgrade is causing an issue?

Also, I notice that there are lots of golang-related vulnerabilities. Does discourse use golang in any way during the runtime, or can we just completely purge it from the final image? Same goes for python too.

1 Like

I think you could just give it a try and see what happens. A bunch of people have a full time job of managing security and library versions.

But wait. If you’re looking at the base Docker image (oh, maybe you do mean the image that you built; I can’t quite tell), then I’d think that your job is impossible, since lots of that stuff gets managed in the Discourse source. For example, this commit upgrades Rack to 2.2.20. The version in the base docker image doesn’t matter. You probably want to build your image with launcher and then see what versions of stuff you have. You could then add some yaml to remove go and python, for example.

Also, there are a bunch of security issues that are issues only when there are other users on the system, so having those in your Docker container doesn’t really matter, and it’s not likely to be a priority for the Discourse team.
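One way to do the "see what versions of stuff you have" check the reply suggests, as an added example that is not from this thread or from Discourse: a POSIX sh script that takes `gem list` output captured from the built container and reports every installed version that is below the fixed version named in the report. The two-column report format, the gem names other than rack, and the thresholds are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread or Discourse: flag gems in a built image
# whose installed version is below the fixed version listed in the report.
# Real use: docker exec app gem list > inventory.txt, then
#   vulnerable_gems fixed.txt inventory.txt

# version_ge A B: succeed when dotted numeric version A >= B, field by field.
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax=${a%%.*}; bx=${b%%.*}
        if [ "$ax" = "$a" ]; then a=''; else a=${a#*.}; fi
        if [ "$bx" = "$b" ]; then b=''; else b=${b#*.}; fi
        if [ "${ax:-0}" -gt "${bx:-0}" ]; then return 0; fi
        if [ "${ax:-0}" -lt "${bx:-0}" ]; then return 1; fi
    done
    return 0
}

# vulnerable_gems FIXED INVENTORY: FIXED holds "name min_fixed_version" lines
# (the report format assumed here), INVENTORY is `gem list` output
# ("name (v1, v2 platform)"). Prints "name installed needs>=fixed" per hit.
vulnerable_gems() {
    fixed=$1; inv=$2
    while read -r name fixver; do
        if [ -z "$name" ]; then continue; fi
        vers=$(sed -n "s/^$name (\(.*\))\$/\1/p" "$inv" | tr -d ',')
        for v in $vers; do
            # skip platform tags, "default:" and prerelease tokens (non-numeric)
            case $v in *[!0-9.]*) continue ;; esac
            if ! version_ge "$v" "$fixver"; then
                printf '%s %s needs>=%s\n' "$name" "$v" "$fixver"
            fi
        done
    done < "$fixed"
}

# Constructed samples: only rack 2.2.20 comes from the thread; the rest is made up.
tmp=$(mktemp -d)
cat > "$tmp/fixed.txt" <<'EOF'
rack 2.2.20
samplegem 4.1.0
otherlib 2.0.0
EOF
cat > "$tmp/inventory.txt" <<'EOF'
rack (2.2.20)
samplegem (4.1.0 x86_64-linux, 4.0.2 x86_64-linux)
otherlib (default: 1.9.5)
EOF
vulnerable_gems "$tmp/fixed.txt" "$tmp/inventory.txt"
```

The same idea applies to `npm ls --json` output for the JavaScript side, with a JSON-aware parser in place of the `sed` line.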