Description
Describe the bug
The Docker image apache/age:release_PG17_1.6.0 contains 4 high-severity security vulnerabilities, which poses a security risk when it is used in production environments.
How are you accessing AGE (Command line, driver, etc.)?
- Docker image
What data setup do we need to do?
N/A - This is a base image security issue, not related to data setup.
What is the necessary configuration info needed?
- Using the official Apache AGE Docker image: apache/age:release_PG17_1.6.0
- Docker image scanning reveals: 0 Critical, 4 High, 9 Medium, 29 Low vulnerabilities
What is the command that caused the error?
```dockerfile
FROM apache/age:release_PG17_1.6.0
```
When scanning the image with Docker security tools, the following vulnerabilities are detected:
Current image vulnerabilities: 0C 4H 9M 29L
Expected behavior
The base Docker image should be regularly updated to patch known security vulnerabilities. The image should have minimal or no high-severity vulnerabilities, especially for production use.
Environment (please complete the following information):
- Version: apache/age:release_PG17_1.6.0
- PostgreSQL Version: 17
- AGE Version: 1.6.0
Additional context
This issue affects anyone using the official Apache AGE Docker image as a base image. The vulnerabilities should be addressed by:
- Updating base packages in the image
- Rebuilding and publishing a new image version with security patches
- Providing regular security updates for the Docker image
The Dockerfile in question:
```dockerfile
FROM apache/age:release_PG17_1.6.0
ARG PG_MAJOR=17
ADD https://github.com/pgvector/pgvector.git#v0.8.1 /tmp/pgvector
RUN apt-get update && \
    apt-mark hold locales && \
    apt-get install -y --no-install-recommends build-essential postgresql-server-dev-$PG_MAJOR && \
    cd /tmp/pgvector && \
    make clean && \
    make OPTFLAGS="" && \
    make install && \
    mkdir /usr/share/doc/pgvector && \
    cp LICENSE README.md /usr/share/doc/pgvector && \
    rm -r /tmp/pgvector && \
    apt-get remove -y build-essential postgresql-server-dev-$PG_MAJOR && \
    apt-get autoremove -y && \
    apt-mark unhold locales && \
    rm -rf /var/lib/apt/lists/*
```
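As an added example (not part of the issue or of the Apache AGE project), the same derived Dockerfile with the interim mitigation the "Additional context" section asks for, applying the base image's pending Debian and PGDG package updates in the build layer so that downstream images pick up already-published security fixes until a rebuilt upstream image is available. The pgvector tag and build steps are taken from the issue; the digest pin is a placeholder to fill in from the registry.

```dockerfile
# Added example: derived image that applies pending OS package updates
# (not the project's own Dockerfile). Pin by digest for reproducible builds,
# e.g. FROM apache/age:release_PG17_1.6.0@sha256:<digest from the registry>
FROM apache/age:release_PG17_1.6.0

ARG PG_MAJOR=17
ADD https://github.com/pgvector/pgvector.git#v0.8.1 /tmp/pgvector

# "apt-get upgrade -y" pulls in every security update the image's configured
# apt sources have published since the base image was built. This only
# covers vulnerabilities for which Debian or PGDG already ship a fixed
# package; findings without a fix still need a rebuilt upstream image.
RUN apt-get update && \
    apt-get upgrade -y && \
    apt-mark hold locales && \
    apt-get install -y --no-install-recommends build-essential postgresql-server-dev-$PG_MAJOR && \
    cd /tmp/pgvector && \
    make clean && \
    make OPTFLAGS="" && \
    make install && \
    mkdir /usr/share/doc/pgvector && \
    cp LICENSE README.md /usr/share/doc/pgvector && \
    rm -r /tmp/pgvector && \
    # Drop the toolchain again so the final layer carries no build-only packages.
    apt-get remove -y build-essential postgresql-server-dev-$PG_MAJOR && \
    apt-get autoremove -y && \
    apt-mark unhold locales && \
    rm -rf /var/lib/apt/lists/*
```

Rescan the rebuilt image with the same scanner afterwards and compare the High count against the 4H reported for the unmodified base image; any remaining High findings are the ones that require an upstream rebuild rather than a package update.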