MariaDB vulnerabilities

Hi @tabbyfoo

Having a lot of vulnerabilities related to MariaDB in the latest Liquibase docker image. Can anyone please suggest how to remove MariaDB from Liquibase?


Hi @tejas. Can you provide the CVE numbers for the mariadb driver that is included in the docker image that Liquibase provides, so that we can assess which version of the driver we would need to update to in order to fix or mitigate the risk of that driver?
Second, in order to remove the mariadb driver from the docker image, there are two options that I can think of, and they both involve creating your own docker image.
One would be to build your own docker image and include liquibase core with any/all of the drivers that you would like, using this file as a basis.

The second would be to use lpm to remove the driver from the docker image that you build.
See this as an example, where instead of running lpm add you would use
lpm remove mariadb

Very similar to the MySQL example in the readme:
FROM liquibase/liquibase
RUN lpm remove mariadb --global

This will use the latest docker image and create a new one when you run
docker build . -t liquibase/liquibase-nomariadbdriver

Please find the long list below

CVE-2022-1304 e2fsprogs:1.46.2-2
CVE-2021-33560 libgcrypt20:1.8.7-6
CVE-2022-27376 mariadb-10.5:1:10.5.15-0+deb11u1
CVE-2022-27379 mariadb-10.5:1:10.5.15-0+deb11u1
CVE-2022-27385 mariadb-10.5:1:10.5.15-0+deb11u1
CVE-2022-27381 mariadb-10.5:1:10.5.15-0+deb11u1
CVE-2022-27382 mariadb-10.5:1:10.5.15-0+deb11u1
CVE-2022-27386 mariadb-10.5:1:10.5.15-0+deb11u1
CVE-2022-27456 mariadb-10.5:1:10.5.15-0+deb11u1
CVE-2022-27457 mariadb-10.5:1:10.5.15-0+deb11u1
CVE-2022-27380 mariadb-10.5:1:10.5.15-0+deb11u1
CVE-2022-27448 mariadb-10.5:1:10.5.15-0+deb11u1
CVE-2022-27452 mariadb-10.5:1:10.5.15-0+deb11u1
CVE-2022-27451 mariadb-10.5:1:10.5.15-0+deb11u1
CVE-2021-46669 mariadb-10.5:1:10.5.15-0+deb11u1
CVE-2022-27383 mariadb-10.5:1:10.5.15-0+deb11u1
CVE-2022-27449 mariadb-10.5:1:10.5.15-0+deb11u1
CVE-2022-27445 mariadb-10.5:1:10.5.15-0+deb11u1
CVE-2022-27455 mariadb-10.5:1:10.5.15-0+deb11u1
CVE-2022-27458 mariadb-10.5:1:10.5.15-0+deb11u1
CVE-2022-27378 mariadb-10.5:1:10.5.15-0+deb11u1
CVE-2022-27446 mariadb-10.5:1:10.5.15-0+deb11u1
CVE-2022-27387 mariadb-10.5:1:10.5.15-0+deb11u1
CVE-2022-27444 mariadb-10.5:1:10.5.15-0+deb11u1
CVE-2022-27377 mariadb-10.5:1:10.5.15-0+deb11u1
CVE-2022-27384 mariadb-10.5:1:10.5.15-0+deb11u1
CVE-2022-27447 mariadb-10.5:1:10.5.15-0+deb11u1
CVE-2022-29458 ncurses:6.2+20201114-2
CVE-2020-16156 perl:5.32.1-4+deb11u2
CVE-2021-45346 sqlite3:3.34.1-3
CVE-2022-0530 unzip:6.0-26
CVE-2022-0529 unzip:6.0-26
CVE-2021-31879 wget:1.21-1+deb11u1
CVE-2018-25032 zlib:1:1.2.11.dfsg-2

I used the 2nd option as suggested by you:

lpm remove mariadb --global
mariadb-java-client-3.0.4.jar successfully uninstalled from classpath. (got this message in response)

But I am still getting multiple vulnerabilities related to mariadb.
It looks like it is tightly coupled in the original Liquibase code.

I am only using MySQL, so I want to get rid of mariadb, which is showing a lot of issues in the vulnerability scan.

@tejas Thanks for the response. Not sure why you are still seeing vulnerabilities when the mariadb driver no longer exists in the image. What are you using to view the vulnerabilities, or what software is showing that the liquibase container has vulnerabilities with MariaDB once the driver is removed?
The list provided also shows server-side vulnerabilities. We only add the driver side to the docker image. There is no MariaDB server in the image.

We are using AWS ECR scan.
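The scanner output posted above, worked through as an added example that is not from this thread, from Liquibase or from AWS: every finding in the list is written as `<CVE> <package>:<version>`, and the version strings carry a Debian epoch (`1:`) and a Debian revision (`0+deb11u1`, a bullseye update build), so they identify Debian packages in the image's dpkg database rather than the `mariadb-java-client-3.0.4.jar` that lpm removed. The script below parses those identifiers, matches each finding against a dpkg listing and a jar listing, and groups the CVEs by which tool can act on them. The dpkg and jar inventories are constructed stand-ins for what `dpkg-query` and `find` would print inside the image, and the jar paths are hypothetical.

```python
r"""Sort container-scan findings into what `lpm remove` can fix and what it cannot.

Added example for this thread, not code from Liquibase or AWS. SCAN_FINDINGS is a
subset of the list posted in the thread; DPKG_INVENTORY and the jar lists are
constructed stand-ins for `dpkg-query -W -f '${Package} ${source:Package} ${Version}\n'`
and `find / -name '*.jar'` run inside the image.
"""
from collections import defaultdict

# Subset of the posted scan output: "<CVE> <source package>:<Debian version>".
SCAN_FINDINGS = """\
CVE-2022-1304 e2fsprogs:1.46.2-2
CVE-2022-27376 mariadb-10.5:1:10.5.15-0+deb11u1
CVE-2022-27379 mariadb-10.5:1:10.5.15-0+deb11u1
CVE-2021-46669 mariadb-10.5:1:10.5.15-0+deb11u1
CVE-2018-25032 zlib:1:1.2.11.dfsg-2
CVE-2022-0529 unzip:6.0-26
""".splitlines()

# Constructed dpkg listing: installed binary package, its source package, version.
DPKG_INVENTORY = """\
libmariadb3 mariadb-10.5 1:10.5.15-0+deb11u1
mariadb-common mariadb-10.5 1:10.5.15-0+deb11u1
e2fsprogs e2fsprogs 1.46.2-2
libext2fs2 e2fsprogs 1.46.2-2
zlib1g zlib 1:1.2.11.dfsg-2
unzip unzip 6.0-26
""".splitlines()

# Constructed jar listings before and after `lpm remove mariadb --global`.
# Paths are hypothetical; the 3.0.4 jar name is the one lpm reported removing.
JARS_BEFORE = ["/liquibase/internal/lib/mariadb-java-client-3.0.4.jar",
               "/liquibase/internal/lib/postgresql.jar"]
JARS_AFTER = ["/liquibase/internal/lib/postgresql.jar"]


def parse_debian_version(version):
    """Split '1:10.5.15-0+deb11u1' into epoch, upstream version and Debian revision.

    A '+debNNuM' revision means the package was built for a Debian N stable update."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return {"epoch": epoch, "upstream": upstream, "revision": revision}


def parse_finding(line):
    """'CVE-2022-27376 mariadb-10.5:1:10.5.15-0+deb11u1' -> (cve, package, version).

    Only the first ':' separates package from version; a later one is the epoch."""
    cve, ident = line.split(maxsplit=1)
    package, _, version = ident.partition(":")
    return cve, package, version


def dpkg_sources(inventory):
    """Map each source package to the binary packages installed from it."""
    sources = defaultdict(set)
    for line in inventory:
        binary, source, _version = line.split()
        sources[source].add(binary)
    return sources


def match_jar(package, jars):
    """Return the jar whose file name starts with the scanner's package name, or None."""
    for path in jars:
        name = path.rsplit("/", 1)[-1]
        if name.startswith(package):
            return name
    return None


def classify(findings, dpkg_inventory, jars):
    """Return {cve: (kind, package, detail)}; kind is 'os-package', 'jar' or 'unmatched'."""
    sources = dpkg_sources(dpkg_inventory)
    result = {}
    for line in findings:
        cve, package, _version = parse_finding(line)
        if package in sources:
            result[cve] = ("os-package", package, sorted(sources[package]))
        elif (jar := match_jar(package, jars)) is not None:
            result[cve] = ("jar", package, [jar])
        else:
            result[cve] = ("unmatched", package, [])
    return result


def remediation(classified):
    """Group CVEs by the tool that can act on them; lpm only ever touches the 'lpm' bucket."""
    plan = {"lpm": defaultdict(list), "apt": defaultdict(list), "unmatched": defaultdict(list)}
    for cve, (kind, package, detail) in classified.items():
        bucket = {"jar": "lpm", "os-package": "apt"}.get(kind, "unmatched")
        plan[bucket][" ".join(detail) or package].append(cve)
    return {tool: dict(groups) for tool, groups in plan.items()}


if __name__ == "__main__":
    plan = remediation(classify(SCAN_FINDINGS, DPKG_INVENTORY, JARS_AFTER))
    for tool, groups in plan.items():
        for package, cves in groups.items():
            print(f"{tool:9} {package:30} {len(cves)} CVE(s)")
```

Run against the posted list, every finding lands in the `apt` bucket and none in `lpm`, which is why removing the driver jar changed nothing in the scan: the `mariadb-10.5` findings are attached to the `libmariadb3` and `mariadb-common` Debian packages, and those are fixed by upgrading or purging the OS package (or rebuilding from a newer base image), not by lpm. The same parse makes the version mismatch visible: upstream `10.5.15` is the MariaDB client library, while the jar that lpm removed was `3.0.4`.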