I’m reaching out to you to request a system upgrade for the base image snowplow/base-debian. We’re using it for customization of the snowplow modules (loader, collector etc.) and the last time this image was updated was 3 years. Since then many vulnerabilities in the debian system packages (and the package management system itself) have been detected and resolved. Running the system upgrade every time on build in our custom image is costly. Please, update the image by upgrading the system.
As your intention is just to run dataflow-runner inside a docker image, my advice is to use our official dataflow-runner image. It is available on docker hub here.
docker pull snowplow/dataflow-runner:0.7.3
That image is built upon a fairly new version of alpine linux.
Historically, we used to maintain the snowplow/base-debian image because we used it internally as a base all our other applications (collector, enrich, loaders etc). However, over the last few years we have switched to using 3rd party base images for those applications, e.g. alpine, eclipse-temurin and distroless.
For this reason, I think it is very unlikely that we update snowplow/base-debian ever again. We have ceased to need it ourselves, and I don’t think we provide any real benefit to the community by maintaining it as we were.
If you need any help finding our configuring our supported snowplow docker images, then I’d be happy to help you further.
Our internal scans show that the latest image for streamloader (1.6.5-distroless) is not subject to this vulnerability as it uses firstname.lastname@example.org+deb11u4 on a Bullseye basis (Ubuntu 20.04) rather than the vulnerable version (Buster, OpenSSL 1.1.1n-0+deb10u3).