Question regarding official Docker images

[YuzuuTea]

Hi,

I've been tinkering with PowerDNS for a while now, and noticed that the "official" Docker images contain vulnerabilities (at least, according to Trivy when I pulled the images through it). And while the reports from these types of scans aren't always on correct (e.g. false positives), it did make me wonder! As I could conclude that there are extra packages included in said images, whereas the PowerDNS binary itself only has a select number of packages as a requirement.

So I was wondering/curious, is there a reason why the "official" Docker images contain these extra packages, and why the vulnerabilities aren't mitigated once observed?

[rgacogne]

Our images are built on an existing image (trixie-slim lately) that often contains more packages than what is strictly required to run PowerDNS itself, but I'm not aware of any trivial solution to only include what is needed.
Regarding the security vulnerabilities that you observed, are any of them actually relevant in the context of a container running PowerDNS? Because these scanners warn about any package installed in the image even if it's not used, or not used in a way relevant to the reported security issue.

[YuzuuTea]

that often contains more packages than what is strictly required to run PowerDNS itself

That explains why they were observed by Trivy. And as you pointed out, it picks up any package it can find and reports them. Even if they aren't used by PowerDNS itself.

I'd personally would prefer images that only serve a single purpose (in this case PowerDNS) and contain only packages related to it, but I can understand why an existing image is used. Thanks for the information!