Hi Open Foris team! 👋
My team at SolDevelo recently open-sourced an infrastructure auditor called InfraScan. We've been running it against several high-impact open-source projects to test its capabilities and provide helpful feedback to the community.
We scanned the openforis/arena repository and noticed that the installation instructions in the README.md file currently suggest pulling an outdated Docker image for the local database setup.
The Finding:
The documentation instructs users to run:
docker run -d --name arena-db -p 5444:5432 -e POSTGRES_DB=arena -e POSTGRES_PASSWORD=arena -e POSTGRES_USER=arena postgis/postgis:12-3.0
The scanner flagged the postgis/postgis:12-3.0 image, which currently contains 107 known vulnerabilities (including 61 High severity). Because this relies on an older Debian base and PostgreSQL 12 (which is nearing its End of Life), it lacks years of critical security patches.
You can view the detailed CVE breakdown from our scan here:
👉 https://infrascan.soldevelo.com/?scan_id=6e0e6c83-9a4f-40b7-8931-83d865539e42
Proposed Solution:
Since the Arena platform is used by researchers and institutions globally, it would be beneficial to update the README.md to recommend a newer, actively patched version of the PostGIS image (e.g., postgis/postgis:16-3.4 or postgis/postgis:15-3.4). This ensures that new users and students spinning up Arena locally or on their servers aren't inadvertently deploying vulnerable databases.
Automated Scanning:
If you'd like to catch these types of outdated container references automatically, you can plug our open-source scanner directly into your GitHub Actions. It's completely free and requires no cloud credentials. You can find the tool and documentation here: https://github.com/SolDevelo/InfraScan.
I hope this information is helpful in keeping the Arena deployments secure! Let me know if you'd like me to submit a quick PR updating the README snippet. 🚀
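An added example of the kind of check the post describes (this is not InfraScan's code and not anything from the openforis/arena repository): it scans documentation text for `image:tag` references and flags `postgis/postgis` tags whose PostgreSQL major version is past, or close to, end of life. The EOL dates are taken from the PostgreSQL versioning policy; the README fragment is constructed here from the two `docker run` commands above (current and proposed), and the 180-day warning window is an assumed policy knob.

```python
"""Flag Docker image references in docs that pin a PostgreSQL major near or past end of life."""
import re
from datetime import date, timedelta

# PostgreSQL major -> final EOL date, per https://www.postgresql.org/support/versioning/
# (assumption: table is maintained by hand; extend it as new majors ship).
PG_EOL = {
    12: date(2024, 11, 14),
    13: date(2025, 11, 13),
    14: date(2026, 11, 12),
    15: date(2027, 11, 11),
    16: date(2028, 11, 9),
    17: date(2029, 11, 8),
}

# "repo/name:tag" tokens. The image name must start with a letter so that port
# mappings such as "5444:5432" and URL schemes such as "https://" do not match.
IMAGE_REF = re.compile(
    r"(?<![\w/.-])(?P<image>(?:[a-z0-9.-]+/)*[a-z][a-z0-9._-]*):(?P<tag>[A-Za-z0-9][A-Za-z0-9._-]*)"
)
# postgis/postgis tags look like "<pg major>-<postgis version>", e.g. "12-3.0".
POSTGIS_TAG = re.compile(r"^(?P<pg>\d+)-(?P<postgis>\d+\.\d+)")

# Constructed README fragment: the command from the post plus the proposed replacement.
SAMPLE_README = """\
## Local database
docker run -d --name arena-db -p 5444:5432 -e POSTGRES_DB=arena -e POSTGRES_PASSWORD=arena -e POSTGRES_USER=arena postgis/postgis:12-3.0
## Proposed replacement
docker run -d --name arena-db -p 5444:5432 -e POSTGRES_DB=arena -e POSTGRES_PASSWORD=arena -e POSTGRES_USER=arena postgis/postgis:16-3.4
"""


def _as_date(today):
    """Accept a date, an ISO string, or None (meaning today)."""
    if today is None:
        return date.today()
    if isinstance(today, str):
        return date.fromisoformat(today)
    return today


def find_image_refs(text):
    """Return every (image, tag) pair referenced in the text, in order of appearance."""
    return [(m.group("image"), m.group("tag")) for m in IMAGE_REF.finditer(text)]


def check_postgis_ref(image, tag, today=None, warn_days=180):
    """Classify one postgis/postgis reference as ok / eol-soon / eol / unknown (or skip)."""
    if not (image == "postgis/postgis" or image.endswith("/postgis/postgis")):
        return ("skip", "not a postgis/postgis image")
    m = POSTGIS_TAG.match(tag)
    if not m:
        return ("unknown", f"unrecognised tag format {tag!r}")
    pg = int(m.group("pg"))
    eol = PG_EOL.get(pg)
    today = _as_date(today)
    if eol is None:
        return ("unknown", f"PostgreSQL {pg} is not in the EOL table")
    if eol < today:
        return ("eol", f"PostgreSQL {pg} reached end of life on {eol}")
    if eol - today <= timedelta(days=warn_days):
        return ("eol-soon", f"PostgreSQL {pg} reaches end of life on {eol}")
    return ("ok", f"PostgreSQL {pg} is supported until {eol}")


def audit(text, today=None):
    """Return (reference, status, detail) for each postgis/postgis reference in the text."""
    findings = []
    for image, tag in find_image_refs(text):
        status, detail = check_postgis_ref(image, tag, today)
        if status != "skip":
            findings.append((f"{image}:{tag}", status, detail))
    return findings


if __name__ == "__main__":
    for ref, status, detail in audit(SAMPLE_README):
        print(f"{status:8} {ref:28} {detail}")
```

Run it against a checked-out README (or wire it into a CI job) to fail the build on `eol` findings; the `warn_days` window gives maintainers a heads-up before a pinned major drops out of support rather than after.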