David Ko edited this page Aug 5, 2024 · 3 revisions
How Longhorn handles CVE issues
Longhorn uses Trivy to scan its deliverable artifacts (container images) and the component binaries they contain (library dependencies) for known vulnerabilities.
In each Longhorn release, regardless of type (major, minor, or patch), all Longhorn container images are rebuilt on the latest BCI base image (https://www.suse.com/products/base-container-images/), so that OS package vulnerabilities are fixed wherever BCI has already published the corresponding patch.
In addition to the base image packages, the library dependencies of each Longhorn component are bumped to patched versions whenever the upstream library has released a fix for a reported vulnerability.
Which BCI image Longhorn uses
SUSE Linux Enterprise Base Container Images (SLE BCI) provide truly open, flexible, and secure container images and application development tools. The images consist of container environments based on SUSE Linux Enterprise and are designed to be a secure base for any containerized workload.
Release Cadence for Fixing CVE Issues
For CVE issues found in Longhorn's own components in the current release that have already been fixed in the corresponding libraries or packages, the fixes are introduced in the next patch release.
For CVE issues found in upstream components, such as the CSI sidecars, the fixes are introduced in a subsequent patch release only once the upstream project has published a fix; until then Longhorn has nothing to ship.
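The scanning step described under "How Longhorn handles CVE issues" and the cadence rule above reduce to one question per finding: does Trivy report a fixed version or not? The following Python script, an added example rather than Longhorn's own release tooling, reads a Trivy JSON report and splits findings at or above a chosen severity into those that can be picked up in the next patch release (a `FixedVersion` exists) and those that must wait for upstream (no `FixedVersion`). The field names follow Trivy's JSON report layout (`Results` / `Vulnerabilities` / `VulnerabilityID` / `FixedVersion`); the embedded report itself is constructed sample data with placeholder CVE IDs, package names and versions, not real Longhorn findings.

```python
import json

# Constructed sample in the layout of `trivy image --format json <image>`.
# Every CVE ID, package and version here is a placeholder, not a real finding.
SAMPLE_TRIVY_REPORT = json.dumps({
    "ArtifactName": "example.invalid/longhorn-component:sample",
    "Results": [
        {
            # OS packages from the base image: fixed by rebuilding on newer BCI.
            "Target": "example.invalid/longhorn-component:sample (sles 15.5)",
            "Class": "os-pkgs",
            "Type": "suse linux enterprise server",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample1",
                 "InstalledVersion": "1.0-1.1", "FixedVersion": "1.0-1.2",
                 "Severity": "HIGH"},
                # No FixedVersion: the distro has not shipped a patch yet.
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother0",
                 "InstalledVersion": "2.3", "Severity": "MEDIUM"},
            ],
        },
        {
            # Library dependencies inside the component binary: fixed by a dep bump.
            "Target": "usr/local/sbin/example-component",
            "Class": "lang-pkgs",
            "Type": "gobinary",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "example.invalid/somelib",
                 "InstalledVersion": "v0.1.0", "FixedVersion": "v0.1.1",
                 "Severity": "CRITICAL"},
            ],
        },
        {
            # A clean target: Trivy omits the Vulnerabilities key entirely.
            "Target": "usr/local/sbin/clean-binary",
            "Class": "lang-pkgs",
            "Type": "gobinary",
        },
    ],
})

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def triage(report_json, min_severity="HIGH"):
    """Split Trivy findings at or above min_severity into 'fixable' (a
    FixedVersion is published, so the next patch release can pick it up) and
    'unfixed' (no FixedVersion yet, so Longhorn has to wait for upstream)."""
    report = json.loads(report_json)
    threshold = SEVERITY_RANK[min_severity.upper()]
    fixable, unfixed = [], []
    for result in report.get("Results", []):
        # `or []` also covers an explicit null, which Trivy may emit.
        for vuln in result.get("Vulnerabilities") or []:
            severity = vuln.get("Severity", "UNKNOWN").upper()
            if SEVERITY_RANK.get(severity, 0) < threshold:
                continue
            finding = {
                "id": vuln["VulnerabilityID"],
                "pkg": vuln["PkgName"],
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion", ""),
                "severity": severity,
                "target": result.get("Target", ""),
                "class": result.get("Class", ""),  # os-pkgs vs lang-pkgs
            }
            (fixable if finding["fixed"] else unfixed).append(finding)

    # Most severe first, then by CVE ID for a stable report.
    def order(f):
        return (-SEVERITY_RANK.get(f["severity"], 0), f["id"])

    return {"fixable": sorted(fixable, key=order), "unfixed": sorted(unfixed, key=order)}


def has_pending_fixes(report_json, min_severity="HIGH"):
    """True when a published fix exists that the image has not picked up yet."""
    return bool(triage(report_json, min_severity)["fixable"])


if __name__ == "__main__":
    result = triage(SAMPLE_TRIVY_REPORT, "MEDIUM")
    for bucket, label in (("fixable", "fix available, bump in next patch release"),
                          ("unfixed", "no upstream fix yet")):
        print(f"== {label} ==")
        for f in result[bucket]:
            print(f"{f['severity']:9} {f['id']}  {f['pkg']} {f['installed']}"
                  f"{' -> ' + f['fixed'] if f['fixed'] else ''}  [{f['class']}]")
```

Run it against a real report with `trivy image --format json --output report.json <image>` and pass the file contents to `triage`; the `class` field tells you whether the remedy is a BCI rebuild (`os-pkgs`) or a dependency bump in the component (`lang-pkgs`).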