I feel that reporting about each separate false positive is crazy. Is there a way to clean it up efficiently?



There was a similar discussion in https://github.com/docker-library/official-images/issues/2844.
Not sure what nginx as an image builder could do about it.
Can the alpine images be rebuilt using alpine:3.6 which now has no vulnerabilities https://hub.docker.com/r/library/alpine/tags/
alpine:3.6 is old news... alpine:3.7 is the latest (for now), would be good to rebuild the image off whatever alpine is latest that day
This is a bit of a big deal - nginx's official images are being built off of incredibly out of date images that are full of vulnerabilities.

@mmmeff the packages mentioned (e.g. glibc/libc6) are the current debian9 versions, what makes you think the images are "incredibly out of date" ?
They aren't out of date. These vulns aren't fixed in the upstreams yet.
See https://security-tracker.debian.org/tracker/CVE-2017-16997 for one.
for nginx:1.15-alpine it has dropped down to only libxml2 2.9.8-r0 and libpng 1.6.34-r1 having reported vulnerabilities.
Note: This reports are likely false positives. Some security fixes are backported without changing the version number (e.g. https://git.alpinelinux.org/aports/commit/?id=9ba0323ae03ecb1319c9174e281260c37544fa1d).
However, the version numbers have changed in Alpine 3.9, so #306 should fix this.
Most helpful comment
for
nginx:1.15-alpineit has dropped down to onlylibxml2 2.9.8-r0andlibpng 1.6.34-r1having reported vulnerabilities.