the recommended_tag warning that bubbles up into vs code is flawed #121

willie opened this issue Apr 30, 2025 · 7 comments

willie commented Apr 30, 2025

I'm getting docker-language-server(recommended_tag) warnings for the latest LTS release and it's suggesting non-LTS releases. I know LTS or not LTS isn't your problem, but it's an impediment to using the rest of the language server features.


cas-- commented May 7, 2025

I was puzzled by this squiggle for ubuntu 24.04

Image

It was also not immediately clear what 0C 0H 2M 6L referred to, but can now see it means 2 Medium and 6 Low vulnerabilities as listed on Ubuntu CVES, but it seems improbable that the two latest Ubuntu releases have zero vulnerabilities. I suspect that the lack of any listing for non-LTS on Ubuntu CVES (as used by docker scout) is returning no CVE issues.

Probably could improve on this recommendation to choose level of severity to warn about e.g. High or greater.

For now I will have to turn off this feature in settings: docker.lsp.experimental.vulnerabilityScanning
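
The severity summary and the threshold idea raised in the comment above, worked through as an added example (this is not code from docker-language-server or Docker Scout). The function names, the "no worse at every level, better at one" rule and the candidate summaries in the test values are assumptions constructed for illustration; only the `0C 0H 2M 6L` string comes from the thread.

```python
import re

# Severity letters as they appear in the summary, most severe first:
# C = Critical, H = High, M = Medium, L = Low.
SEVERITIES = ("C", "H", "M", "L")
_SUMMARY = re.compile(r"^(\d+)C\s+(\d+)H\s+(\d+)M\s+(\d+)L$")


def parse_summary(text):
    """Turn a summary such as '0C 0H 2M 6L' into {'C': 0, 'H': 0, 'M': 2, 'L': 6}."""
    match = _SUMMARY.match(text.strip())
    if match is None:
        raise ValueError(f"unrecognised severity summary: {text!r}")
    return dict(zip(SEVERITIES, map(int, match.groups())))


def at_or_above(counts, threshold):
    """Counts for the threshold severity and everything more severe."""
    cut = SEVERITIES.index(threshold) + 1
    return tuple(counts[s] for s in SEVERITIES[:cut])


def should_recommend(current, candidate, threshold="H"):
    """Hypothetical policy: suggest another tag only when it helps.

    A suggestion is made only if the current tag has findings at or above
    the threshold, and the candidate is no worse at every such level and
    strictly better at one of them.
    """
    cur = at_or_above(parse_summary(current), threshold)
    cand = at_or_above(parse_summary(candidate), threshold)
    if not any(cur):
        return False  # nothing at or above the threshold to fix
    no_worse = all(c <= u for c, u in zip(cand, cur))
    return no_worse and cand != cur


if __name__ == "__main__":
    # Summary from the thread against a constructed all-zero candidate.
    print(should_recommend("0C 0H 2M 6L", "0C 0H 0M 0L"))                 # threshold High
    print(should_recommend("0C 0H 2M 6L", "0C 0H 0M 0L", threshold="L"))  # threshold Low
```

Under this policy a candidate whose counts are higher than the current tag's is never suggested, whatever the threshold.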

Collaborator

rcjsuen commented May 7, 2025

@cdupuis Could you share your thoughts on how best to approach this?


cdupuis commented May 7, 2025

The missing CVEs on ubuntu:25.04 and ubuntu:24.10 are fixed now:

Image

Author

willie commented May 8, 2025

I think that proves that it is a broken recommendation because the number of vulnerabilities in the "recommended" images are higher. And, still LTS.

Collaborator

rcjsuen commented May 8, 2025

@willie I reproduced your concern about LTS vs unstable from the command line so I opened https://github.com/docker/scout-cli-plugin/issues/700.

Author

willie commented May 8, 2025

@rcjsuen Thanks! I would subscribe to that issue, but I don't have access to that repo.

Collaborator

rcjsuen commented May 8, 2025

> Thanks! I would subscribe to that issue, but I don't have access to that repo.

Sorry about that and thanks for catching that. I forgot about that little detail. I opened docker/scout-cli#187 which is a public GitHub repository. 👍
