The same as Fluentd's security policy.
See Supported Versions in Fluentd
If you find a vulnerability in docker.io/fluent/fluentd:SOMETHING with the default configuration, report it from the following page:
Important
fluentd-docker-image images are downstream of the ruby or alpine container images. Thus, even when a security scanner reports a pile of vulnerabilities, an updated container image can't be shipped until an updated container image is available from upstream first.
- If you find that bundled Ruby gems related to fluentd-daemonset-SOMETHING have vulnerabilities, please report them to fluentd-kubernetes-daemonset.
- Vulnerabilities in components other than Ruby gems should be fixed in the upstream container image, so PLEASE check https://security-tracker.debian.org/tracker/ in advance.
Note
In most cases, even though a security scanner reports vulnerabilities, they are false positives because fluentd doesn't use the vulnerable component.