I am assuming that most if not all of those vulnerabilities are reported on packages that are installed in the Ubuntu base image, not Couchbase Server itself. In most cases those are not exploitable vulnerabilities because the container will not run any processes from those packages.
If you would like to improve the report, here are a couple of ideas. First, check that you’ve locally pulled the latest ubuntu:16.04 base image before building your own image (run “docker pull ubuntu:16.04”). That will ensure that you have the latest security fixes from Ubuntu.
If that doesn’t reduce the number of reports to your liking, you could try modifying the Dockerfile to be based on Ubuntu 18.04. To do this, you would need to also change the ARG CB_PACKAGE line to refer to ubuntu18.04, as well as the ARG CB_SHA256 line to be c4951cdab01759020444e4648023721ae3a333257591252475d34d5fc6ac8857. Finally, add the following line:
RUN cp -a /etc/runit/2 /usr/sbin/runsvdir-start
somewhere after the initial “RUN apt-get update…” command near the top of the file. I just tested with these changes and the image builds and runs successfully. Be aware this isn’t “supported” as we don’t run our Quality Assurance process on this configuration. But I presume that Ubuntu 18.04 will have fewer concerning security vulnerabilities to report.
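The Dockerfile edits described in the post above, as an added example that is not part of the original post or of Couchbase's own tooling: a filter that retargets the base image, package name and checksum, and inserts the runsvdir-start line after the complete first "RUN apt-get update" instruction even when that instruction spans several lines. The function names, the "FROM ubuntu:16.04" and "ARG NAME=value" line forms, and the sample Dockerfile are assumptions; only the checksum and the inserted RUN line come from the post.

```shell
#!/bin/sh
# Added example: apply the Dockerfile edits described in the post.
# The checksum is the value quoted in the post; function names are hypothetical.
NEW_SHA256=c4951cdab01759020444e4648023721ae3a333257591252475d34d5fc6ac8857

# Filter: reads a Dockerfile on stdin, writes the retargeted one to stdout.
# Assumes "FROM ubuntu:16.04" and "ARG NAME=value" line forms.
# Exits 3 if no "RUN apt-get update" instruction was found to anchor on.
retarget_dockerfile() {
    awk -v sha="$NEW_SHA256" '
    /^FROM[ \t]+ubuntu:16\.04/ { sub(/16\.04/, "18.04") }
    /^ARG[ \t]+CB_PACKAGE=/    { sub(/ubuntu16\.04/, "ubuntu18.04") }
    /^ARG[ \t]+CB_SHA256=/     { $0 = "ARG CB_SHA256=" sha }
    { print }
    # Find the first apt-get update instruction, then wait for its last
    # line (no trailing backslash) so a multi-line RUN is not split.
    !done && !inrun && /^RUN[ \t]+apt-get update/ { inrun = 1 }
    inrun && !/\\[ \t]*$/ {
        print "RUN cp -a /etc/runit/2 /usr/sbin/runsvdir-start"
        inrun = 0; done = 1
    }
    END { if (!done) exit 3 }
    '
}

# Constructed sample input, not the real Couchbase Dockerfile.
sample_dockerfile() {
    cat <<'EOF'
FROM ubuntu:16.04
RUN apt-get update && \
    apt-get install -y runit wget && \
    rm -rf /var/lib/apt/lists/*
ARG CB_PACKAGE=example-server_0.0.0-ubuntu16.04_amd64.deb
ARG CB_SHA256=0000000000000000000000000000000000000000000000000000000000000000
EOF
}

# Usage: retarget_dockerfile < Dockerfile > Dockerfile.ubuntu18.04
if [ "${1:-}" = "--demo" ]; then
    sample_dockerfile | retarget_dockerfile
fi
```

Review the generated file before building; a non-zero exit means the anchor instruction was not found and the runsvdir-start line was not added.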