Reputation: 31
We are using Google Cloud Data Fusion's open source CDAP image from GCR: gcr.io/cdapio/cdap:6.10.0 or gcr.io/cdapio/cdap:6.9.1.
Upon scanning the image with Sysdig, BlackDuck or any other vulnerability scanning tool, several critical and high vulnerabilities are identified. Most of them can be solved by a version bump of libraries, e.g. git, java1.8 (screenshot below).
I can see the source code repos cdapio/cdap-build and cdapio/cdap, but I am not sure where, and in which Dockerfile, to start modifying the library versions:
There is one in cdapio/cdap-build: https://github.com/cdapio/cdap-build/blob/develop/Dockerfile
There is one in cdapio/cdap/distributions: https://github.com/cdapio/cdap/blob/develop/cdap-distributions/src/Dockerfile
I don't mind checking out the source code and modifying pom.xml to bump library versions, but I need some guidance on where to start. There are submodules called within these cdapio/build and cdapio/cdap repos, for example cdap-ui, cdap-security-spi etc., so I am not exactly sure where to start making changes.
I need help, please. Can someone direct me to the right path or refer me to a document about building the CDAP image from source code?
Thanks.
I'm expecting an answer about where the Dockerfile to build the CDAP image from source code is. This way I can start looking at and modifying the versions of libraries and build the new CDAP image.
Upvotes: 0
Views: 31