Update blueprint images dependencies to fix reported vulnerabilities #2523

Merged
merged 1 commit into from
Jan 10, 2024

hairyhum
Contributor

@hairyhum hairyhum commented Dec 8, 2023

Change Overview

  • Update base images for cassandra, kafka, mongodb and postgres
  • Build go libs in kanister-tools image to move them into blueprint images
  • Remove unused tools with vulnerabilities (e.g. npm packages in elasticsearch image)
  • Expand vulnerability report tool output to show more information

NOTE: these changes address some reports, while some base images still have vulnerabilities which would take too much effort to address.

Pull request type

Please check the type of change your PR introduces:

  • 🚧 Work in Progress
  • 🌈 Refactoring (no functional changes, no api changes)
  • 🐹 Trivial/Minor
  • 🐛 Bugfix
  • 🌻 Feature
  • 🗺️ Documentation
  • 🤖 Test

Issues

Test Plan

Build images:

docker buildx build --platform linux/amd64 . -f docker/tools/Dockerfile -t tools
docker buildx build --platform linux/amd64 . -f docker/cassandra/Dockerfile --build-arg=TOOLS_IMAGE=tools -t cassandra
docker buildx build --platform linux/amd64 . -f docker/kafka-adobes3Connector/image/adobeSink.Dockerfile -t kafka-sink
docker buildx build --platform linux/amd64 . -f docker/kafka-adobes3Connector/image/adobeSource.Dockerfile -t kafka-source
docker buildx build --platform linux/amd64 . -f docker/kanister-elasticsearch/image/Dockerfile --build-arg=TOOLS_IMAGE=tools -t elastic
docker buildx build --platform linux/amd64 . -f docker/mongodb/Dockerfile --build-arg=TOOLS_IMAGE=tools -t mongodb
docker buildx build --platform linux/amd64 . -f docker/postgres-kanister-tools/Dockerfile --build-arg=TOOLS_IMAGE=tools  -t postgres

Check them with grype (grype should be installed):

grype --only-fixed tools
grype --only-fixed cassandra
grype --only-fixed kafka-sink
grype --only-fixed kafka-source
grype --only-fixed elastic
grype --only-fixed mongodb
grype --only-fixed postgres

Images for cassandra and kafka would still have some vulnerabilities in the java packages.

  • 💪 Manual
  • ⚡ Unit test
  • 💚 E2E
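
An added example, not part of the pull request or the project's own code, for triaging the scan step of the test plan above: it reads a report in the JSON shape that `grype -o json` emits and keeps only matches that have a published fix at or above a severity threshold. The sample report, package names and vulnerability ids are constructed placeholders, and the field names (`matches`, `vulnerability.severity`, `vulnerability.fix`, `artifact`) are assumed from grype's JSON output.

```python
import json

# Severity ordering used for the threshold comparison (lowest to highest).
SEVERITY_ORDER = ["unknown", "negligible", "low", "medium", "high", "critical"]

# Constructed sample in the shape of `grype -o json <image>` output.
# Package names, versions and vulnerability ids are placeholders.
SAMPLE_REPORT = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-EXAMPLE-0001", "severity": "Critical",
                       "fix": {"state": "fixed", "versions": ["2.0.1"]}},
     "artifact": {"name": "example-java-lib", "version": "2.0.0", "type": "java-archive"}},
    {"vulnerability": {"id": "CVE-EXAMPLE-0002", "severity": "High",
                       "fix": {"state": "not-fixed", "versions": []}},
     "artifact": {"name": "example-java-lib", "version": "2.0.0", "type": "java-archive"}},
    {"vulnerability": {"id": "CVE-EXAMPLE-0003", "severity": "Low",
                       "fix": {"state": "fixed", "versions": ["1.4.3"]}},
     "artifact": {"name": "example-npm-pkg", "version": "1.4.2", "type": "npm"}},
    {"vulnerability": {"id": "CVE-EXAMPLE-0004", "severity": "High",
                       "fix": {"state": "fixed", "versions": ["1.21.5"]}},
     "artifact": {"name": "example-go-module", "version": "1.20.0", "type": "go-module"}},
]})

def severity_rank(name):
    """Map a severity string to its rank; unrecognised values rank lowest."""
    name = (name or "unknown").lower()
    return SEVERITY_ORDER.index(name) if name in SEVERITY_ORDER else 0

def fixable_findings(report_json, min_severity="high"):
    """Return fixable matches at or above min_severity, worst first."""
    threshold = severity_rank(min_severity)
    findings = []
    for match in json.loads(report_json).get("matches", []):
        vuln = match.get("vulnerability", {})
        fix = vuln.get("fix") or {}
        # Same intent as --only-fixed: skip matches with no published fix.
        if fix.get("state") != "fixed" or not fix.get("versions"):
            continue
        if severity_rank(vuln.get("severity")) < threshold:
            continue
        art = match.get("artifact", {})
        findings.append({"id": vuln.get("id"), "severity": vuln.get("severity"),
                         "package": art.get("name"), "installed": art.get("version"),
                         "type": art.get("type"), "fixed_in": fix["versions"]})
    return sorted(findings, key=lambda f: severity_rank(f["severity"]), reverse=True)

if __name__ == "__main__":
    for f in fixable_findings(SAMPLE_REPORT):
        print(f"{f['severity']:9} {f['id']} {f['package']} {f['installed']} -> {', '.join(f['fixed_in'])}")
```

Grouping the result by `type` separates findings that a base-image update resolves from those in bundled language packages, such as the java packages the test plan says remain in the cassandra and kafka images.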

@hairyhum hairyhum requested a review from ankitjain235 December 8, 2023 21:23
@hairyhum hairyhum changed the title Update bluepring images dependencies to fix reported vulnerabilities Update blueprint images dependencies to fix reported vulnerabilities Dec 11, 2023
@hairyhum hairyhum force-pushed the image-vulnerability-updates branch from 8eab9ee to d2f3c33 Compare December 11, 2023 17:53
@pavannd1 pavannd1 requested review from PrasadG193 and viveksinghggits and removed request for mellon-collie and ankitjain235 December 20, 2023 00:32
@pavannd1 pavannd1 added the kueue label Jan 9, 2024
Update base images
Build go libs in kanister-tools image
Remove unused tools with vulnerabilities

Expand vulnerability report tool output to show more information
@hairyhum hairyhum force-pushed the image-vulnerability-updates branch from d2f3c33 to a0f4ccd Compare January 10, 2024 11:04
@hairyhum hairyhum merged commit 90771b9 into master Jan 10, 2024
13 of 14 checks passed
@hairyhum hairyhum deleted the image-vulnerability-updates branch January 10, 2024 11:21
Projects
Status: Done
2 participants