Update blueprint images dependencies to fix reported vulnerabilities #2523

Merged
merged 1 commit into from
Jan 10, 2024

@hairyhum hairyhum commented Dec 8, 2023

Change Overview

  • Update base images for cassandra, kafka, mongodb and postgres
  • Build go libs in kanister-tools image to move them into blueprint images
  • Remove unused tools with vulnerabilities (e.g. npm packages in elasticsearch image)
  • Expand vulnerability report tool output to show more information

NOTE: these changes address some reports, while some base images still have vulnerabilities which would take too much effort to address.

Pull request type

Please check the type of change your PR introduces:

  • 🚧 Work in Progress
  • 🌈 Refactoring (no functional changes, no api changes)
  • 🐹 Trivial/Minor
  • 🐛 Bugfix
  • 🌻 Feature
  • 🗺️ Documentation
  • 🤖 Test

Issues

Test Plan

Build images:

docker buildx build --platform linux/amd64 . -f docker/tools/Dockerfile -t tools
docker buildx build --platform linux/amd64 . -f docker/cassandra/Dockerfile --build-arg=TOOLS_IMAGE=tools -t cassandra
docker buildx build --platform linux/amd64 . -f docker/kafka-adobes3Connector/image/adobeSink.Dockerfile -t kafka-sink
docker buildx build --platform linux/amd64 . -f docker/kafka-adobes3Connector/image/adobeSource.Dockerfile -t kafka-source
docker buildx build --platform linux/amd64 . -f docker/kanister-elasticsearch/image/Dockerfile --build-arg=TOOLS_IMAGE=tools -t elastic
docker buildx build --platform linux/amd64 . -f docker/mongodb/Dockerfile --build-arg=TOOLS_IMAGE=tools -t mongodb
docker buildx build --platform linux/amd64 . -f docker/postgres-kanister-tools/Dockerfile --build-arg=TOOLS_IMAGE=tools -t postgres

Check them with grype (grype should be installed):

grype --only-fixed tools
grype --only-fixed cassandra
grype --only-fixed kafka-sink
grype --only-fixed kafka-source
grype --only-fixed elastic
grype --only-fixed mongodb
grype --only-fixed postgres

Images for cassandra and kafka would still have some vulnerabilities in the java packages.

  • 💪 Manual
  • ⚡ Unit test
  • 💚 E2E

@infraq infraq added this to In Progress in Kanister Dec 8, 2023
@hairyhum hairyhum changed the title Update bluepring images dependencies to fix reported vulnerabilities Update blueprint images dependencies to fix reported vulnerabilities Dec 11, 2023
@pavannd1 pavannd1 requested review from PrasadG193 and viveksinghggits and removed request for mellon-collie and ankitjain235 December 20, 2023 00:32
Kanister automation moved this from In Progress to Reviewer approved Jan 9, 2024
@pavannd1 pavannd1 added the kueue label Jan 9, 2024
Update base images
Build go libs in kanister-tools image
Remove unused tools with vulnerabilities

Expand vulnerability report tool output to show more information
@hairyhum hairyhum merged commit 90771b9 into master Jan 10, 2024
13 of 14 checks passed
Kanister automation moved this from Reviewer approved to Done Jan 10, 2024
@hairyhum hairyhum deleted the image-vulnerability-updates branch January 10, 2024 11:21
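
The grype step in the test plan above can be triaged per package type, which shows at a glance whether the remaining fixable findings sit in the java packages. This is an added example, not code from the pull request or from Kanister; it assumes a report saved with `grype <image> -o json`, and the function names and the sample report are constructed for illustration.

```python
import json
from collections import Counter

# Constructed sample shaped like `grype <image> -o json` output; IDs, package
# names and versions are placeholders, not real scan results.
SAMPLE_REPORT = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-XXXX-0001", "severity": "High",
                       "fix": {"versions": ["2.0.1"], "state": "fixed"}},
     "artifact": {"name": "example-java-lib", "version": "2.0.0", "type": "java-archive"}},
    {"vulnerability": {"id": "CVE-XXXX-0002", "severity": "Critical",
                       "fix": {"versions": ["2.0.2"], "state": "fixed"}},
     "artifact": {"name": "example-java-lib", "version": "2.0.0", "type": "java-archive"}},
    {"vulnerability": {"id": "CVE-XXXX-0003", "severity": "Medium",
                       "fix": {"versions": ["0.17.0"], "state": "fixed"}},
     "artifact": {"name": "example.org/go/mod", "version": "v0.16.0", "type": "go-module"}},
    {"vulnerability": {"id": "CVE-XXXX-0004", "severity": "Low",
                       "fix": {"versions": [], "state": "not-fixed"}},
     "artifact": {"name": "example-deb", "version": "1.0-1", "type": "deb"}},
]})

SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "Negligible", "Unknown"]

def severity_rank(severity):
    """Lower rank sorts first; unrecognised severities sort last."""
    return SEVERITY_ORDER.index(severity) if severity in SEVERITY_ORDER else len(SEVERITY_ORDER)

def fixable_findings(report_json):
    """Keep only matches whose fix state is "fixed", as --only-fixed does."""
    findings = []
    for match in json.loads(report_json).get("matches", []):
        vuln, artifact = match["vulnerability"], match["artifact"]
        fix = vuln.get("fix") or {}
        if fix.get("state") != "fixed":
            continue
        findings.append({
            "id": vuln["id"],
            "severity": vuln.get("severity", "Unknown"),
            "package": f'{artifact["name"]}@{artifact["version"]}',
            "type": artifact.get("type", "unknown"),
            "fixed_in": fix.get("versions", []),
        })
    return sorted(findings, key=lambda f: (severity_rank(f["severity"]), f["package"], f["id"]))

def count_by_package_type(findings):
    """Count fixable findings per package type (e.g. java-archive, go-module)."""
    return dict(Counter(f["type"] for f in findings))

if __name__ == "__main__":
    for f in fixable_findings(SAMPLE_REPORT):
        print(f'{f["severity"]:<9}{f["type"]:<14}{f["package"]:<30}{f["id"]} fixed in {", ".join(f["fixed_in"])}')
    print(count_by_package_type(fixable_findings(SAMPLE_REPORT)))
```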