Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

✨ move to cgr base image #4113

Merged
merged 1 commit into from
Jun 14, 2024
Merged

✨ move to cgr base image #4113

merged 1 commit into from
Jun 14, 2024

Conversation

naveensrinivasan
Copy link
Member

@naveensrinivasan naveensrinivasan commented May 18, 2024

  • Move the static cgr.dev base image as it has less foot print and zero vuln.

cgr.dev

➜  scorecard git:(main) ✗ grype docker.io/library/scorecard
 ✔ Vulnerability DB                [no update available]
 ✔ Loaded image                                                                                                    index.docker.io/library/scorecard:latest
 ✔ Parsed image                                                                     sha256:9dc0b3a5edf538cc6e7cb559a037a4076ac68f1fca0010049da9f6111addd339
 ✔ Cataloged contents                                                                      4e28f40763377e1ffe75bfd4400e924ef62cf04db7b5b136338a932569afa3c8
   ├── ✔ Packages                        [121 packages]
   ├── ✔ File digests                    [397 files]
   ├── ✔ File metadata                   [397 locations]
   └── ✔ Executables                     [1 executables]
 ✔ Scanned for vulnerabilities     [0 vulnerability matches]
   ├── by severity: 0 critical, 0 high, 0 medium, 0 low, 0 negligible
   └── by status:   0 fixed, 0 not-fixed, 0 ignored
No vulnerabilities found

distroless

➜  scorecard git:(main) grype 53597ab312e4
 ✔ Vulnerability DB                [no update available]
 ✔ Loaded image                                                                                                                                53597ab312e4
 ✔ Parsed image                                                                     sha256:53597ab312e4cfc07ed88464de08d020ad23eed32f6b32c8ec3e04449fd67780
 ✔ Cataloged contents                                                                      cf00f3cc9f38cc71a23039d27febd8b68b0aba92a152d8c48f66f9b0f5263065
   ├── ✔ Packages                        [121 packages]
   ├── ✔ File digests                    [1,227 files]
   ├── ✔ File metadata                   [1,227 locations]
   └── ✔ Executables                     [279 executables]
 ✔ Scanned for vulnerabilities     [15 vulnerability matches]
   ├── by severity: 0 critical, 0 high, 3 medium, 0 low, 9 negligible (3 unknown)
   └── by status:   0 fixed, 15 not-fixed, 0 ignored
NAME     INSTALLED         FIXED-IN     TYPE  VULNERABILITY     SEVERITY
libc6    2.36-9+deb12u7                 deb   CVE-2019-9192     Negligible
libc6    2.36-9+deb12u7                 deb   CVE-2019-1010025  Negligible
libc6    2.36-9+deb12u7                 deb   CVE-2019-1010024  Negligible
libc6    2.36-9+deb12u7                 deb   CVE-2019-1010023  Negligible
libc6    2.36-9+deb12u7                 deb   CVE-2019-1010022  Negligible
libc6    2.36-9+deb12u7                 deb   CVE-2018-20796    Negligible
libc6    2.36-9+deb12u7                 deb   CVE-2010-4756     Negligible
libssl3  3.0.11-1~deb12u2  (won't fix)  deb   CVE-2024-0727     Medium
libssl3  3.0.11-1~deb12u2  (won't fix)  deb   CVE-2023-6129     Medium
libssl3  3.0.11-1~deb12u2  (won't fix)  deb   CVE-2023-5678     Medium
libssl3  3.0.11-1~deb12u2               deb   CVE-2010-0928     Negligible
libssl3  3.0.11-1~deb12u2               deb   CVE-2007-6755     Negligible
libssl3  3.0.11-1~deb12u2  (won't fix)  deb   CVE-2024-4603     Unknown
libssl3  3.0.11-1~deb12u2  (won't fix)  deb   CVE-2024-2511     Unknown
libssl3  3.0.11-1~deb12u2  (won't fix)  deb   CVE-2023-6237     Unknown

What kind of change does this PR introduce?

(Is it a bug fix, feature, docs update, something else?)

What is the current behavior?

What is the new behavior (if this is a feature change)?**

  • Tests for the changes have been added (for bug fixes/features)

Which issue(s) this PR fixes

Special notes for your reviewer

Does this PR introduce a user-facing change?

For user-facing changes, please add a concise, human-readable release note to
the release-note

(In particular, describe what changes users might need to make in their
application as a result of this pull request.)


@naveensrinivasan naveensrinivasan requested a review from a team as a code owner May 18, 2024 19:15
@naveensrinivasan naveensrinivasan requested review from justaugustus and spencerschrock and removed request for a team May 18, 2024 19:15
Copy link
Member

@justaugustus justaugustus left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@justaugustus justaugustus enabled auto-merge (squash) May 18, 2024 21:03
@spencerschrock
Copy link
Member

Just FYI this was discussed in the past. Linking for historical context I think this falls under the "if a majority of maintainers want to" part of Azeem's comment.
#2593 (review) and #2593 (comment)

@naveensrinivasan — Nice! Would you mind making similar changes for our other projects? e.g., https://github.com/ossf/scorecard-action/blob/c64f0a7231aa68a6849c2b65bf16af3daa23d3e6/Dockerfile#L38

I dont think we can do it for scorecard-action, #2593 (comment)

@naveensrinivasan
Copy link
Member Author

Just FYI this was discussed in the past. Linking for historical context I think this falls under the "if a majority of maintainers want to" part of Azeem's comment. #2593 (review) and #2593 (comment)

@naveensrinivasan — Nice! Would you mind making similar changes for our other projects? e.g., https://github.com/ossf/scorecard-action/blob/c64f0a7231aa68a6849c2b65bf16af3daa23d3e6/Dockerfile#L38

I dont think we can do it for scorecard-action, #2593 (comment)

@spencerschrock Do you have concerns about merging it?

@spencerschrock
Copy link
Member

spencerschrock commented May 24, 2024

@spencerschrock Do you have concerns about merging it?

My only blocking concern would be to not do this for Scorecard Action due to lack of root, but this PR doesn't touch that.

Changing from distroless:base to either cgr:static or distroless:static does reduce the size of the docker images in both cases by 33%. I don't think the vulns in distroless:base are relevant as we statically compile and don't need libc or libssl, and switching to distroless:static would take care of those too.

From a "change as few things as needed" perspective, I have a slight preference to distroless:static if we're going to change, but happy to try either.

Copy link

github-actions bot commented Jun 4, 2024

This pull request has been marked stale because it has been open for 10 days with no activity

@github-actions github-actions bot added the Stale label Jun 4, 2024
- Move the static cgr.dev base image as it has less foot print and zero
  vuln.

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
@justaugustus justaugustus merged commit c7821b6 into main Jun 14, 2024
36 checks passed
@justaugustus justaugustus deleted the naveen/feat/cgr-static branch June 14, 2024 16:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
Status: Done
Development

Successfully merging this pull request may close these issues.

3 participants