
[REQ] investigate wolfi based images #38

Closed
sozercan opened this issue Feb 15, 2023 · 4 comments

Comments

@sozercan
Member

sozercan commented Feb 15, 2023

What kind of request is this?

New feature

What is your request or suggestion?

investigate wolfi based images https://github.com/chainguard-images/images#chainguard-images

cgr.dev/chainguard/go:1.19.4 (fixable vulns in git, openssl, libcrypto)

cgr.dev/chainguard/cc-dynamic
cgr.dev/chainguard/static
...

will they be similar to distroless/debian or alpine?

@MiahaCybersec
Contributor

MiahaCybersec commented May 15, 2024

I've been looking into Wolfi based images and so far I've discovered the following:

  • Wolfi-base utilizes the APK package manager, but the rest of the Wolfi images are completely distroless with no package manager
  • As of March 2024, Chainguard restricts the public to only pulling the latest image which will clash with our tests which default to failing if there's nothing to patch; this makes debugging harder since we can't force pull outdated images to test patching
  • Chainguard does daily builds for all of their images to ensure the latest packages are always used
  • Chainguard strongly recommends utilizing an automatic update system such as Watchtower, and in such setups Copa could be considered redundant

Due to the above issues, would Wolfi be considered out of scope of the Copa project? Additional input on this issue would be appreciated.

@sozercan
Member Author

sozercan commented May 15, 2024

For the tests, we always pin to a digest and tag is used for human readability.

Re: distroless, this is not an issue for copa, copa supports patching distroless images.

For example, cgr.dev/chainguard/nginx:latest@sha256:81bed54c9e507503766c0f8f030f869705dae486f37c2a003bb5b12bcfcc713f has vulnerabilities.

Copa would still be valuable if there's an intermediate image built from the base image. Say, someone creates a new image from a wolfi-based image, and then another build depends on the previous image. Copa will allow users to take action directly, instead of waiting for the intermediate image to be updated or rebuilding it themselves.

I think this would be in scope for copa, but low priority, since we haven't heard any user ask for this.

@MiahaCybersec
Contributor

There's a little issue with supporting Wolfi images, but additional input would be appreciated here. Below is a direct quote from Chainguard themselves, hidden away in their docs:

Mixing packages with other distributions is not supported and can create security problems. Although both Wolfi and Alpine use the apk package manager, packages are not compatible with each other.

In another part of their docs:

Can I mix Alpine and Wolfi package repositories to create my melange build environment?
No, it’s not possible to mix Alpine apks with Wolfi apks. If you have unmet dependencies, you’ll need to build those first as separate packages.

I think the best approach here in the future if we were to add Wolfi support would be to add it as its own separate package manager in pkgmgr.go. Wolfi requires all APK packages to be built using melange, so we'd effectively be required to scan a Wolfi image; if there are any vulnerabilities, it would need to generate a melange.yaml file and build it, and then inject them into the Wolfi container.

More information on melange can be found here.
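As an added example (written for this thread, not code from Copa or Chainguard), the following Go program sketches the two pre-flight checks the discussion above argues for: sozercan's point that test and patch jobs must pin the image to a digest rather than trust a mutable tag, and the Chainguard warning quoted here that Alpine and Wolfi apks must never be mixed, which means a patcher has to detect which distribution it is looking at before choosing a package source. Go is used because Copa's package-manager logic lives in pkgmgr.go. The function names, the sample os-release contents, and the repository hostnames used to classify package sources (packages.wolfi.dev, dl-cdn.alpinelinux.org) are my assumptions, not Copa APIs; the digest-pinned reference is the one from the comment above.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Distro is the base distribution identified from an image's /etc/os-release.
type Distro string

const (
	DistroWolfi   Distro = "wolfi"
	DistroAlpine  Distro = "alpine"
	DistroUnknown Distro = "unknown"
)

// SampleWolfiOSRelease is a constructed os-release file for a Wolfi-based image
// (assumed layout: Wolfi sets ID=wolfi, Alpine sets ID=alpine).
const SampleWolfiOSRelease = "ID=wolfi\nNAME=\"Wolfi\"\nPRETTY_NAME=\"Wolfi\"\nVERSION_ID=\"20230201\"\n"

// A valid OCI digest for our purposes is sha256 followed by 64 hex digits.
var digestRe = regexp.MustCompile(`^sha256:[0-9a-f]{64}$`)

// ImageRef is a container image reference split into its parts.
type ImageRef struct {
	Name   string // registry/repository, e.g. cgr.dev/chainguard/nginx
	Tag    string // human-readable tag; may be empty
	Digest string // sha256:...; empty when the reference is not pinned
}

// ParseRef splits "name[:tag][@digest]" and validates the digest format.
// A ':' after the last '/' is a tag separator; an earlier one is a registry port.
func ParseRef(ref string) (ImageRef, error) {
	var r ImageRef
	rest := ref
	if i := strings.LastIndex(rest, "@"); i >= 0 {
		r.Digest = rest[i+1:]
		rest = rest[:i]
		if !digestRe.MatchString(r.Digest) {
			return r, fmt.Errorf("malformed digest %q", r.Digest)
		}
	}
	slash := strings.LastIndex(rest, "/")
	if i := strings.LastIndex(rest, ":"); i > slash {
		r.Tag = rest[i+1:]
		rest = rest[:i]
	}
	if rest == "" {
		return r, errors.New("empty image name")
	}
	r.Name = rest
	return r, nil
}

// RequirePinned enforces the digest-pinning policy: tags such as :latest are
// mutable, so a test or patch job must name the exact manifest it operates on.
func RequirePinned(ref string) (ImageRef, error) {
	r, err := ParseRef(ref)
	if err != nil {
		return r, err
	}
	if r.Digest == "" {
		return r, fmt.Errorf("%s is not pinned to a digest", ref)
	}
	return r, nil
}

// DetectDistro reads the ID= field from os-release contents.
func DetectDistro(osRelease string) Distro {
	sc := bufio.NewScanner(strings.NewReader(osRelease))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if !strings.HasPrefix(line, "ID=") {
			continue
		}
		switch strings.Trim(strings.TrimPrefix(line, "ID="), `"'`) {
		case "wolfi":
			return DistroWolfi
		case "alpine":
			return DistroAlpine
		}
	}
	return DistroUnknown
}

// CheckRepoCompat rejects package repositories that do not belong to the detected
// distribution, so a Wolfi image is never patched from Alpine's apk repositories
// (or vice versa), and an unidentified base gets no package manager at all.
func CheckRepoCompat(d Distro, repos []string) error {
	for _, repo := range repos {
		isWolfi := strings.Contains(repo, "packages.wolfi.dev")   // assumed Wolfi host
		isAlpine := strings.Contains(repo, "alpinelinux.org")     // assumed Alpine host
		switch {
		case d == DistroUnknown:
			return fmt.Errorf("unknown distribution; refusing to select a package manager for %q", repo)
		case d == DistroWolfi && !isWolfi:
			return fmt.Errorf("refusing non-Wolfi repository %q for a Wolfi image", repo)
		case d == DistroAlpine && !isAlpine:
			return fmt.Errorf("refusing non-Alpine repository %q for an Alpine image", repo)
		}
	}
	return nil
}

func main() {
	ref := "cgr.dev/chainguard/nginx:latest@sha256:81bed54c9e507503766c0f8f030f869705dae486f37c2a003bb5b12bcfcc713f"
	r, err := RequirePinned(ref)
	fmt.Println(r.Name, r.Tag, err)
	d := DetectDistro(SampleWolfiOSRelease)
	fmt.Println(d, CheckRepoCompat(d, []string{"https://dl-cdn.alpinelinux.org/alpine/v3.19/main"}))
}
```

The repository check is deliberately a hard failure rather than a warning: the Chainguard statement above says mixing is a security problem, not merely unsupported, so a patcher that cannot prove it is using the matching package source should stop before touching the image.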

@MiahaCybersec
Contributor

After investigation, the Copa team has decided that Wolfi support will not be added due to how complex the implementation would have to be. Docs will be updated to indicate this and the issue will be closed out 🙂
