
Update images to address CVEs 24.01.23 #109

Closed
i-chvets opened this issue Jan 24, 2023 · 7 comments
Assignees
Labels
bug Something isn't working

Comments

@i-chvets
Contributor

i-chvets commented Jan 24, 2023

Address CVEs 24.01.23

Initial CVE scans report

All images rebuilt in current state as of 24.01.23

CRITICAL=39 HIGH=188 MEDIUM=573 LOW=34
Excluding builder images
CRITICAL=11 HIGH=97 MEDIUM=496 LOW=16

Initial detailed report per image

| IMAGE | BASE | CRITICAL | HIGH | MEDIUM | LOW |
|---|---|---:|---:|---:|---:|
| notebook-controller:v1.6.1 | debian:11.6 | 0 | 6 | 2 | 0 |
| jupyter-web-app:v1.6.1 | debian:10.13 | 1 | 1 | 0 | 0 |
| jupyter-tensorflow-cuda-full:v1.6.1 | ubuntu:20.04 | 2 | 38 | 149 | 4 |
| jupyter-tensorflow-full:v1.6.1 | ubuntu:20.04 | 0 | 6 | 98 | 4 |
| jupyter-tensorflow-cuda:v1.6.1 | ubuntu:20.04 | 2 | 38 | 149 | 4 |
| jupyter-tensorflow:v1.6.1 | ubuntu:20.04 | 0 | 6 | 98 | 4 |
| jupyter-pytorch-cuda-full:v1.6.1 | ubuntu:20.04 | 1 | 0 | 0 | 0 |
| jupyter-pytorch-full:v1.6.1 | ubuntu:20.04 | 1 | 0 | 0 | 0 |
| jupyter-pytorch-cuda:v1.6.1 | ubuntu:20.04 | 1 | 0 | 0 | 0 |
| jupyter-pytorch:v1.6.1 | ubuntu:20.04 | 1 | 0 | 0 | 0 |
| jupyter-scipy:v1.6.1 | ubuntu:20.04 | 1 | 1 | 0 | 0 |
| jupyter:v1.6.1 | ubuntu:20.04 | 0 | 0 | 0 | 0 |
| base:v1.6.1 | ubuntu:20.04 | 0 | 0 | 0 | 0 |
| gcr.io/distroless/base:debug (base) | debian:11.6 | 0 | 0 | 0 | 0 |
| ubuntu:20.04 (base) | ubuntu:20.04 | 0 | 0 | 0 | 0 |
| python:3.7-slim-buster (builder/base) | debian:10.13 | 1 | 1 | 0 | 0 |
| golang:1.17 (builder) | debian:11.4 | 15 | 70 | 66 | 13 |
| node:12-buster-slim (builder) | debian:10.12 | 13 | 21 | 11 | 5 |
| Totals: | | 39 | 188 | 573 | 34 |

Implementation details

  • Some images included in the scans are used only to build the component; packaging is done using a base image, which might be different.
  • The v1.17 vs v1.19 changes caused a problem in the go mod download command:
    If the main module's go.mod file specifies go 1.17 or higher, go mod download without arguments now downloads source code for only the modules explicitly required in the main module's go.mod file. (In a go 1.17 or higher module, that set already includes all dependencies needed to build the packages and tests in the main module.) To also download source code for transitive dependencies, use go mod download all.
    Had to change to go mod download all to build the container properly.

Testing

Integration testing needs to pass after any updates.

@i-chvets i-chvets self-assigned this Jan 24, 2023
@i-chvets i-chvets added the bug Something isn't working label Jan 24, 2023
@i-chvets i-chvets changed the title Update images to address CVEs Update images to address CVEs 23.01.23 Jan 25, 2023
@i-chvets i-chvets changed the title Update images to address CVEs 23.01.23 Update images to address CVEs 24.01.23 Jan 25, 2023
@i-chvets
Contributor Author

Trivy report as of 24.01.23.
trivy-reports.zip

i-chvets pushed a commit that referenced this issue Jan 25, 2023
#109

Summary of changes:
- Updated image definitions in kubeflow/ to resolve some CVEs
i-chvets pushed a commit that referenced this issue Jan 25, 2023
#109

Summary of changes:
- Updated Dockerfile for jupyter-pytorch.
@i-chvets
Contributor Author

i-chvets commented Jan 25, 2023

Applied suggested fixes.

Detailed report per image
Tag: v1.6.1
Date: 2023.1.25
CVEs per image:

| IMAGE | BASE | CRITICAL | HIGH | MEDIUM | LOW |
|---|---|---:|---:|---:|---:|
| notebook-controller:v1.6.1 | debian:11.6 | 0 | 6 | 2 | 0 |
| jupyter-web-app:v1.6.1 | debian:11.6 | 0 | 1 | 0 | 0 |
| jupyter-tensorflow-cuda-full:v1.6.1 | ubuntu:20.04 | 0 | 0 | 0 | 4 |
| jupyter-tensorflow-full:v1.6.1 | ubuntu:20.04 | 0 | 6 | 98 | 8 |
| jupyter-tensorflow-cuda:v1.6.1 | ubuntu:20.04 | 0 | 0 | 0 | 4 |
| jupyter-tensorflow:v1.6.1 | ubuntu:20.04 | 0 | 6 | 98 | 8 |
| jupyter-pytorch-cuda-full:v1.6.1 | ubuntu:20.04 | 1 | 0 | 0 | 4 |
| jupyter-pytorch-full:v1.6.1 | ubuntu:20.04 | 1 | 0 | 0 | 4 |
| jupyter-pytorch-cuda:v1.6.1 | ubuntu:20.04 | 1 | 0 | 0 | 4 |
| jupyter-pytorch:v1.6.1 | ubuntu:20.04 | 1 | 0 | 0 | 4 |
| jupyter-scipy:v1.6.1 | ubuntu:20.04 | 0 | 1 | 0 | 4 |
| jupyter:v1.6.1 | ubuntu:20.04 | 0 | 0 | 0 | 4 |
| base:v1.6.1 | ubuntu:20.04 | 0 | 0 | 0 | 4 |
| gcr.io/distroless/base:debug (base) | debian:11.6 | 0 | 0 | 0 | 0 |
| ubuntu:20.04 (base) | ubuntu:20.04 | 0 | 0 | 0 | 4 |
| python:3.7-slim-bullseye (base) | debian:11.6 | 0 | 1 | 0 | 0 |
| python:3.7-slim-buster (builder) | debian:10.13 | 1 | 1 | 0 | 0 |
| golang:1.19 (builder) | debian:11.6 | 0 | 5 | 6 | 0 |
| node:12-buster-slim (builder) | debian:10.12 | 13 | 21 | 11 | 5 |
| Totals: | | 18 | 48 | 215 | 61 |

@i-chvets
Contributor Author

Trivy reports as of 25.01.23
trivy-reports.zip

@i-chvets
Contributor Author

i-chvets commented Jan 25, 2023

Updated selected images are published at https://hub.docker.com/repositories/charmedkubeflow

@i-chvets
Contributor Author

i-chvets commented Jan 25, 2023

1 (one) unfixed Critical CVE-2022-45907 in jupyter-pytorch:v1.6.1, related to AMD GPU support. It is fixable by updating the library. Could not find a way to do it properly in this case.

{
      "Target": "Python",
      "Class": "lang-pkgs",
      "Type": "python-pkg",
      "Vulnerabilities": [
        {
          "VulnerabilityID": "CVE-2022-45907",
          "PkgName": "torch",
          "PkgPath": "opt/conda/lib/python3.8/site-packages/torch-1.8.1+rocm4.0.1.dist-info/METADATA",
          "InstalledVersion": "1.8.1+rocm4.0.1",
          "FixedVersion": "1.13.1",
          "Layer": {
            "DiffID": "sha256:b43bfa2263ce2aca198dd2d5e2fbef7d373f12004eb7116b230bd424773c8e9f"
          },
          "SeveritySource": "ghsa",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-45907",
          "DataSource": {
            "ID": "ghsa",
            "Name": "GitHub Security Advisory Pip",
            "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip"
          },
          "Title": "In PyTorch before trunk/89695, torch.jit.annotations.parse_type_line c ...",
          "Description": "In PyTorch before trunk/89695, torch.jit.annotations.parse_type_line can cause arbitrary code execution because eval is used unsafely.",
          "Severity": "CRITICAL",
          "CweIDs": [
            "CWE-77"
          ],
          "CVSS": {
            "ghsa": {
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "V3Score": 9.8
            },
            "nvd": {
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "V3Score": 9.8
            }
          },
          "References": [
            "https://github.com/advisories/GHSA-47fc-vmwq-366v",
            "https://github.com/pytorch/pytorch/commit/767f6aa49fe20a2766b9843d01e3b7f7793df6a3",
            "https://github.com/pytorch/pytorch/issues/88868",
            "https://github.com/pytorch/pytorch/issues/89855",
            "https://github.com/pytorch/pytorch/pull/89189",
            "https://github.com/pytorch/pytorch/releases/tag/v1.13.1",
            "https://nvd.nist.gov/vuln/detail/CVE-2022-45907"
          ],
          "PublishedDate": "2022-11-26T02:15:00Z",
          "LastModifiedDate": "2022-11-28T19:25:00Z"
        }
      ]
    }
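The per-image tables earlier in this issue and the single unfixed finding quoted above are both derived from Trivy JSON reports. The script below is an added example, not code from the notebook-operators project or its author: it folds a set of such reports into the CRITICAL/HIGH/MEDIUM/LOW table and separately lists the findings Trivy marks as fixable (non-empty `FixedVersion`), which is the split the comment above draws between "unfixed" and "fixable by updating the library". It assumes Trivy's JSON layout: a top-level `Results` list whose entries carry `Target`, `Class` and an optional `Vulnerabilities` list with `VulnerabilityID`, `PkgName`, `Severity`, `InstalledVersion` and `FixedVersion`, as in the quoted entry. The sample reports, the `base:v1.6.1` clean result and the `CVE-0000-000x` ids are constructed for the example; only the torch entry mirrors the issue's finding.

```python
"""Aggregate Trivy JSON reports into a per-image severity table.

Added example (not project code). Assumes the Trivy JSON schema shown in the
quoted finding: {"Results": [{"Target": ..., "Vulnerabilities": [...]}]}.
"""
from __future__ import annotations

import json
from collections import Counter

SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW")
RANK = {sev: i for i, sev in enumerate(SEVERITIES)}  # lower index = more severe

# Constructed sample reports, one Trivy JSON document per image. Counts and the
# CVE-0000-000x ids are invented; only the torch entry mirrors the issue.
SAMPLE_REPORTS = {
    "jupyter-pytorch:v1.6.1": json.dumps({
        "ArtifactName": "jupyter-pytorch:v1.6.1",
        "Results": [
            {"Target": "ubuntu 20.04", "Class": "os-pkgs", "Type": "ubuntu",
             "Vulnerabilities": [
                 {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
                  "InstalledVersion": "1.0-1", "FixedVersion": "",
                  "Severity": "LOW"},
                 {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libexample",
                  "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2",
                  "Severity": "HIGH"},
             ]},
            {"Target": "Python", "Class": "lang-pkgs", "Type": "python-pkg",
             "Vulnerabilities": [
                 {"VulnerabilityID": "CVE-2022-45907", "PkgName": "torch",
                  "InstalledVersion": "1.8.1+rocm4.0.1", "FixedVersion": "1.13.1",
                  "Severity": "CRITICAL"},
             ]},
        ],
    }),
    "base:v1.6.1": json.dumps({
        "ArtifactName": "base:v1.6.1",
        # A clean target: Trivy omits the "Vulnerabilities" key entirely.
        "Results": [{"Target": "ubuntu 20.04", "Class": "os-pkgs", "Type": "ubuntu"}],
    }),
}


def count_by_severity(report: dict) -> Counter:
    """Count findings per severity across every result in one report."""
    counts = Counter({sev: 0 for sev in SEVERITIES})
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            sev = vuln.get("Severity", "UNKNOWN")
            if sev in counts:
                counts[sev] += 1
    return counts


def fixable_findings(report: dict, min_severity: str = "CRITICAL") -> list:
    """Findings at or above min_severity for which Trivy knows a fixed version.

    A rebuild can close these by bumping the package; entries with an empty
    FixedVersion need some other mitigation and stay in the table as unfixed.
    """
    limit = RANK[min_severity]
    hits = []
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            sev = vuln.get("Severity", "UNKNOWN")
            if sev in RANK and RANK[sev] <= limit and vuln.get("FixedVersion"):
                hits.append((vuln["VulnerabilityID"], vuln["PkgName"],
                             vuln["InstalledVersion"], vuln["FixedVersion"],
                             result.get("Target", "")))
    return hits


def summarize(reports: dict) -> tuple:
    """Per-image severity counts plus a grand total, from raw JSON strings."""
    rows = {}
    totals = Counter({sev: 0 for sev in SEVERITIES})
    for image, raw in reports.items():
        counts = count_by_severity(json.loads(raw))
        rows[image] = counts
        totals.update(counts)
    return rows, totals


def render_table(rows: dict, totals: Counter) -> str:
    """Render the IMAGE / CRITICAL / HIGH / MEDIUM / LOW layout used in the issue."""
    width = max([len(image) for image in rows] + [len("Totals:")])
    header = f"{'IMAGE':<{width}}  " + "  ".join(f"{sev:>8}" for sev in SEVERITIES)
    lines = [header]
    for image, counts in rows.items():
        lines.append(f"{image:<{width}}  " + "  ".join(f"{counts[sev]:>8}" for sev in SEVERITIES))
    lines.append(f"{'Totals:':<{width}}  " + "  ".join(f"{totals[sev]:>8}" for sev in SEVERITIES))
    return "\n".join(lines)


if __name__ == "__main__":
    table_rows, table_totals = summarize(SAMPLE_REPORTS)
    print(render_table(table_rows, table_totals))
    for image, raw in SAMPLE_REPORTS.items():
        for cve, pkg, installed, fixed, target in fixable_findings(json.loads(raw)):
            print(f"{image}: {cve} in {pkg} ({target}) {installed} -> fixed in {fixed}")
```

To run it against real scans, replace `SAMPLE_REPORTS` with the contents of `trivy image --format json` output per image; the severity filter in `fixable_findings` takes any of the four Trivy severity names, so `min_severity="HIGH"` reproduces the "excluding LOW/MEDIUM" view used in the summary counts.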

@i-chvets
Contributor Author

Integration tests with updated containers:

charms/jupyter-controller/metadata.yaml
   oci-image:
     type: oci-image
     description: 'Backing OCI image'
-    upstream-source: docker.io/kubeflownotebookswg/notebook-controller:v1.6.1
+    upstream-source: registry.hub.docker.com/charmedkubeflow/notebook-controller:v1.6.1
 deployment:
   type: stateless
   service: omit
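Review bot: the rebuilt image is referenced by the mutable tag `v1.6.1` only, the same tag the upstream `kubeflownotebookswg/notebook-controller` image carries, so nothing in this file distinguishes the re-scanned build from the original once either is pulled, and a later push to the same tag would silently replace the contents that were scanned. Consider pinning the rebuilt image by digest, e.g. `upstream-source: registry.hub.docker.com/charmedkubeflow/notebook-controller:v1.6.1@sha256:<digest of the rebuilt image>`, so the charm deploys exactly the image whose Trivy report is attached to this issue.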
charms/jupyter-ui/metadata.yaml
   oci-image:
     type: oci-image
     description: 'Backing OCI image'
-    upstream-source: docker.io/kubeflownotebookswg/jupyter-web-app:v1.6.1
+    upstream-source: registry.hub.docker.com/charmedkubeflow/jupyter-web-app:v1.6.1
 requires:
   ingress:
     interface: ingress
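Review bot: the digest-pinning remark on the jupyter-controller hunk applies here too; in addition, this hunk changes the registry host from `docker.io` to `registry.hub.docker.com`. Both resolve to Docker Hub, but mixing the two spellings across charms makes anything keyed on the registry prefix (image allow-lists, mirror configuration, scan inventories like the table in this issue) match inconsistently. Pick one host form and use it in both metadata.yaml files.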
============================================ test session starts =============================================
platform linux -- Python 3.8.16, pytest-7.2.0, pluggy-1.0.0 -- /home/ichvets/cw/dev/notebook-operators/.tox/integration/bin/python
cachedir: .tox/integration/.pytest_cache
rootdir: /home/ichvets/cw/dev/notebook-operators
plugins: operator-0.22.0, anyio-3.6.2, asyncio-0.20.3
asyncio: mode=auto
collecting ... collected 3 items

tests/test_charms.py::test_build_and_deploy 
----------------------------------------------- live log setup -----------------------------------------------
INFO     pytest_operator.plugin:plugin.py:653 Connecting to existing model uk8s:kubeflow on unspecified cloud
----------------------------------------------- live log call ------------------------------------------------
INFO     pytest_operator.plugin:plugin.py:504 Using tmp_path: /home/ichvets/cw/dev/notebook-operators/.tox/integration/tmp/pytest/kubeflow0
INFO     pytest_operator.plugin:plugin.py:948 Building charm jupyter-controller
INFO     pytest_operator.plugin:plugin.py:953 Built charm jupyter-controller in 14.27s
INFO     pytest_operator.plugin:plugin.py:504 Using tmp_path: /home/ichvets/cw/dev/notebook-operators/.tox/integration/tmp/pytest/kubeflow0
INFO     pytest_operator.plugin:plugin.py:948 Building charm jupyter-ui
INFO     pytest_operator.plugin:plugin.py:953 Built charm jupyter-ui in 17.85s
INFO     juju.model:model.py:2088 Deploying ch:amd64/focal/istio-pilot-251
INFO     juju.model:model.py:2088 Deploying ch:amd64/focal/istio-gateway-239
INFO     juju.model:model.py:2715 Waiting for model:
  istio-pilot/0 [allocating] waiting: installing agent
  istio-ingressgateway/0 [allocating] waiting: installing agent
INFO     juju.model:model.py:2715 Waiting for model:
  istio-pilot/0 [allocating] waiting: agent initializing
  istio-ingressgateway/0 [allocating] waiting: agent initializing
INFO     juju.model:model.py:2715 Waiting for model:
  istio-pilot/0 [idle] active: 
  istio-ingressgateway/0 [idle] active: 
INFO     juju.model:model.py:2088 Deploying local:focal/jupyter-ui-0
INFO     juju.model:model.py:2715 Waiting for model:
  jupyter-ui/0 [allocating] waiting: installing agent
INFO     juju.model:model.py:2715 Waiting for model:
  jupyter-ui/0 [executing] active: 
INFO     juju.model:model.py:2088 Deploying local:kubernetes/jupyter-controller-0
INFO     juju.model:model.py:2088 Deploying ch:amd64/focal/admission-webhook-80
INFO     juju.model:model.py:2088 Deploying ch:amd64/focal/kubeflow-profiles-94
INFO     juju.model:model.py:2088 Deploying ch:amd64/focal/kubeflow-dashboard-205
INFO     juju.model:model.py:2715 Waiting for model:
  istio-pilot/0 [idle] active: 
  istio-ingressgateway/0 [idle] active: 
  jupyter-ui/0 [idle] active: 
  jupyter-controller/0 [allocating] waiting: installing agent
  admission-webhook/0 [allocating] waiting: installing agent
  kubeflow-profiles/0 [allocating] waiting: installing agent
  kubeflow-dashboard/0 [allocating] waiting: installing agent
INFO     juju.model:model.py:2715 Waiting for model:
  jupyter-controller/0 [executing] active: 
  admission-webhook/0 [executing] maintenance: installing charm software
  kubeflow-profiles/0 [allocating] waiting: agent initializing
  kubeflow-dashboard/0 [allocating] waiting: agent initializing
INFO     juju.model:model.py:2715 Waiting for model:
  kubeflow-profiles/0 [idle] active: 
  kubeflow-dashboard/0 [idle] active: 
PASSED
tests/test_charms.py::test_prometheus_grafana_integration 
----------------------------------------------- live log call ------------------------------------------------
INFO     juju.model:model.py:2088 Deploying ch:amd64/focal/prometheus-k8s-101
INFO     juju.model:model.py:2088 Deploying ch:amd64/focal/grafana-k8s-63
INFO     juju.model:model.py:2088 Deploying ch:amd64/focal/prometheus-scrape-config-k8s-39
INFO     juju.model:model.py:2715 Waiting for model:
  istio-pilot/0 [idle] active: 
  istio-ingressgateway/0 [idle] active: 
  jupyter-ui/0 [idle] active: 
  jupyter-controller/0 [executing] active: 
  admission-webhook/0 [idle] active: 
  kubeflow-profiles/0 [idle] active: 
  kubeflow-dashboard/0 [idle] active: 
  prometheus-k8s/0 [allocating] waiting: agent initializing
  grafana-k8s/0 [allocating] waiting: installing agent
  prometheus-scrape-config-k8s/0 [allocating] waiting: installing agent
INFO     juju.model:model.py:2715 Waiting for model:
  jupyter-controller/0 [idle] active: 
  prometheus-k8s/0 [idle] waiting: Waiting for resource limit patch to apply
  grafana-k8s/0 [allocating] waiting: agent initializing
  prometheus-scrape-config-k8s/0 [executing] active: 
INFO     juju.model:model.py:2715 Waiting for model:
  jupyter-controller/0 [idle] active: 
  prometheus-k8s/0 [idle] active: 
  grafana-k8s/0 [idle] unknown: 
INFO     juju.model:model.py:2715 Waiting for model:
  grafana-k8s/0 [idle] unknown: 
INFO     juju.model:model.py:2715 Waiting for model:
  grafana-k8s/0 [executing] maintenance: 
INFO     juju.model:model.py:2715 Waiting for model:
  grafana-k8s/0 [executing] active: 
INFO     test_charms:test_charms.py:303 Prometheus available at http://10.1.59.90:9090
INFO     test_charms:test_charms.py:306 Testing prometheus deployment (attempt 1)
INFO     test_charms:test_charms.py:316 Response status is success
PASSED
--------------------------------------------- live log teardown ----------------------------------------------
INFO     pytest_operator.plugin:plugin.py:768 Model status:

Model     Controller  Cloud/Region        Version  SLA          Timestamp
kubeflow  uk8s        microk8s/localhost  2.9.34   unsupported  20:11:13-05:00

App                           Version                         Status  Scale  Charm                         Channel   Rev  Address         Exposed  Message
admission-webhook             res:oci-image@129fe92           active      1  admission-webhook             edge       80  10.152.183.199  no       
grafana-k8s                   9.2.1                           active      1  grafana-k8s                   edge       63  10.152.183.82   no       
istio-ingressgateway                                          active      1  istio-gateway                 edge      239  10.152.183.3    no       
istio-pilot                                                   active      1  istio-pilot                   edge      251  10.152.183.81   no       
jupyter-controller            .../notebook-controller:v1.6.1  active      1  jupyter-controller                        0                  no       
jupyter-ui                                                    active      1  jupyter-ui                                0  10.152.183.219  no       
kubeflow-dashboard                                            active      1  kubeflow-dashboard            edge      205  10.152.183.163  no       
kubeflow-profiles             res:profile-image@cfd6935       active      1  kubeflow-profiles             1.6/edge   94  10.152.183.70   no       
prometheus-k8s                2.33.5                          active      1  prometheus-k8s                edge      101  10.152.183.38   no       
prometheus-scrape-config-k8s  n/a                             active      1  prometheus-scrape-config-k8s  beta       39  10.152.183.5    no       

Unit                             Workload  Agent  Address     Ports              Message
admission-webhook/0*             active    idle   10.1.59.85  4443/TCP           
grafana-k8s/0*                   active    idle   10.1.59.91                     
istio-ingressgateway/0*          active    idle   10.1.59.76                     
istio-pilot/0*                   active    idle   10.1.59.75                     
jupyter-controller/0*            active    idle   10.1.59.84                     
jupyter-ui/0*                    active    idle   10.1.59.79                     
kubeflow-dashboard/0*            active    idle   10.1.59.83                     
kubeflow-profiles/0*             active    idle   10.1.59.86  8080/TCP,8081/TCP  
prometheus-k8s/0*                active    idle   10.1.59.90                     
prometheus-scrape-config-k8s/0*  active    idle   10.1.59.89                     

INFO     pytest_operator.plugin:plugin.py:774 Juju error logs:
INFO     pytest_operator.plugin:plugin.py:839 Forgetting main...

================================== 2 passed in 472.61s (0:07:52) ==================================
  integration: OK (473.22=setup[0.04]+cmd[473.19] seconds)
  congratulations :) (473.27 seconds)

i-chvets pushed a commit that referenced this issue Jan 26, 2023
#109

Summary of changes:
- Added a list of container images to be published. Not all are required
  to be in dockerhub.
i-chvets pushed a commit that referenced this issue Jan 26, 2023
#109

Summary of changes:
- Updated OCI images to point to re-built images in dockerhub.
- Updated publish.sh to publish only limited list of images.
@i-chvets
Contributor Author

First iteration is complete. Closing.
