
images: Use Kubernetes debian-base:bullseye-v1.1.0 as base image #13546

Merged
merged 1 commit into from
Dec 21, 2021

Conversation

justaugustus

Follow-up to #13376, now that an updated debian-base image was promoted in kubernetes/release#2371.

Signed-off-by: Stephen Augustus foo@auggie.dev

cc: @hexfusion @mrueg


Previous scan against k8s.gcr.io/build-image/debian-base:bullseye-v1.0.0:

docker run -it aquasec/trivy:0.21.2 image --ignore-unfixed k8s.gcr.io/build-image/debian-base:bullseye-v1.0.0
2021-12-17T21:15:53.638Z	INFO	Need to update DB
2021-12-17T21:15:53.639Z	INFO	Downloading DB...
25.23 MiB / 25.23 MiB [-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 12.94 MiB p/s 2s
2021-12-17T21:15:58.838Z	INFO	Detected OS: debian
2021-12-17T21:15:58.838Z	INFO	Detecting Debian vulnerabilities...
2021-12-17T21:15:58.851Z	INFO	Number of language-specific files: 0

k8s.gcr.io/build-image/debian-base:bullseye-v1.0.0 (debian 11.0)
================================================================
Total: 6 (UNKNOWN: 0, LOW: 0, MEDIUM: 4, HIGH: 1, CRITICAL: 1)

+------------------+------------------+----------+-------------------+------------------+---------------------------------------+
|     LIBRARY      | VULNERABILITY ID | SEVERITY | INSTALLED VERSION |  FIXED VERSION   |                 TITLE                 |
+------------------+------------------+----------+-------------------+------------------+---------------------------------------+
| libgssapi-krb5-2 | CVE-2021-37750   | MEDIUM   | 1.18.3-6          | 1.18.3-6+deb11u1 | krb5: NULL pointer dereference        |
|                  |                  |          |                   |                  | in process_tgs_req() in               |
|                  |                  |          |                   |                  | kdc/do_tgs_req.c via a FAST inner...  |
|                  |                  |          |                   |                  | -->avd.aquasec.com/nvd/cve-2021-37750 |
+------------------+                  +          +                   +                  +                                       +
| libk5crypto3     |                  |          |                   |                  |                                       |
|                  |                  |          |                   |                  |                                       |
|                  |                  |          |                   |                  |                                       |
|                  |                  |          |                   |                  |                                       |
+------------------+                  +          +                   +                  +                                       +
| libkrb5-3        |                  |          |                   |                  |                                       |
|                  |                  |          |                   |                  |                                       |
|                  |                  |          |                   |                  |                                       |
|                  |                  |          |                   |                  |                                       |
+------------------+                  +          +                   +                  +                                       +
| libkrb5support0  |                  |          |                   |                  |                                       |
|                  |                  |          |                   |                  |                                       |
|                  |                  |          |                   |                  |                                       |
|                  |                  |          |                   |                  |                                       |
+------------------+------------------+----------+-------------------+------------------+---------------------------------------+
| libssl1.1        | CVE-2021-3711    | CRITICAL | 1.1.1k-1          | 1.1.1k-1+deb11u1 | openssl: SM2 Decryption               |
|                  |                  |          |                   |                  | Buffer Overflow                       |
|                  |                  |          |                   |                  | -->avd.aquasec.com/nvd/cve-2021-3711  |
+                  +------------------+----------+                   +                  +---------------------------------------+
|                  | CVE-2021-3712    | HIGH     |                   |                  | openssl: Read buffer overruns         |
|                  |                  |          |                   |                  | processing ASN.1 strings              |
|                  |                  |          |                   |                  | -->avd.aquasec.com/nvd/cve-2021-3712  |
+------------------+------------------+----------+-------------------+------------------+---------------------------------------+

New scan against k8s.gcr.io/build-image/debian-base:bullseye-v1.1.0:

docker run -it aquasec/trivy:0.21.2 image --ignore-unfixed k8s.gcr.io/build-image/debian-base:bullseye-v1.1.0
2021-12-17T21:17:21.382Z	INFO	Need to update DB
2021-12-17T21:17:21.382Z	INFO	Downloading DB...
25.23 MiB / 25.23 MiB [-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 12.24 MiB p/s 2s
2021-12-17T21:17:26.077Z	INFO	Detected OS: debian
2021-12-17T21:17:26.077Z	INFO	Detecting Debian vulnerabilities...
2021-12-17T21:17:26.092Z	INFO	Number of language-specific files: 0

k8s.gcr.io/build-image/debian-base:bullseye-v1.1.0 (debian 11.1)
================================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

Signed-off-by: Stephen Augustus <foo@auggie.dev>
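The before/after scan comparison in the description, turned into a check that can run in CI: an added example (not etcd's or Trivy's code) that parses two `trivy image --format json` reports and refuses a base-image bump that introduces fixable findings above a chosen severity. The JSON field names follow the Trivy 0.21 schema as assumed here, and the sample reports are constructed to mirror the two scans above (the unfixed entry in the new one is a placeholder added only to exercise the `--ignore-unfixed` filter).

```python
# Gate a base-image bump on two Trivy JSON scans (added example, not etcd's code).
# Assumes Trivy 0.21's JSON layout: top-level "Results", each with a
# "Vulnerabilities" list of {VulnerabilityID, PkgName, Severity, FixedVersion}.
import json

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

def _vuln(cve, pkg, sev, installed, fixed=""):
    return {"VulnerabilityID": cve, "PkgName": pkg, "Severity": sev,
            "InstalledVersion": installed, "FixedVersion": fixed}

# Constructed sample reports mirroring the two scans quoted in the PR.
OLD_SCAN = json.dumps({"SchemaVersion": 2, "Results": [{
    "Target": "debian-base:bullseye-v1.0.0 (debian 11.0)", "Class": "os-pkgs",
    "Vulnerabilities": [
        _vuln("CVE-2021-37750", p, "MEDIUM", "1.18.3-6", "1.18.3-6+deb11u1")
        for p in ("libgssapi-krb5-2", "libk5crypto3", "libkrb5-3", "libkrb5support0")
    ] + [_vuln("CVE-2021-3711", "libssl1.1", "CRITICAL", "1.1.1k-1", "1.1.1k-1+deb11u1"),
         _vuln("CVE-2021-3712", "libssl1.1", "HIGH", "1.1.1k-1", "1.1.1k-1+deb11u1")]}]})
NEW_SCAN = json.dumps({"SchemaVersion": 2, "Results": [{
    "Target": "debian-base:bullseye-v1.1.0 (debian 11.1)", "Class": "os-pkgs",
    # One constructed entry with no fix (placeholder ID/package) to exercise the filter.
    "Vulnerabilities": [_vuln("CVE-0000-0000", "placeholder-pkg", "LOW", "1.0-1")]}]})

def findings(report_json, ignore_unfixed=True):
    """Map (CVE, package) -> severity; ignore_unfixed mirrors `trivy --ignore-unfixed`."""
    found = {}
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:  # Trivy emits null when clean
            if ignore_unfixed and not v.get("FixedVersion"):
                continue
            found[(v["VulnerabilityID"], v["PkgName"])] = v["Severity"]
    return found

def summarize(found):
    """Per-severity counts, in the order of Trivy's 'Total:' line."""
    return {sev: sum(1 for s in found.values() if s == sev) for sev in SEVERITY_RANK}

def compare(old, new):
    """(fixed, introduced): findings that disappeared vs. appeared across the bump."""
    return sorted(set(old) - set(new)), sorted(set(new) - set(old))

def bump_is_acceptable(old_json, new_json, max_new="MEDIUM"):
    """Accept the bump unless it introduces a fixable finding above max_new."""
    old, new = findings(old_json), findings(new_json)
    return all(SEVERITY_RANK[new[k]] <= SEVERITY_RANK[max_new]
               for k in compare(old, new)[1])
```

Feed it the real reports by saving each `trivy image --format json` run to a file and passing the file contents to `bump_is_acceptable`.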
@hexfusion hexfusion left a comment

thank you!

@justaugustus

Note: Consider deduplicating the Dockerfiles by using docker buildx, which can build for multi-arch.

@justaugustus

thank you!

Happy to help, Sam! :)

@ptabor ptabor merged commit 7ff2c77 into etcd-io:main Dec 21, 2021
@yank1

yank1 commented Dec 23, 2021

Hi @justaugustus,
Is it a good idea to use a distroless image as the base image?
Like #13556

@serathius

+1 for distroless.
