chore: update Python base images to newer versions #1480

Merged
merged 1 commit into from
Nov 18, 2024

Conversation

andrewjamesbrown
Contributor

grype lists several outstanding vulnerabilities on the base image; this PR fixes the majority of them:

Previous images:

% grype registry:public.ecr.aws/eks-distro-build-tooling/eks-distro-minimal-base-python:3.9.14-al2
 ✔ Parsed image                                                                                     sha256:8b70be76542bf426d7e8cf7123913b6e19ab2bd36017bf7ba870cd6dacf5f544
 ✔ Cataloged contents                                                                                      aeaf72f5fdd0f1945b267ff76c5993f8524f78a00fed837b7ef5290780edc7ab
   ├── ✔ Packages                        [35 packages]
   ├── ✔ File digests                    [1,735 files]
   ├── ✔ File metadata                   [1,735 locations]
   └── ✔ Executables                     [430 executables]
 ✔ Scanned for vulnerabilities     [18 vulnerability matches]
   ├── by severity: 1 critical, 10 high, 5 medium, 0 low, 0 negligible (2 unknown)
   └── by status:   17 fixed, 1 not-fixed, 0 ignored
NAME    INSTALLED  FIXED-IN                                             TYPE    VULNERABILITY   SEVERITY
python  3.9.14     3.10.9, 3.7.16, 3.8.16, 3.9.16                       binary  CVE-2022-37454  Critical
python  3.9.14     3.10.15, 3.11.10, 3.12.6, 3.13.0rc2, 3.8.20, 3.9.20  binary  CVE-2024-7592   High
python  3.9.14     3.10.15, 3.11.10, 3.12.6, 3.13.0rc2, 3.8.20, 3.9.20  binary  CVE-2024-6232   High
python  3.9.14     3.10.15, 3.11.10, 3.12.4, 3.13.0a6, 3.8.20, 3.9.20   binary  CVE-2024-4032   High
python  3.9.14     3.10.14, 3.11.9, 3.12.3, 3.13.0a5, 3.8.20, 3.9.20    binary  CVE-2024-0397   High
python  3.9.14     3.10.14, 3.11.9, 3.12.3, 3.8.19, 3.9.19              binary  CVE-2023-6597   High
python  3.9.14                                                          binary  CVE-2023-36632  High
python  3.9.14     3.10.12, 3.11.4, 3.7.17, 3.8.17, 3.9.17              binary  CVE-2023-24329  High
python  3.9.14     3.10.9, 3.11.1, 3.12.0a3, 3.7.16, 3.8.16, 3.9.16     binary  CVE-2022-45061  High
python  3.9.14     3.10.9, 3.9.16                                       binary  CVE-2022-42919  High
python  3.9.14     3.10.8                                               binary  CVE-2015-20107  High
python  3.9.14     3.10.15, 3.11.10, 3.12.5, 3.13.0rc2, 3.8.20, 3.9.20  binary  CVE-2024-6923   Medium
python  3.9.14     3.10.14, 3.11.9, 3.12.3, 3.8.19, 3.9.19              binary  CVE-2024-0450   Medium
python  3.9.14     3.10.13, 3.11.5, 3.8.18, 3.9.18                      binary  CVE-2023-40217  Medium
python  3.9.14     3.10.15, 3.11.10, 3.12.6, 3.13.0a1, 3.8.20, 3.9.20   binary  CVE-2023-27043  Medium
python  3.9.14     3.10.12, 3.11.4, 3.6.16, 3.8.17, 3.9.17              binary  CVE-2007-4559   Medium
python  3.9.14     3.10.15, 3.11.10, 3.12.6, 3.13.0rc2, 3.8.20, 3.9.20  binary  CVE-2024-8088   Unknown
python  3.9.14     3.10.0b1                                             binary  CVE-2024-5642   Unknown
% grype public.ecr.aws/eks-distro-build-tooling/eks-distro-minimal-base-python-builder:3.9-al2
 ✔ Parsed image                                                                                     sha256:36fb27a29a3204fd36048e36f2584be610fa592f6055e13606e2b0f020c4f49d
 ✔ Cataloged contents                                                                                      584f58add600139bad4f19e58f8b6630e9e206ffe7d872414638f3cac59d10a5
   ├── ✔ Packages                        [165 packages]
   ├── ✔ File digests                    [6,398 files]
   ├── ✔ File metadata                   [6,398 locations]
   └── ✔ Executables                     [1,181 executables]
 ✔ Scanned for vulnerabilities     [18 vulnerability matches]
   ├── by severity: 1 critical, 10 high, 5 medium, 0 low, 0 negligible (2 unknown)
   └── by status:   17 fixed, 1 not-fixed, 0 ignored
NAME    INSTALLED  FIXED-IN                                             TYPE    VULNERABILITY   SEVERITY
python  3.9.14     3.10.9, 3.7.16, 3.8.16, 3.9.16                       binary  CVE-2022-37454  Critical
python  3.9.14     3.10.15, 3.11.10, 3.12.6, 3.13.0rc2, 3.8.20, 3.9.20  binary  CVE-2024-7592   High
python  3.9.14     3.10.15, 3.11.10, 3.12.6, 3.13.0rc2, 3.8.20, 3.9.20  binary  CVE-2024-6232   High
python  3.9.14     3.10.15, 3.11.10, 3.12.4, 3.13.0a6, 3.8.20, 3.9.20   binary  CVE-2024-4032   High
python  3.9.14     3.10.14, 3.11.9, 3.12.3, 3.13.0a5, 3.8.20, 3.9.20    binary  CVE-2024-0397   High
python  3.9.14     3.10.14, 3.11.9, 3.12.3, 3.8.19, 3.9.19              binary  CVE-2023-6597   High
python  3.9.14                                                          binary  CVE-2023-36632  High
python  3.9.14     3.10.12, 3.11.4, 3.7.17, 3.8.17, 3.9.17              binary  CVE-2023-24329  High
python  3.9.14     3.10.9, 3.11.1, 3.12.0a3, 3.7.16, 3.8.16, 3.9.16     binary  CVE-2022-45061  High
python  3.9.14     3.10.9, 3.9.16                                       binary  CVE-2022-42919  High
python  3.9.14     3.10.8                                               binary  CVE-2015-20107  High
python  3.9.14     3.10.15, 3.11.10, 3.12.5, 3.13.0rc2, 3.8.20, 3.9.20  binary  CVE-2024-6923   Medium
python  3.9.14     3.10.14, 3.11.9, 3.12.3, 3.8.19, 3.9.19              binary  CVE-2024-0450   Medium
python  3.9.14     3.10.13, 3.11.5, 3.8.18, 3.9.18                      binary  CVE-2023-40217  Medium
python  3.9.14     3.10.15, 3.11.10, 3.12.6, 3.13.0a1, 3.8.20, 3.9.20   binary  CVE-2023-27043  Medium
python  3.9.14     3.10.12, 3.11.4, 3.6.16, 3.8.17, 3.9.17              binary  CVE-2007-4559   Medium
python  3.9.14     3.10.15, 3.11.10, 3.12.6, 3.13.0rc2, 3.8.20, 3.9.20  binary  CVE-2024-8088   Unknown
python  3.9.14     3.10.0b1                                             binary  CVE-2024-5642   Unknown

New images:

% grype registry:public.ecr.aws/eks-distro-build-tooling/eks-distro-minimal-base-python:3.9.16-al23
 ✔ Parsed image                                                                                     sha256:e7f94b033cf5c677fe2dda30b4b6a49026052dde28e93afb035d8311c406cf5f
 ✔ Cataloged contents                                                                                      6f6ca23710e79f493ab14b49119873ca88b932c6d3b753005d5e3ea5d7f8f18c
   ├── ✔ Packages                        [42 packages]
   ├── ✔ File digests                    [3,406 files]
   ├── ✔ File metadata                   [3,406 locations]
   └── ✔ Executables                     [161 executables]
 ✔ Scanned for vulnerabilities     [0 vulnerability matches]
   ├── by severity: 0 critical, 0 high, 0 medium, 0 low, 0 negligible
   └── by status:   0 fixed, 0 not-fixed, 0 ignored
No vulnerabilities found
% grype public.ecr.aws/eks-distro-build-tooling/eks-distro-minimal-base-python-builder:3.9.16-al23
 ✔ Parsed image                                                                                     sha256:0dda66e78f4bee954b1f6d261f448076888fb62e86b224d5fa74f89b6b0fce32
 ✔ Cataloged contents                                                                                      a3481a7bb6a135b81a8d36d5d6b25ae204b5e675d8bc0214cb5751d653182d4c
   ├── ✔ Packages                        [182 packages]
   ├── ✔ File digests                    [6,797 files]
   ├── ✔ File metadata                   [6,797 locations]
   └── ✔ Executables                     [608 executables]
 ✔ Scanned for vulnerabilities     [6 vulnerability matches]
   ├── by severity: 0 critical, 2 high, 4 medium, 0 low, 0 negligible
   └── by status:   6 fixed, 0 not-fixed, 0 ignored
NAME               INSTALLED                FIXED-IN               TYPE    VULNERABILITY        SEVERITY
libgcrypt          1.10.2-1.amzn2023.0.1    1.10.2-1.amzn2023.0.2  rpm     ALAS-2024-736        Medium
openssl-libs       1:3.0.8-1.amzn2023.0.14  3.0.8-1.amzn2023.0.16  rpm     ALAS-2024-727        Medium
openssl-libs       1:3.0.8-1.amzn2023.0.14  3.0.8-1.amzn2023.0.15  rpm     ALAS-2024-721        Medium
python3-pip-wheel  21.3.1-2.amzn2023.0.7    21.3.1-2.amzn2023.0.8  rpm     ALAS-2024-730        Medium
setuptools         59.6.0                   65.5.1                 python  GHSA-r9hx-vwmv-q579  High
setuptools         59.6.0                   70.0.0                 python  GHSA-cx63-2mw6-8hw5  High

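The before/after scans above are the evidence for this PR, but the same check is only useful if it runs on every build so a base-image regression fails CI rather than waiting for someone to rerun grype by hand. The script below is an added example of mine, not code from aws-efs-csi-driver or from the PR author: it reads `grype -o json` output and enforces a severity policy. The embedded sample report is constructed from rows of the tables above and is not real grype output; the JSON field names (matches[].vulnerability.id/.severity/.fix.state/.fix.versions and matches[].artifact.name/.version/.type) follow grype's schema as I know it and should be checked against the grype version in use. It deliberately handles the two awkward cases visible in the tables: CVE-2023-36632, which has no fix, and the two findings grype reports with severity Unknown.

```python
"""Gate a container image on a grype JSON report (`grype -o json <image>`).

Added example for this PR thread; not part of aws-efs-csi-driver. The sample
report below is constructed from the tables in the PR description and is not
real grype output. Field names follow grype's JSON schema as I know it
(matches[].vulnerability.id/.severity/.fix.state/.fix.versions and
matches[].artifact.name/.version/.type); confirm against your grype version.
"""
import json
import sys
from collections import Counter

SEVERITY_RANK = {"Negligible": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Constructed sample: four matches lifted from the before/after tables above.
SAMPLE_REPORT = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-2022-37454", "severity": "Critical",
                       "fix": {"versions": ["3.9.16", "3.10.9"], "state": "fixed"}},
     "artifact": {"name": "python", "version": "3.9.14", "type": "binary"}},
    {"vulnerability": {"id": "CVE-2023-36632", "severity": "High",
                       "fix": {"versions": [], "state": "not-fixed"}},
     "artifact": {"name": "python", "version": "3.9.14", "type": "binary"}},
    {"vulnerability": {"id": "ALAS-2024-736", "severity": "Medium",
                       "fix": {"versions": ["1.10.2-1.amzn2023.0.2"], "state": "fixed"}},
     "artifact": {"name": "libgcrypt", "version": "1.10.2-1.amzn2023.0.1", "type": "rpm"}},
    {"vulnerability": {"id": "GHSA-r9hx-vwmv-q579", "severity": "High",
                       "fix": {"versions": ["65.5.1"], "state": "fixed"}},
     "artifact": {"name": "setuptools", "version": "59.6.0", "type": "python"}},
]})


def load_matches(report_json):
    """Parse a grype JSON report and return its list of matches."""
    return json.loads(report_json).get("matches", [])


def summarize(matches):
    """Count matches per severity, the breakdown grype prints as 'by severity'."""
    counts = Counter()
    for m in matches:
        sev = m["vulnerability"].get("severity")
        counts[sev if sev in SEVERITY_RANK else "Unknown"] += 1
    return dict(counts)


def policy_violations(matches, min_severity="High", ignore_unfixed=False):
    """Return (id, package, version, fix_versions) for every match at or above
    min_severity, worst severity first.

    Severity 'Unknown' fails closed: grype uses it for CVEs it has no score
    for, and treating them as passing silently hides real findings.
    ignore_unfixed=True skips findings with no available fix; that is only
    acceptable when those findings are tracked somewhere else.
    """
    threshold = SEVERITY_RANK[min_severity]
    hits = []
    for m in matches:
        vuln, art = m["vulnerability"], m["artifact"]
        rank = SEVERITY_RANK.get(vuln.get("severity"), threshold)  # Unknown -> at threshold
        if rank < threshold:
            continue
        fix = vuln.get("fix") or {}
        if ignore_unfixed and fix.get("state") != "fixed":
            continue
        hits.append((rank, vuln["id"], art["name"], art["version"],
                     list(fix.get("versions") or [])))
    hits.sort(key=lambda h: (-h[0], h[1]))  # deterministic: severity desc, then id
    return [h[1:] for h in hits]


def gate(report_json, min_severity="High", ignore_unfixed=False):
    """True if the image passes the policy; prints each violation otherwise."""
    violations = policy_violations(load_matches(report_json), min_severity, ignore_unfixed)
    for vid, name, version, fixes in violations:
        print(f"{vid}: {name} {version} (fixed in: {', '.join(fixes) or 'no fix'})")
    return not violations


if __name__ == "__main__":
    # Usage: grype -o json <image> | python gate.py   (no stdin: runs the sample)
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    sys.exit(0 if gate(data) else 1)
```

Run it as `grype -o json <image> | python gate.py`; a non-zero exit fails the pipeline. Scan the final image and the builder separately: the builder's setuptools 59.6.0 findings above only matter if those files end up in the runtime image, whereas a finding against the python binary in the final image always does.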

k8s-ci-robot added the cncf-cla: yes label (indicates the PR's author has signed the CNCF CLA) on Oct 23, 2024
@k8s-ci-robot
Contributor

Welcome @andrewjamesbrown!

It looks like this is your first PR to kubernetes-sigs/aws-efs-csi-driver 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/aws-efs-csi-driver has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

k8s-ci-robot added the needs-ok-to-test label (indicates a PR that requires an org member to verify it is safe to test) on Oct 23, 2024
@k8s-ci-robot
Contributor

Hi @andrewjamesbrown. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

k8s-ci-robot added the size/XS label (denotes a PR that changes 0-9 lines, ignoring generated files) on Oct 23, 2024
@mskanth972
Contributor

/ok-to-test

k8s-ci-robot added the ok-to-test label (indicates a non-member PR verified by an org member that is safe to test) and removed the needs-ok-to-test label on Nov 1, 2024
k8s-ci-robot added the lgtm label ("Looks good to me", indicates that a PR is ready to be merged) on Nov 1, 2024
@mskanth972
Contributor

/retest

@mskanth972
Contributor

Hi @andrewjamesbrown, I think the new image in the PR is using al23, which is failing the build. Can you update the image to be al2?
https://gallery.ecr.aws/eks-distro-build-tooling/eks-distro-minimal-base-python-builder

k8s-ci-robot added the size/S label (denotes a PR that changes 10-29 lines, ignoring generated files) and removed the lgtm and size/XS labels on Nov 1, 2024

COPY --from=rpm-provider /tmp/rpms/* /tmp/download/

# second param indicates to skip installing dependency rpms, these will be installed manually
# cd, ls, cat, vim, tcpdump, are for debugging
RUN clean_install amazon-efs-utils true && \
clean_install crypto-policies true && \
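Review bot: the comment above the RUN line says cd, ls, cat, vim and tcpdump are installed "for debugging"; tcpdump and vim in particular have no role in a running CSI driver and widen the attack surface of a privileged node component (tcpdump can capture node traffic, vim can spawn shells), so they belong behind a build argument or in a separate debug image rather than in the default one. On the crypto-policies line, the second parameter is documented as "skip installing dependency rpms, these will be installed manually", so the fix for the opensslcnf.config error only holds if crypto-policies itself needs no further rpms; a short comment on that line stating why it is required and that it has no unmet dependencies would save the next reader from re-deriving it.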
Contributor Author


Required to avoid /etc/crypto-policies/back-ends/opensslcnf.config not found error from openssl

@andrewjamesbrown
Contributor Author

@mskanth972 I've fixed up the PR and tests are passing; let me know if there's anything further for me to do in order to get this shipped. Thanks!

@mskanth972
Contributor

can you please squash the commits?

@andrewjamesbrown
Contributor Author

can you please squash the commits?

@mskanth972 done!

@andrewjamesbrown
Contributor Author

@mskanth972 any update?

@mskanth972
Contributor

/lgtm
/approve

k8s-ci-robot added the lgtm label ("Looks good to me", indicates that a PR is ready to be merged) on Nov 18, 2024
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: andrewjamesbrown, mskanth972

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

k8s-ci-robot added the approved label (indicates a PR has been approved by an approver from all required OWNERS files) on Nov 18, 2024
@mskanth972
Contributor

@mskanth972 any update?

Sorry, I just added the labels to get merged.

k8s-ci-robot merged commit a416c3d into kubernetes-sigs:master on Nov 18, 2024
6 checks passed