
images: Use Kubernetes debian-base:bullseye-v1.1.0 as base image #13546

Merged
ptabor merged 1 commit into etcd-io:main from justaugustus:debian-base-bullseye
Dec 21, 2021

@justaugustus
Contributor

Follow-up to #13376, now that an updated debian-base image was promoted in kubernetes/release#2371.

Signed-off-by: Stephen Augustus [email protected]

cc: @hexfusion @mrueg


Previous scan against k8s.gcr.io/build-image/debian-base:bullseye-v1.0.0:

docker run -it aquasec/trivy:0.21.2 image --ignore-unfixed k8s.gcr.io/build-image/debian-base:bullseye-v1.0.0
2021-12-17T21:15:53.638Z	INFO	Need to update DB
2021-12-17T21:15:53.639Z	INFO	Downloading DB...
25.23 MiB / 25.23 MiB [-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 12.94 MiB p/s 2s
2021-12-17T21:15:58.838Z	INFO	Detected OS: debian
2021-12-17T21:15:58.838Z	INFO	Detecting Debian vulnerabilities...
2021-12-17T21:15:58.851Z	INFO	Number of language-specific files: 0

k8s.gcr.io/build-image/debian-base:bullseye-v1.0.0 (debian 11.0)
================================================================
Total: 6 (UNKNOWN: 0, LOW: 0, MEDIUM: 4, HIGH: 1, CRITICAL: 1)

+------------------+------------------+----------+-------------------+------------------+---------------------------------------+
|     LIBRARY      | VULNERABILITY ID | SEVERITY | INSTALLED VERSION |  FIXED VERSION   |                 TITLE                 |
+------------------+------------------+----------+-------------------+------------------+---------------------------------------+
| libgssapi-krb5-2 | CVE-2021-37750   | MEDIUM   | 1.18.3-6          | 1.18.3-6+deb11u1 | krb5: NULL pointer dereference        |
|                  |                  |          |                   |                  | in process_tgs_req() in               |
|                  |                  |          |                   |                  | kdc/do_tgs_req.c via a FAST inner...  |
|                  |                  |          |                   |                  | -->avd.aquasec.com/nvd/cve-2021-37750 |
+------------------+                  +          +                   +                  +                                       +
| libk5crypto3     |                  |          |                   |                  |                                       |
|                  |                  |          |                   |                  |                                       |
|                  |                  |          |                   |                  |                                       |
|                  |                  |          |                   |                  |                                       |
+------------------+                  +          +                   +                  +                                       +
| libkrb5-3        |                  |          |                   |                  |                                       |
|                  |                  |          |                   |                  |                                       |
|                  |                  |          |                   |                  |                                       |
|                  |                  |          |                   |                  |                                       |
+------------------+                  +          +                   +                  +                                       +
| libkrb5support0  |                  |          |                   |                  |                                       |
|                  |                  |          |                   |                  |                                       |
|                  |                  |          |                   |                  |                                       |
|                  |                  |          |                   |                  |                                       |
+------------------+------------------+----------+-------------------+------------------+---------------------------------------+
| libssl1.1        | CVE-2021-3711    | CRITICAL | 1.1.1k-1          | 1.1.1k-1+deb11u1 | openssl: SM2 Decryption               |
|                  |                  |          |                   |                  | Buffer Overflow                       |
|                  |                  |          |                   |                  | -->avd.aquasec.com/nvd/cve-2021-3711  |
+                  +------------------+----------+                   +                  +---------------------------------------+
|                  | CVE-2021-3712    | HIGH     |                   |                  | openssl: Read buffer overruns         |
|                  |                  |          |                   |                  | processing ASN.1 strings              |
|                  |                  |          |                   |                  | -->avd.aquasec.com/nvd/cve-2021-3712  |
+------------------+------------------+----------+-------------------+------------------+---------------------------------------+

New scan against k8s.gcr.io/build-image/debian-base:bullseye-v1.1.0:

docker run -it aquasec/trivy:0.21.2 image --ignore-unfixed k8s.gcr.io/build-image/debian-base:bullseye-v1.1.0
2021-12-17T21:17:21.382Z	INFO	Need to update DB
2021-12-17T21:17:21.382Z	INFO	Downloading DB...
25.23 MiB / 25.23 MiB [-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 12.24 MiB p/s 2s
2021-12-17T21:17:26.077Z	INFO	Detected OS: debian
2021-12-17T21:17:26.077Z	INFO	Detecting Debian vulnerabilities...
2021-12-17T21:17:26.092Z	INFO	Number of language-specific files: 0

k8s.gcr.io/build-image/debian-base:bullseye-v1.1.0 (debian 11.1)
================================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
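
Added example, not part of the original pull request: the Trivy table for bullseye-v1.0.0 merges repeated cells, so six findings appear under only three CVE IDs. This Python parser expands the merged cells and reconciles the rows with the `Total:` line; the sample is a constructed three-column excerpt of that scan, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: summary line plus the first three columns of the v1.0.0 table.
SAMPLE = """\
Total: 6 (UNKNOWN: 0, LOW: 0, MEDIUM: 4, HIGH: 1, CRITICAL: 1)

+------------------+------------------+----------+
|     LIBRARY      | VULNERABILITY ID | SEVERITY |
+------------------+------------------+----------+
| libgssapi-krb5-2 | CVE-2021-37750   | MEDIUM   |
+------------------+                  +          +
| libk5crypto3     |                  |          |
+------------------+                  +          +
| libkrb5-3        |                  |          |
+------------------+                  +          +
| libkrb5support0  |                  |          |
+------------------+------------------+----------+
| libssl1.1        | CVE-2021-3711    | CRITICAL |
+                  +------------------+----------+
|                  | CVE-2021-3712    | HIGH     |
+------------------+------------------+----------+
"""

def parse_findings(report):
    """Return one dict per finding, carrying merged-cell values down the table."""
    header, cells, rows = None, None, []
    for line in map(str.strip, report.splitlines()):
        if line.startswith("+"):                       # border line ends a row
            segs = line[1:-1].split("+")
            if cells is None:
                cells = [""] * len(segs)               # top border, nothing to emit
            elif header is None:
                header = cells[:]                      # first completed row is the header
            else:
                rows.append(dict(zip(header, cells)))
            # Dashes close that column's cell; blanks mean the cell spans the next row.
            cells = ["" if "-" in s else c for s, c in zip(segs, cells)]
        elif line.startswith("|"):                     # content line, may wrap a cell
            for i, part in enumerate(line[1:-1].split("|")):
                cells[i] = f"{cells[i]} {part.strip()}".strip()
    return rows

def reconcile(report):
    """Check that the expanded rows match the declared total and severity counts."""
    m = re.search(r"^Total: (\d+) \((.*)\)$", report, re.M)
    declared = {k: int(v) for k, v in re.findall(r"(\w+): (\d+)", m.group(2))}
    rows = parse_findings(report)
    seen = Counter(r["SEVERITY"] for r in rows)
    ok = int(m.group(1)) == len(rows) and all(seen[k] == v for k, v in declared.items())
    return ok, rows
```
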

Contributor

@hexfusion hexfusion left a comment

thank you!

@justaugustus
Contributor Author

Note: Consider dedupe-ing the Dockerfiles by using docker buildx which can build for multi-arch

@justaugustus
Contributor Author

thank you!

Happy to help, Sam! :)

@ptabor ptabor merged commit 7ff2c77 into etcd-io:main Dec 21, 2021
@yank1

yank1 commented Dec 23, 2021

Hi @justaugustus,
Is it a good idea to use a distroless image as the base image?
Like #13556

@serathius
Member

+1 for distroless.
