NOAA-GSL / VxIngest


Update python tooling in the ingest image #402

Closed ian-noaa closed 2 months ago

ian-noaa commented 3 months ago

Describe the bug

The ingest container image has an out-of-date & vulnerable version of setuptools in it.

To Reproduce

Steps to reproduce the behavior:

  1. Download the docker image: docker pull ghcr.io/noaa-gsl/vxingest/ingest:pr-400
  2. Run our security scanner on it: trivy image --ignore-unfixed --vuln-type os,library --severity CRITICAL,HIGH ghcr.io/noaa-gsl/vxingest/ingest:pr-400
  3. See the following vulnerability readout:

ghcr.io/noaa-gsl/vxingest/ingest:pr-400 (debian 12.6)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-08-02T09:57:10-06:00       INFO    Table result includes only package filenames. Use '--format json' option to get the full path to the package file.

Python (python-pkg)

Total: 1 (HIGH: 1, CRITICAL: 0)

┌───────────────────────┬───────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────┐
│        Library        │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │                        Title                        │
├───────────────────────┼───────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────┤
│ setuptools (METADATA) │ CVE-2024-6345 │ HIGH     │ fixed  │ 65.5.1            │ 70.0.0        │ pypa/setuptools: Remote code execution via download │
│                       │               │          │        │                   │               │ functions in the package_index module in...         │
│                       │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-6345           │
└───────────────────────┴───────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────┘

Expected behavior

Our ingest image should keep the preinstalled Python tooling (setuptools & pip) up-to-date.

Additional context

It appears this was done in the builder layer, but we forgot to do it for the prod layer.
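The scan in step 2 only helps if someone reads the table, so the added example below (written for this issue, not code from the VxIngest project) turns it into a CI gate: it reads the report that trivy writes with `--format json` and fails the build on exactly the findings the issue's flags select (`--severity CRITICAL,HIGH`, `--vuln-type os,library`, `--ignore-unfixed`). The report layout (`Results[].Class`, `Vulnerabilities[].FixedVersion`, etc.) is an assumption about trivy's JSON schema, and the sample report is constructed, with the setuptools entry copied from the table above and placeholder entries for the skipped cases.

```python
import json
import sys
from collections import namedtuple

# Mirror the issue's CLI flags: --severity CRITICAL,HIGH and --vuln-type os,library
# (trivy labels those result classes "os-pkgs" and "lang-pkgs").
GATED_SEVERITIES = {"CRITICAL", "HIGH"}
GATED_CLASSES = {"os-pkgs", "lang-pkgs"}
Finding = namedtuple("Finding", "target pkg vuln_id severity installed fixed")

def gated_findings(report: dict, ignore_unfixed: bool = True) -> list:
    """HIGH/CRITICAL findings a CI gate should fail on; ignore_unfixed mirrors --ignore-unfixed,
    skipping findings with no upstream fix since rebuilding the image cannot clear them."""
    findings = []
    for result in report.get("Results", []):
        if result.get("Class") not in GATED_CLASSES:
            continue
        for v in result.get("Vulnerabilities") or []:  # key absent or null when the target is clean
            fixed = v.get("FixedVersion", "")
            if v.get("Severity") not in GATED_SEVERITIES or (ignore_unfixed and not fixed):
                continue
            findings.append(Finding(result.get("Target", ""), v["PkgName"], v["VulnerabilityID"],
                                    v["Severity"], v.get("InstalledVersion", ""), fixed))
    return findings

# Constructed sample in the layout trivy's `--format json` uses (an assumption about the
# schema): the setuptools entry reproduces the issue's table; the other two are placeholders.
SAMPLE_REPORT = {
    "ArtifactName": "ghcr.io/noaa-gsl/vxingest/ingest:pr-400",
    "Results": [
        {"Target": "ghcr.io/noaa-gsl/vxingest/ingest:pr-400 (debian 12.6)", "Class": "os-pkgs", "Type": "debian"},
        {"Target": "Python", "Class": "lang-pkgs", "Type": "python-pkg", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2024-6345", "PkgName": "setuptools", "InstalledVersion": "65.5.1",
             "FixedVersion": "70.0.0", "Severity": "HIGH", "Status": "fixed"},
            {"VulnerabilityID": "CVE-PLACEHOLDER-1", "PkgName": "placeholder-pkg", "InstalledVersion": "1.0",
             "FixedVersion": "", "Severity": "HIGH", "Status": "affected"},   # unfixed: skipped by default
            {"VulnerabilityID": "CVE-PLACEHOLDER-2", "PkgName": "placeholder-pkg", "InstalledVersion": "1.0",
             "FixedVersion": "1.1", "Severity": "MEDIUM", "Status": "fixed"},  # below the gate
        ]},
    ],
}

if __name__ == "__main__":
    # Usage: python gate.py trivy-report.json  (falls back to the sample when no path is given)
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPORT
    hits = gated_findings(report)
    for f in hits:
        print(f"{f.severity} {f.vuln_id} {f.pkg} {f.installed} -> {f.fixed} [{f.target}]")
    sys.exit(1 if hits else 0)
```

Run against the real report (`trivy image --format json -o trivy-report.json ...`) the script exits non-zero on the setuptools finding until the prod layer upgrades it to 70.0.0 or later, which is the regression check the "Expected behavior" section asks for.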