PrefectHQ / prefect

Prefect is a workflow orchestration framework for building resilient data pipelines in Python.
https://prefect.io
Apache License 2.0

Remove/upgrade linux-libc-dev in docker images #10297

Open jozo opened 1 year ago

jozo commented 1 year ago

Bug summary

Hi,

our security scanners notified us regarding a few CVEs in Prefect docker images. You should rebuild docker images (to install the newer version of linux-libc-dev) or remove build-essential at the end of the Dockerfile (I guess linux-libc-dev is installed as part of build-essential).

Reproduction

grype prefecthq/prefect:2.11.0-python3.11 --fail-on medium --only-fixed

Error

NAME            INSTALLED  FIXED-IN  TYPE  VULNERABILITY   SEVERITY 
linux-libc-dev  6.1.27-1   6.1.37-1  deb   CVE-2022-48425  High      
linux-libc-dev  6.1.27-1   6.1.37-1  deb   CVE-2023-2124   High      
linux-libc-dev  6.1.27-1   6.1.37-1  deb   CVE-2023-21255  Unknown   
linux-libc-dev  6.1.27-1   6.1.37-1  deb   CVE-2023-2156   High      
linux-libc-dev  6.1.27-1   6.1.37-1  deb   CVE-2023-2269   Medium    
linux-libc-dev  6.1.27-1   6.1.37-1  deb   CVE-2023-3090   High      
linux-libc-dev  6.1.27-1   6.1.37-1  deb   CVE-2023-31084  Medium    
linux-libc-dev  6.1.27-1   6.1.37-1  deb   CVE-2023-3141   High      
linux-libc-dev  6.1.27-1   6.1.37-1  deb   CVE-2023-3212   Medium    
linux-libc-dev  6.1.27-1   6.1.37-1  deb   CVE-2023-32247  High      
linux-libc-dev  6.1.27-1   6.1.37-1  deb   CVE-2023-32248  High      
linux-libc-dev  6.1.27-1   6.1.37-1  deb   CVE-2023-32250  High      
linux-libc-dev  6.1.27-1   6.1.37-1  deb   CVE-2023-32252  High      
linux-libc-dev  6.1.27-1   6.1.37-1  deb   CVE-2023-32254  High      
linux-libc-dev  6.1.27-1   6.1.37-1  deb   CVE-2023-32257  High      
linux-libc-dev  6.1.27-1   6.1.37-1  deb   CVE-2023-32258  High      
linux-libc-dev  6.1.27-1   6.1.37-1  deb   CVE-2023-3268   High      
linux-libc-dev  6.1.27-1   6.1.37-1  deb   CVE-2023-3269   High      
linux-libc-dev  6.1.27-1   6.1.37-1  deb   CVE-2023-3390   High      
linux-libc-dev  6.1.27-1   6.1.37-1  deb   CVE-2023-34256  Medium    
linux-libc-dev  6.1.27-1   6.1.37-1  deb   CVE-2023-35788  High      
linux-libc-dev  6.1.27-1   6.1.37-1  deb   CVE-2023-35823  High      
linux-libc-dev  6.1.27-1   6.1.37-1  deb   CVE-2023-35824  High      
linux-libc-dev  6.1.27-1   6.1.37-1  deb   CVE-2023-35826  High      
linux-libc-dev  6.1.27-1   6.1.37-1  deb   CVE-2023-35828  High      
linux-libc-dev  6.1.27-1   6.1.37-1  deb   CVE-2023-35829  High      
linux-libc-dev  6.1.27-1   6.1.37-1  deb   CVE-2023-3609   High      
linux-libc-dev  6.1.27-1   6.1.37-1  deb   CVE-2023-3610   High      
linux-libc-dev  6.1.27-1   6.1.37-1  deb   CVE-2023-38426  Unknown   
linux-libc-dev  6.1.27-1   6.1.37-1  deb   CVE-2023-38427  Unknown   
linux-libc-dev  6.1.27-1   6.1.37-1  deb   CVE-2023-38428  Unknown   
linux-libc-dev  6.1.27-1   6.1.37-1  deb   CVE-2023-38429  Unknown   
linux-libc-dev  6.1.27-1   6.1.37-1  deb   CVE-2023-38430  Unknown   
linux-libc-dev  6.1.27-1   6.1.37-1  deb   CVE-2023-38431  Unknown   
linux-libc-dev  6.1.27-1   6.1.37-1  deb   CVE-2023-38432  Unknown   
linux-libc-dev  6.1.27-1   6.1.38-1  deb   CVE-2023-31248  High      
linux-libc-dev  6.1.27-1   6.1.38-1  deb   CVE-2023-35001  High

1 error occurred:
    * discovered vulnerabilities at or above the severity threshold

Versions

Version:             2.11.0
API version:         0.8.4
Python version:      3.11.4
Git commit:          eeb9e219
Built:               Thu, Jul 20, 2023 4:34 PM
OS/Arch:             linux/x86_64
Profile:             default
Server type:         ephemeral
Server:
  Database:          sqlite
  SQLite version:    3.40.1

Additional context

No response

hronecviktor commented 1 year ago

+1 for upgrade, 6.1.38-1 is in bookworm repos

Google's GKE Security Posture is also complaining about the 37 CVEs


jawnsy commented 1 year ago

Hello there! Thanks for the report.

We rebuild against the upstream python images in Docker Library, and we do not have any kind of build/package caching, so once this is resolved in the official Docker images, then they should be resolved in our next release build.

hronecviktor commented 1 year ago

Thanks for the info @jawnsy. Have you considered running apt upgrade during the docker build, or does this go against some reproducibility goal you are aiming for? I might be missing something here, but I think the chances of an upgrade breaking something (on a regularly updated stable Debian base) are minuscule, and people can always pin to a hash if they really want to freeze everything. I would consider upgrading to be a safer alternative to distributing images with unpatched CVEs that have a fix available.

E: No need to run a full upgrade, here's what we are using to upgrade only packages with security fixes:

apt-get update && apt-get install -y debsecan && apt-get install --no-install-recommends -y $(debsecan --suite bullseye --format packages --only-fixed)
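The two remedies proposed in this thread (drop build-essential from the shipped image, and apply only the packages debsecan reports as having a fixed security issue) can be combined in one Dockerfile. The example below is added here for illustration; it is not Prefect's Dockerfile and assumes a python:3.11-slim-bookworm base, a requirements.txt in the build context, and an application whose only need for a compiler is at pip install time. One check worth keeping: the suite handed to debsecan must match the release the image is actually built from, which is why the example reads it from /etc/os-release instead of hard-coding it.

```dockerfile
# Added example, not the project's own Dockerfile.
# Assumptions: python:3.11-slim-bookworm base image, requirements.txt present,
# compiler needed only while building wheels.
ARG PYTHON_IMAGE=python:3.11-slim-bookworm

# Stage 1: build wheels with the toolchain present.
# On Debian, build-essential pulls in libc6-dev, which pulls in linux-libc-dev,
# so none of these reach the runtime stage.
FROM ${PYTHON_IMAGE} AS builder
RUN apt-get update \
 && apt-get install -y --no-install-recommends build-essential \
 && rm -rf /var/lib/apt/lists/*
COPY requirements.txt /tmp/requirements.txt
RUN pip wheel --no-cache-dir --wheel-dir /tmp/wheels -r /tmp/requirements.txt

# Stage 2: runtime image without the toolchain.
FROM ${PYTHON_IMAGE}
# Install only packages that debsecan says have a fixed security issue,
# for the release this image really runs (VERSION_CODENAME, e.g. "bookworm").
# $pkgs is intentionally unquoted so each package name becomes one argument.
RUN apt-get update \
 && apt-get install -y --no-install-recommends debsecan \
 && . /etc/os-release \
 && pkgs="$(debsecan --suite "$VERSION_CODENAME" --format packages --only-fixed)" \
 && if [ -n "$pkgs" ]; then apt-get install -y --no-install-recommends $pkgs; fi \
 && apt-get purge -y --auto-remove debsecan \
 && rm -rf /var/lib/apt/lists/*

# Install the prebuilt wheels offline; no compiler is needed here.
COPY --from=builder /tmp/wheels /tmp/wheels
RUN pip install --no-cache-dir --no-index /tmp/wheels/*.whl \
 && rm -rf /tmp/wheels
```

After building, rerun the command from the report (grype <image> --fail-on medium --only-fixed) to confirm the linux-libc-dev findings are gone. Two caveats apply: the debsecan step is not reproducible across builds, since its output changes as the Debian security tracker is updated, so anyone who needs a frozen image should pin by digest, as the comment above suggests; and the CVEs listed against linux-libc-dev are kernel bugs attached to a header-only package, so they cannot be exploited from inside the container (which runs on the host kernel), but scanners and posture tools will keep flagging them until the package is upgraded or removed.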