RocksLabs / kvrocks-operator

Apache License 2.0

Add docker/build-push-action in the CI. #18

Closed ColinChamber closed 1 year ago

ColinChamber commented 1 year ago

And replace the image repository tianshimoyi with rockslabs

xiao-jay commented 1 year ago

@ColinChamber Hi, may I ask whether a mirror image is suitable for pushing to ghcr.io of GitHub or Docker Hub?

xiao-jay commented 1 year ago

@ColinChamber @git-hulk Hi, I built an image on Mac with docker build -t docker.io/xiaojie99999/kvrocks-operator:latest . and I found docker telling me

Use 'docker scan' to run Snyk tests against images to find vulnerabilities and learn how to fix them

And I ran docker scan xiaojie99999/kvrocks-operator:latest. Could you please tell me how to solve this problem?

Testing xiaojie99999/kvrocks-operator:latest...

Package manager:   deb
Project name:      docker-image|xiaojie99999/kvrocks-operator
Docker image:      xiaojie99999/kvrocks-operator:latest
Platform:          linux/arm64

✔ Tested 3 dependencies for known vulnerabilities, no vulnerable paths found.

For more free scans that keep your images secure, sign up to Snyk at https://dockr.ly/3ePqVcp

-------------------------------------------------------

Testing xiaojie99999/kvrocks-operator:latest...

✗ Medium severity vulnerability found in golang.org/x/net/http2
  Description: Denial of Service (DoS)
  Info: https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-3160322
  Introduced through: golang.org/x/net/http2@#c7110b5ffcbb
  From: golang.org/x/net/http2@#c7110b5ffcbb
  Fixed in: 0.4.0

✗ High severity vulnerability found in gopkg.in/yaml.v3
  Description: Denial of Service (DoS)
  Info: https://snyk.io/vuln/SNYK-GOLANG-GOPKGINYAMLV3-2841557
  Introduced through: gopkg.in/yaml.v3@#eeeca48fe776
  From: gopkg.in/yaml.v3@#eeeca48fe776
  Fixed in: 3.0.0

✗ High severity vulnerability found in golang.org/x/net/http2/hpack
  Description: Denial of Service (DoS)
  Info: https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2HPACK-3358253
  Introduced through: golang.org/x/net/http2/hpack@#c7110b5ffcbb
  From: golang.org/x/net/http2/hpack@#c7110b5ffcbb
  Fixed in: 0.7.0

✗ High severity vulnerability found in github.com/satori/go.uuid
  Description: Insecure Randomness
  Info: https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMSATORIGOUUID-72488
  Introduced through: github.com/satori/go.uuid@1.2.0
  From: github.com/satori/go.uuid@1.2.0

✗ High severity vulnerability found in github.com/prometheus/client_golang/prometheus/promhttp
  Description: Denial of Service (DoS)
  Info: https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMPROMETHEUSCLIENTGOLANGPROMETHEUSPROMHTTP-2401819
  Introduced through: github.com/prometheus/client_golang/prometheus/promhttp@1.7.1
  From: github.com/prometheus/client_golang/prometheus/promhttp@1.7.1
  Fixed in: 1.11.1

Package manager:   gomodules
Target file:       /manager
Project name:      github.com/RocksLabs/kvrocks-operator
Docker image:      xiaojie99999/kvrocks-operator:latest

Tested 265 dependencies for known vulnerabilities, found 5 vulnerabilities.

For more free scans that keep your images secure, sign up to Snyk at https://dockr.ly/3ePqVcp

Tested 2 projects, 1 contained vulnerable paths.

ColinChamber commented 1 year ago

Thanks @xiao-jay. Security is indeed crucial, while we are not experts in the field. Let's start by integrating the build-push process of the image into the CI workflow. We can later understand the background together and fix them in the next phase.
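A GitHub Actions workflow that does what this comment proposes, written here as an added illustration rather than the kvrocks-operator project's own CI file. It assumes the rockslabs repository on docker.io (as the issue description requests) and two repository secrets, DOCKERHUB_USERNAME and DOCKERHUB_TOKEN, whose names are placeholders; the job has read-only repository permissions so a compromised build step cannot push code, and it only pushes on real push events, never from a pull request.

```yaml
# Added example workflow (not the project's own): build the operator image
# with Buildx and push it to Docker Hub using docker/build-push-action.
name: Build and push image

on:
  push:
    branches: [ main ]
    tags: [ 'v*' ]
  pull_request:

jobs:
  build-push:
    runs-on: ubuntu-latest
    permissions:
      contents: read      # least privilege: the job never needs to write back
    steps:
      - uses: actions/checkout@v3

      - name: Set up QEMU (needed for the linux/arm64 build)
        uses: docker/setup-qemu-action@v2

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2

      - name: Log in to Docker Hub
        # Skipped on pull requests so forks never see registry credentials.
        if: github.event_name != 'pull_request'
        uses: docker/login-action@v2
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}   # assumed secret name
          password: ${{ secrets.DOCKERHUB_TOKEN }}      # assumed secret name

      - name: Derive image tags and OCI labels
        id: meta
        uses: docker/metadata-action@v4
        with:
          images: docker.io/rockslabs/kvrocks-operator
          tags: |
            type=ref,event=branch
            type=semver,pattern={{version}}
            type=sha

      - name: Build and push
        uses: docker/build-push-action@v4
        with:
          context: .
          platforms: linux/amd64,linux/arm64
          push: ${{ github.event_name != 'pull_request' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
```

Pull requests still get a full build (push is false), so a broken Dockerfile is caught before merge without any credential being exposed to the PR.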

ColinChamber commented 1 year ago

Hi, may I ask whether a mirror image is suitable for pushing to ghcr.io of GitHub or Docker Hub?

What does "suitable" mean in this context?

xiao-jay commented 1 year ago

Maybe pushing the image to docker.io is suitable? Because some people cannot pull the image in China if it is pushed to ghcr.io.

On May 14, 2023, at 23:55, ColinChamber @.***> wrote:

 Hi, may I ask whether a mirror image is suitable for pushing to ghcr.io of GitHub or Docker Hub? What does "suitable" mean in this context?


jiayouxujin commented 1 year ago

Hi, is this result from the latest dependencies?

ColinChamber commented 1 year ago

You can try to use the latest code (after #16). According to @jiayouxujin's attempt, after upgrading the dependencies, there is only one vulnerable package left. @xiao-jay

xiao-jay commented 1 year ago

You can try to use the latest code (after #16). According to @jiayouxujin's attempt, after upgrading the dependencies, there is only one vulnerable package left. @xiao-jay

Good job