chainguard-dev / rumble

Data collection for base image CVEs etc.
Apache License 2.0

[Feature] Collect Data on When Image Was Last Built #1

Closed jspeed-meyers closed 1 year ago

jspeed-meyers commented 1 year ago

For instance:

$ crane config --platform linux/amd64 nginx:1.23.3 | jq .created
"2022-12-21T11:28:36.032076444Z"

As suggested by @amouat after looking at the below data:

❯ crane config --platform linux/amd64 nginx:1.23.2 | jq .created
"2022-12-06T04:46:58.320356931Z"
❯ crane config --platform linux/amd64 nginx:1.23.1 | jq .created
"2022-10-05T12:44:20.724514723Z"
❯ crane config --platform linux/amd64 nginx:1.23.0 | jq .created
"2022-07-12T05:00:50.081423817Z"
❯ crane config --platform linux/amd64 nginx:1.22.1 | jq .created
"2022-12-21T11:29:15.107897749Z"
❯ crane config --platform linux/amd64 nginx:1.22.0 | jq .created
"2022-10-05T12:45:11.834223042Z"

There are some interesting jumps. The point is that if you’re using a version that hasn’t been updated in a while, you’re not only open to vulnerabilities in nginx, but also any other installed software, e.g. OS utilities. By contrast, we are planning to continuously rebuild (some) older versions as part of Chainguard Images. It would be interesting to know how quickly versions stop being rebuilt and the effect this has on the accumulation of vulnerabilities.

Collecting this data would allow analysis of the relationship between the time an image was last rebuilt and the accumulation of CVEs in that image.
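The check described in the comment above, turned into a small script. This is an added example, not code from the rumble project or from the issue: it takes the JSON that `crane config` prints, parses the `created` field (RFC 3339 with nanoseconds, which `datetime.fromisoformat` does not reliably accept on older Pythons) and reports how many days have passed since each tag was last built, against a build-horizon policy. The sample configs are constructed here from the `created` values quoted in the issue plus one extra tag with an epoch timestamp, the reference date and the 90-day horizon are assumptions, and nothing is fetched from a registry.

```python
"""Age of an image's last build, from the `created` field of its OCI config."""
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample configs, reduced to the fields `crane config` prints that we use.
# The nginx `created` values are the ones quoted in the issue; the last entry is a
# made-up tag whose builder zeroed the timestamp (tools that aim for reproducible
# builds, ko for instance, default `created` to the Unix epoch).
SAMPLE_CONFIGS = {
    "nginx:1.23.3": '{"architecture":"amd64","created":"2022-12-21T11:28:36.032076444Z","os":"linux"}',
    "nginx:1.23.2": '{"architecture":"amd64","created":"2022-12-06T04:46:58.320356931Z","os":"linux"}',
    "nginx:1.23.1": '{"architecture":"amd64","created":"2022-10-05T12:44:20.724514723Z","os":"linux"}',
    "nginx:1.23.0": '{"architecture":"amd64","created":"2022-07-12T05:00:50.081423817Z","os":"linux"}',
    "nginx:1.22.1": '{"architecture":"amd64","created":"2022-12-21T11:29:15.107897749Z","os":"linux"}',
    "nginx:1.22.0": '{"architecture":"amd64","created":"2022-10-05T12:45:11.834223042Z","os":"linux"}',
    "example.invalid/repro:1.0": '{"architecture":"amd64","created":"1970-01-01T00:00:00Z","os":"linux"}',
}

# Assumed "today" so the numbers below are stable; use datetime.now(timezone.utc) for real runs.
NOW = datetime(2023, 1, 20, tzinfo=timezone.utc)
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

_RFC3339 = re.compile(
    r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?(Z|[+-]\d{2}:\d{2})$"
)


def parse_created(value):
    """Parse an OCI `created` timestamp into an aware UTC datetime.

    OCI configs carry nanosecond precision; Python keeps microseconds, so the
    fractional part is truncated to six digits. Offsets other than Z are normalised.
    """
    m = _RFC3339.match(value)
    if not m:
        raise ValueError(f"unrecognised timestamp: {value!r}")
    base, frac, tz = m.groups()
    micro = int((frac or "0")[:6].ljust(6, "0"))
    dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(microsecond=micro)
    if tz == "Z":
        return dt.replace(tzinfo=timezone.utc)
    sign = 1 if tz[0] == "+" else -1
    offset = sign * timedelta(hours=int(tz[1:3]), minutes=int(tz[4:6]))
    return (dt - offset).replace(tzinfo=timezone.utc)


def image_age_days(config_json, now):
    """Whole days between the config's `created` and `now`.

    Returns None when `created` is absent or is the Unix epoch: that is a fixed
    placeholder written by the build tool, not evidence of when the image was built.
    """
    cfg = json.loads(config_json)
    if "created" not in cfg:
        return None
    created = parse_created(cfg["created"])
    if created <= EPOCH:
        return None
    return (now - created).days


def classify(configs, now, horizon_days):
    """Split image refs into fresh / stale / unknown against a build-horizon policy.

    `stale` and `fresh` map ref -> age in days; `unknown` lists refs whose
    `created` field cannot be trusted and need another signal (e.g. provenance).
    """
    result = {"fresh": {}, "stale": {}, "unknown": []}
    for ref, cfg in configs.items():
        age = image_age_days(cfg, now)
        if age is None:
            result["unknown"].append(ref)
        elif age > horizon_days:
            result["stale"][ref] = age
        else:
            result["fresh"][ref] = age
    return result


if __name__ == "__main__":
    report = classify(SAMPLE_CONFIGS, NOW, horizon_days=90)  # assumed 90-day horizon
    for bucket in ("fresh", "stale"):
        for ref, age in sorted(report[bucket].items(), key=lambda kv: kv[1]):
            print(f"{bucket:7} {ref:28} last built {age:4d} days ago")
    for ref in report["unknown"]:
        print(f"unknown {ref:28} created is epoch/missing; check provenance instead")
```

To run it against a live registry, replace the constructed dictionary with the output of `crane config --platform linux/amd64 <ref>` per tag. Treat `created` as a hint rather than proof: it is set by whatever built the image, is not covered by any signature over the manifest in a way that ties it to a real build date, and is deliberately pinned to the epoch by some reproducible-build tooling, which is why the script reports those images as unknown instead of as very old.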

jspeed-meyers commented 1 year ago

This feature could also help @amdawson by enabling an analysis that helps empirically determine a "build horizon" policy.