datacommonsorg / data

Apache License 2.0

Import Automation: Zero day vulnerability force upgrade libwebp version #969

Closed jehangiramjad closed 5 months ago

jehangiramjad commented 5 months ago

We continue to be notified that the Docker images are still using libwebp 1.2.4-0.2. Trying with a force version upgrade.

shifucun commented 5 months ago

In this link, you can see each docker image and its vul details. Looks like the most recent one does not reduce it.

https://pantheon.corp.google.com/gcr/images/datcom-ci/global/datacommons-import-automation-executor?mods=-monitoring_api_staging

Also if you click into the most recent one, looks like there are no fixes for the found issues. So maybe double check the reported vul and the one listed here.

Note the reopened one in b/320239641 refers to an old docker image (which I think is still in deployment in gke). So the latest one should be ok.

jehangiramjad commented 5 months ago

Ok interesting. Perhaps the vulnerability checking internally on prod (which is what's opening the bug) is not getting refreshed. I have now deleted and then redeployed GKE and the latest docker image is associated with the newest commit after yesterday's PR submission. So that should (in theory) mean that the old image being referenced in the bug is no longer being used anywhere. Let me try to "fix" the bug again and see what happens.

jehangiramjad commented 5 months ago

Looks like this isn't needed and that the vulnerability reported is now gone.