dora-metrics / pelorus

Automate the measurement of organizational behavior
https://pelorus.readthedocs.io/
Apache License 2.0

Pelorus images are getting old, crusty and full of vulnerabilities. We should rebuild and update them more often. #1128

Closed etsauer closed 3 months ago

etsauer commented 5 months ago

OpenShift version

Not related to OpenShift

Problem description

When looking at the vulnerability reports in Quay, I see that the pelorus images are looking pretty gross right now. Can we update them and release a quick z-stream patch?

Steps to reproduce

  1. Follow this link to see CVEs for the pelorus-operator image, as an example: https://quay.io/repository/pelorus/pelorus-operator/manifest/sha256:cee273a931f90722b9b542782df90fc9bd4908d2e432110bad79578c91759b7d?tab=vulnerabilities&fixable=true
  2. Check out the other images in the pelorus org that are showing similar results: https://quay.io/organization/pelorus

Current behavior

Lots of CVEs are returned

Expected behavior

Fewer CVEs shown, and no Critical ones shown in the report.

etsauer commented 5 months ago

For the Operator, it looks like the main change we need to make here is to update the version of the helm-operator image we're pulling in.

https://github.com/dora-metrics/pelorus/blob/master/pelorus-operator/Dockerfile#L2

I'll open a PR for that.