For a period of weeks when there were "HIGH" and "CRITICAL" security vulnerabilities flagged on the alpine:3.14 base image, the only way to get your builds to upgrade past them was to explicitly call for 3.14.1.
The alpine:3.14 base image is being upgraded again, and 3.14.2 is out. This PR removes the pin for 3.14.1 and replaces it with 3.14 (which emits this scan when observed through Snyk):
$ docker scan alpine:3.14
Testing alpine:3.14...
Organization: kingdonb
Package manager: apk
Project name: docker-image|alpine
Docker image: alpine:3.14
Platform: linux/amd64
Base image: alpine:3.14.2
Licenses: enabled
✓ Tested 14 dependencies for known issues, no vulnerable paths found.
According to our scan, you are currently using the most secure version of the selected base image
Here is the output on Flux's latest release at current date, for reference:
This is a patch-level change, so I will plan to include it in the 1.24.1 milestone that is still upcoming, date TBD. I don't know if we are linking statically or if we use these SSL libraries; the vulnerability is marked LOW severity.
I won't make any judgment at this point on whether this means we should upgrade immediately, but I think it's fair to say that feedback from community members about whether this change is urgent for you can help influence my opinion. I don't know how close attention our users are paying to things like this, but suspect it varies widely depending mostly on who you work for and what procedures for supply chain security and container image controls you may have in place.
I will probably plan on releasing a new image with this change included either later this week or early next week, absent any feedback of that type, with the potential to be a bit later than that! If someone can show this directly affects Flux, I would be inclined to raise the urgency of the release, but right now it's not exactly clear to me if those effects are even possible.
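As an added example (not part of this PR or the Flux project), a small CI gate that parses the `docker scan` summary quoted above and checks that the floating `alpine:3.14` tag actually resolved to a patch level at or above the 3.14.1 the build previously pinned, and that the scan came back clean. The sample text is the scan output from this PR; the `3.14.1` minimum and the function names are assumptions for the example.

```python
import re
from dataclasses import dataclass
from typing import Tuple

# Constructed sample: the `docker scan alpine:3.14` output quoted in the PR.
SAMPLE_SCAN = """\
Testing alpine:3.14...
Organization: kingdonb
Package manager: apk
Project name: docker-image|alpine
Docker image: alpine:3.14
Platform: linux/amd64
Base image: alpine:3.14.2
Licenses: enabled
✓ Tested 14 dependencies for known issues, no vulnerable paths found.
"""


@dataclass
class ScanResult:
    requested: str   # tag the build asked for, e.g. "alpine:3.14"
    resolved: str    # concrete base image the scanner saw, e.g. "alpine:3.14.2"
    tested: int      # number of dependencies tested
    clean: bool      # True only when the summary says "no vulnerable paths found"


def parse_scan(text: str) -> ScanResult:
    """Parse the human-readable `docker scan` (Snyk) summary into a ScanResult."""
    requested = re.search(r"^Docker image:\s*(\S+)", text, re.M).group(1)
    resolved = re.search(r"^Base image:\s*(\S+)", text, re.M).group(1)
    tested = int(re.search(r"Tested (\d+) dependencies", text).group(1))
    clean = re.search(r"no vulnerable paths found", text) is not None
    return ScanResult(requested, resolved, tested, clean)


def version_tuple(image: str) -> Tuple[int, ...]:
    """'alpine:3.14.2' -> (3, 14, 2); a non-numeric tag such as 'latest' gives ()."""
    tag = image.rsplit(":", 1)[-1]
    return tuple(int(p) for p in tag.split(".") if p.isdigit())


def base_is_acceptable(result: ScanResult, minimum: str) -> bool:
    """Gate: the floating tag must resolve to >= `minimum` and the scan must be clean.

    Guards against a floating tag silently pointing back at a patch level that
    was already flagged, which is why the build had been pinned to 3.14.1.
    """
    return version_tuple(result.resolved) >= version_tuple(minimum) and result.clean


if __name__ == "__main__":
    scan = parse_scan(SAMPLE_SCAN)
    print(f"{scan.requested} resolved to {scan.resolved}; ok={base_is_acceptable(scan, '3.14.1')}")
```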