fnproject / fn

The container native, cloud agnostic serverless platform.
http://fnproject.io
Apache License 2.0

[security] Update base docker images with necessary upgrades #1475

Open denismakogon opened 5 years ago

denismakogon commented 5 years ago

Description

As the official FDK maintainers, we have committed ourselves to delivering the best tooling for doing serverless with Fn.

One of the first things we need to fix is the security of the docker base images for particular runtimes like Go, Java, Node, Python and Ruby.

Unfortunately, we have obvious problems with our base images because certain packages must be updated ASAP.

Steps to reproduce the issue:

snyk test --docker <fn-runtime-image> --json | docker run --rm -i denismakogon/snyk-filter:0.0.6

Replace <fn-runtime-image> with any of the following images:

Describe the results you received: I'll post some results of testing our base images here:

Describe the results you expected: Well, hard to say, but I'd like to see no issues with packages in base images.

Action items

carimura commented 5 years ago

Thanks for starting this. +1 on the CI job.

rdallman commented 5 years ago

there's a more pressing issue of actually updating the runtime images, which probably precedes this task. none of them have automatic update in CI on a cron schedule regularly (and few on a master gets updated schedule, too). all that this says is that we don't run apk upgrade, which is easy to fix. I don't disagree about doing this but we should automate it. I could just as easily every monday send an email that says we haven't updated the packages in the runtime images -- the info we're getting here isn't very valuable at least from what I can tell and could be automated away. though it's fine for us to run snyk, at present we don't even have the runtime images set up to update, think that task precedes this or this is just annoying and not telling us anything we don't already know.

denismakogon commented 5 years ago

thanks for the feedback, however, I don't feel like there's a way to automate fixes for package security issues, because not all problems can be solved only by doing apt-get update. From what I know you'd need to add the security package index and basically wait for an update to show up. But again, there are two types of fixes: the one that comes with an upgrade and the one that comes with a patch, and the patch here is way too complex because you'd need to build packages yourself.

the tool I've made shows only issues fixable via upgrade, which can kinda be gated easily by the CI.
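The reproduce step in the issue body pipes `snyk test --docker <image> --json` through a filter, and the comment above draws the line between issues fixable by a package upgrade (which CI can gate on) and issues that need a patch or an upstream fix. The script below is an added example of such a CI gate; it is not code from fnproject or from the denismakogon/snyk-filter tool. The report layout it reads (`vulnerabilities[]` entries with `isUpgradable`, `isPatchable`, `severity`, `packageName`, `version`, `upgradePath`) is my understanding of the `snyk test --json` output and is an assumption to verify against the snyk version in use; the embedded report is constructed sample data, not a real scan of an Fn image.

```python
"""CI gate over a Snyk JSON report for a container image.

Added example, not fnproject code and not the denismakogon/snyk-filter tool.
The field names below (vulnerabilities, isUpgradable, isPatchable, severity,
packageName, version, upgradePath) are assumed from the `snyk test --json`
layout; check them against the snyk version you actually run.
"""
import json
import sys

# Constructed sample report standing in for `snyk test --docker <image> --json`.
# Package names and versions are illustrative, not findings from a real image.
SAMPLE_REPORT = json.dumps({
    "ok": False,
    "packageManager": "apk",
    "vulnerabilities": [
        {"id": "SAMPLE-OPENSSL-1", "packageName": "openssl", "version": "1.1.1a-r0",
         "severity": "high", "isUpgradable": True, "isPatchable": False,
         "upgradePath": [False, "openssl@1.1.1b-r0"]},
        {"id": "SAMPLE-MUSL-1", "packageName": "musl", "version": "1.1.20-r3",
         "severity": "medium", "isUpgradable": False, "isPatchable": True,
         "upgradePath": []},
        {"id": "SAMPLE-BUSYBOX-1", "packageName": "busybox", "version": "1.29.3-r10",
         "severity": "low", "isUpgradable": False, "isPatchable": False,
         "upgradePath": []},
    ],
})

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def classify(report_text):
    """Split findings into the two categories the thread describes:
    fixable by a package upgrade (CI can fail on these) versus everything
    else (needs a patch or an upstream release; report only)."""
    report = json.loads(report_text)
    upgradable, pending = [], []
    for vuln in report.get("vulnerabilities", []):
        (upgradable if vuln.get("isUpgradable") else pending).append(vuln)
    return upgradable, pending


def should_fail(report_text, min_severity="low"):
    """True when an upgradable finding at or above min_severity exists,
    i.e. a plain `apk upgrade` / `apt-get upgrade` in the Dockerfile would
    resolve it, so the image build should not pass as-is."""
    threshold = SEVERITY_RANK[min_severity]
    upgradable, _ = classify(report_text)
    return any(SEVERITY_RANK.get(v.get("severity", "low"), 0) >= threshold
               for v in upgradable)


def summarize(report_text):
    """Human-readable lines for the CI log, fixable findings first."""
    upgradable, pending = classify(report_text)
    lines = []
    for v in upgradable:
        # upgradePath mixes False (no change needed) with "pkg@version" strings.
        target = next((p for p in v.get("upgradePath", []) if p), "?")
        lines.append(f"FIXABLE  {v['severity']:8} "
                     f"{v['packageName']}@{v['version']} -> {target}")
    for v in pending:
        how = "patch available" if v.get("isPatchable") else "no fix yet"
        lines.append(f"PENDING  {v['severity']:8} "
                     f"{v['packageName']}@{v['version']} ({how})")
    return lines


if __name__ == "__main__":
    # Usage: snyk test --docker <image> --json > report.json && python gate.py report.json
    # Without an argument the constructed sample report is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    print("\n".join(summarize(text)))
    sys.exit(1 if should_fail(text, "medium") else 0)
```

Failing only on upgradable findings keeps the gate actionable: a red build always means "rebuild with upgraded packages", while patch-only or unfixed findings still show up in the log for tracking without blocking every commit until upstream ships a release.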

denismakogon commented 5 years ago

First, I'd like to move the FDK base images out of the dockers repo to the FDK repos. Then we can gate the Dockerfiles at every commit with the tool I've made.

rdallman commented 5 years ago

moving dockerfiles to fdks is fine. please make sure there is a script for updating them (fnproject/dockers has a script). we need to get a docker hub bot and set up CI to do this chore, too, ideally, it's manual atm. and further, as stated, need to set up cron since the FDKs are updated infrequently but can do that after getting CI bot set up.

denismakogon commented 5 years ago

First bits of work requiring reviews:

rdallman commented 5 years ago

can we cover all FDKs before merging any one of them? I am very much trying to protect against the situation where we update a couple of them with all this fancy build stuff but leave the others to rot, also not to have intermediate patches that we aren't sure about with repos in different states to track. it would be nice to be consistent across everything, for the build stuff as well as this.

reviewing is ok first, to figure out the shape of all this stuff.

denismakogon commented 5 years ago

Right, at first I'd like to have a complete PR for one of the FDKs (I started with Python) and then just populate the work across the others.

denismakogon commented 5 years ago

Okay, now both Python and Node FDKs use Anchore to run security checks, which is totally cool because it's free and built into Circle CI via orbs. The only thing that is still unclear is described here: https://github.com/anchore/anchore-engine/issues/174