mathieu-benoit / sail-sharp

Sail Sharp - Security best practices with .NET Core & Kubernetes
https://medium.com/p/c68ba253844a

`-azurelinux3.0-distroless-aot` #155

Open mathieu-benoit opened 1 month ago

mathieu-benoit commented 1 month ago

Testing, not sure yet.

| image | size | packages | cves |
|---|---|---|---|
| noble-chiseled | 40.7MB | 7 | 5 |
| azurelinux | 50.6MB | 10 | 0 |

docker images:

```none
REPOSITORY                                          TAG       IMAGE ID       CREATED          SIZE
sail-sharp-my-sample-workload-my-sample-container   latest    200dfcd3321d   31 minutes ago   50.6MB
ghcr.io/mathieu-benoit/my-sample-workload           latest    8841581add41   6 days ago       40.7MB
```

syft ghcr.io/mathieu-benoit/my-sample-workload (based on noble-chiseled):

```none
 ✔ Loaded image        ghcr.io/mathieu-benoit/my-sample-workload:latest
 ✔ Parsed image        sha256:8841581add4133f57ed323a152cb0ca7659de94832ece37dde4e283526caa54c
 ✔ Cataloged contents  6fa1280a4ea7603039914011a67641aadc93e22db420223c7b1ac5450498048d
   ├── ✔ Packages                        [7 packages]
   ├── ✔ File digests                    [6 files]
   ├── ✔ File metadata                   [6 locations]
   └── ✔ Executables                     [29 executables]
NAME             VERSION               TYPE
base-files       13ubuntu10            deb
ca-certificates  20240203              deb
gcc-14-base      14-20240412-0ubuntu1  deb
libc6            2.39-0ubuntu8.2       deb
libgcc-s1        14-20240412-0ubuntu1  deb
libssl3t64       3.0.13-0ubuntu3.2     deb
openssl          3.0.13-0ubuntu3.2     deb
```

syft sail-sharp-my-sample-workload-my-sample-container (based on azure-linux, this PR):

```none
 ✔ Loaded image        sail-sharp-my-sample-workload-my-sample-container:latest
 ✔ Parsed image        sha256:200dfcd3321d703490e44f2fc2e48c5f38cda3c58f242e97cf9e4fd2c4a06eb9
 ✔ Cataloged contents  16e2099d1a37e0db763a7ec3c4abbdf285248b550ec588546a2f9d3f0415ede0
   ├── ✔ Packages                        [10 packages]
   ├── ✔ File digests                    [39 files]
   ├── ✔ File metadata                   [39 locations]
   └── ✔ Executables                     [43 executables]
[0001]  WARN unable to parse cpe attributes for elf binary package error=unable to parse Attributes string: failed to parse Attributes="": wfn: unsupported format ""
[0001]  WARN unable to parse cpe attributes for elf binary package error=unable to parse Attributes string: failed to parse Attributes="": wfn: unsupported format ""
NAME                         VERSION               TYPE
azurelinux-release           3.0-18.azl3           rpm
distroless-packages-minimal  3.0-5.azl3            rpm
filesystem                   1.1-21.azl3           rpm
glibc                        2.38                  rpm
glibc                        2.38-7.azl3           rpm
libgcc                       13.2.0-7.azl3         rpm
openssl                      3.3.0                 rpm
openssl-libs                 3.3.0-2.azl3          rpm
prebuilt-ca-certificates     2501981:3.0.0-7.azl3  rpm
tzdata                       2024a-1.azl3          rpm
```

trivy image ghcr.io/mathieu-benoit/my-sample-workload:

```none
ghcr.io/mathieu-benoit/my-sample-workload (ubuntu 24.04)
========================================================
Total: 5 (UNKNOWN: 0, LOW: 3, MEDIUM: 2, HIGH: 0, CRITICAL: 0)

┌────────────┬────────────────┬──────────┬──────────┬───────────────────┬───────────────────┬─────────────────────────────────────────────────────────────┐
│  Library   │ Vulnerability  │ Severity │  Status  │ Installed Version │   Fixed Version   │                            Title                            │
├────────────┼────────────────┼──────────┼──────────┼───────────────────┼───────────────────┼─────────────────────────────────────────────────────────────┤
│ libc6      │ CVE-2016-20013 │ LOW      │ affected │ 2.39-0ubuntu8.2   │                   │ sha256crypt and sha512crypt through 0.6 allow attackers to  │
│            │                │          │          │                   │                   │ cause a denial of...                                        │
│            │                │          │          │                   │                   │ https://avd.aquasec.com/nvd/cve-2016-20013                  │
├────────────┼────────────────┼──────────┼──────────┼───────────────────┼───────────────────┼─────────────────────────────────────────────────────────────┤
│ libssl3t64 │ CVE-2024-6119  │ MEDIUM   │ fixed    │ 3.0.13-0ubuntu3.2 │ 3.0.13-0ubuntu3.4 │ openssl: Possible denial of service in X.509 name checks    │
│            │                │          │          │                   │                   │ https://avd.aquasec.com/nvd/cve-2024-6119                   │
│            ├────────────────┼──────────┼──────────┤                   ├───────────────────┼─────────────────────────────────────────────────────────────┤
│            │ CVE-2024-41996 │ LOW      │ affected │                   │                   │ openssl: remote attackers (from the client side) to trigger │
│            │                │          │          │                   │                   │ unnecessarily expensive server-side...                      │
│            │                │          │          │                   │                   │ https://avd.aquasec.com/nvd/cve-2024-41996                  │
├────────────┼────────────────┼──────────┼──────────┤                   ├───────────────────┼─────────────────────────────────────────────────────────────┤
│ openssl    │ CVE-2024-6119  │ MEDIUM   │ fixed    │                   │ 3.0.13-0ubuntu3.4 │ openssl: Possible denial of service in X.509 name checks    │
│            │                │          │          │                   │                   │ https://avd.aquasec.com/nvd/cve-2024-6119                   │
│            ├────────────────┼──────────┼──────────┤                   ├───────────────────┼─────────────────────────────────────────────────────────────┤
│            │ CVE-2024-41996 │ LOW      │ affected │                   │                   │ openssl: remote attackers (from the client side) to trigger │
│            │                │          │          │                   │                   │ unnecessarily expensive server-side...                      │
│            │                │          │          │                   │                   │ https://avd.aquasec.com/nvd/cve-2024-41996                  │
└────────────┴────────────────┴──────────┴──────────┴───────────────────┴───────────────────┴─────────────────────────────────────────────────────────────┘
```

trivy image sail-sharp-my-sample-workload-my-sample-container:

```none
sail-sharp-my-sample-workload-my-sample-container (azurelinux 3.0)
==================================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
```

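
As an added example (not code from the sail-sharp repo or this PR), a small Python helper that reads Trivy's `--format json` output for the two images and separates findings a rebuild would pick up (`Status` of `fixed` with a fixed version) from findings with no fix available yet; the embedded reports are constructed to mirror the findings shown above, and the `gate` policy thresholds are assumptions.

```python
"""Summarise Trivy JSON findings by severity and fix availability.

The two reports below are constructed samples (subset of Trivy's JSON
schema) reproducing this PR's results: 5 findings on the noble-chiseled
image, none on the azurelinux 3.0 image.
"""
import json
from collections import Counter

SEVERITIES = ("UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL")


def _v(pkg, cve, sev, status, fixed=""):
    """Build one Trivy-style vulnerability entry (constructed sample data)."""
    return {"PkgName": pkg, "VulnerabilityID": cve, "Severity": sev,
            "Status": status, "FixedVersion": fixed}


NOBLE_REPORT = json.dumps({
    "Metadata": {"OS": {"Family": "ubuntu", "Name": "24.04"}},
    "Results": [{"Vulnerabilities": [
        _v("libc6", "CVE-2016-20013", "LOW", "affected"),
        _v("libssl3t64", "CVE-2024-6119", "MEDIUM", "fixed", "3.0.13-0ubuntu3.4"),
        _v("libssl3t64", "CVE-2024-41996", "LOW", "affected"),
        _v("openssl", "CVE-2024-6119", "MEDIUM", "fixed", "3.0.13-0ubuntu3.4"),
        _v("openssl", "CVE-2024-41996", "LOW", "affected"),
    ]}],
})
AZL_REPORT = json.dumps({"Metadata": {"OS": {"Family": "azurelinux", "Name": "3.0"}},
                         "Results": [{}]})  # no Vulnerabilities key: clean image


def summarize(report_json: str) -> dict:
    """Totals per severity, plus how many findings a plain rebuild would fix."""
    report = json.loads(report_json)
    vulns = [v for r in report.get("Results", []) for v in (r.get("Vulnerabilities") or [])]
    by_sev = Counter(v["Severity"] for v in vulns)
    fixed = [v for v in vulns if v.get("Status") == "fixed" and v.get("FixedVersion")]
    unfixed = [v for v in vulns if v not in fixed]
    os_meta = report["Metadata"]["OS"]
    return {
        "os": f'{os_meta["Family"]} {os_meta["Name"]}',
        "total": len(vulns),
        "by_severity": {s: by_sev.get(s, 0) for s in SEVERITIES},
        "fixable_by_rebuild": len(fixed),
        "unfixed": len(unfixed),
        "unfixed_ids": sorted({v["VulnerabilityID"] for v in unfixed}),
    }


def gate(summary: dict, max_unfixed: int = 0, block_on=("HIGH", "CRITICAL")) -> bool:
    """Assumed CI policy: fail on any HIGH/CRITICAL, or on too many unfixable findings."""
    if any(summary["by_severity"][s] for s in block_on):
        return False
    return summary["unfixed"] <= max_unfixed
```

With the page's results, the noble-chiseled image has 2 findings a rebuild against `3.0.13-0ubuntu3.4` would clear and 3 LOW findings with no fix, so it fails the strict default gate while the azurelinux image passes.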
github-actions[bot] commented 1 month ago

Deployment successfully completed for PR-155! :tada:

View in Humanitec

Deployment ID: 17f4fe385fd0e696

URLs:

my-sample-workload: helloworld-preview.endpoints.mathieu-benoit-gcp.cloud.goog

### Deployment diff:

```json
{
  "modules": {
    "add": null,
    "remove": [],
    "update": {
      "my-sample-workload": [
        {
          "from": "",
          "op": "replace",
          "path": "/spec/containers/my-sample-container/image",
          "value": "us-east4-docker.pkg.dev/mathieu-benoit-gcp/containers/my-sample-workload@sha256:acb59fa8b5ffdd593a59279ced36231c07aa17c1ea86f54ac6ee0abf62d2e8e5"
        },
        {
          "from": "",
          "op": "replace",
          "path": "/spec/annotations/humanitec.io~1workload-source",
          "value": "https://github.com/mathieu-benoit/sail-sharp/blob/azure-linux/score/score.yaml"
        }
      ]
    }
  },
  "shared": null
}
```

### Active Resources Usage:

| ResType | Class | ResID | Usage | Last referencing deployment | Last referencing deployment created ago |
|---|---|---|---|---|---|
| agent | default | agent | current deploy | 17f4fe385fd0e696 | 39.717571338s |
| base-env | default | base-env | current deploy | 17f4fe385fd0e696 | 39.717575005s |
| k8s-cluster | default | k8s-cluster | current deploy | 17f4fe385fd0e696 | 39.717577419s |
| k8s-namespace | default | k8s-namespace | current deploy | 17f4fe385fd0e696 | 39.717579593s |
| logging | default | logging | current deploy | 17f4fe385fd0e696 | 39.717581447s |
| k8s-service-account | default | modules.my-sample-workload | current deploy | 17f4fe385fd0e696 | 39.717583s |
| workload | default | modules.my-sample-workload | current deploy | 17f4fe385fd0e696 | 39.717584512s |
| dns | default | modules.my-sample-workload.externals.dns | current deploy | 17f4fe385fd0e696 | 39.717585985s |
| ingress | default | modules.my-sample-workload.externals.dns | current deploy | 17f4fe385fd0e696 | 39.717586987s |
| tls-cert | default | modules.my-sample-workload.externals.dns | current deploy | 17f4fe385fd0e696 | 39.717587909s |
| route | default | modules.my-sample-workload.externals.route | current deploy | 17f4fe385fd0e696 | 39.71758872s |

### Resources Graph:

Use a [Graphviz](https://graphviz.org) viewer for a visual representation.