nasa / opera-sds-pge

Observational Products for End-Users from Remote Sensing Analysis (OPERA)
Apache License 2.0
16 stars, 6 forks

Investigate means of vulnerability patching for Grype findings #472

Closed collinss-jpl closed 1 month ago

collinss-jpl commented 2 months ago

Now that we can generate container vulnerability reports via Grype, the next step is to experiment with ways to resolve said findings at time of PGE container creation.

Looking at a sample (abbreviated) vulnerability report, the following findings look like good candidates for testing an initial approach:

Name    Version  Type    Severity  State  Fixed In
Fiona   1.9.4    python  Critical  fixed  1.10b1
Fiona   1.9.4    python  High      fixed  1.10b2
Jinja2  3.1.2    python  Medium    fixed  3.1.4
Jinja2  3.1.2    python  Medium    fixed  3.1.3
Pillow  10.0.1   python  High      fixed  10.2.0
Pillow  10.0.1   python  Medium    fixed  10.3.0

So the goal of this ticket will be to modify the container build script for a single PGE (for this go-around let's use DSWx-S1) such that we install the newest "Fixed" version of Fiona/Jinja2/Pillow into the container's conda environment. We should then be able to rerun the Grype scan (via the integration test pipeline) to see if we've removed the above findings from the Grype report. The results of the integration test should also tell us if we've broken anything by introducing the newer package versions.
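The procedure above (pick the newest "Fixed In" version per package, install it, rescan) can be driven from Grype's machine-readable output rather than read off the table by hand. The script below is an added example and is not code from the opera-sds-pge project or from this ticket. It assumes the layout of `grype -o json` output (each entry of `matches` carrying `artifact.name`, `artifact.version`, `artifact.type` and `vulnerability.fix.state` / `vulnerability.fix.versions`); `SAMPLE_REPORT` is constructed from the findings quoted in the ticket and the SAS image scan, not captured from a real run, and `version_key` is a deliberately simplified stand-in for PEP 440 ordering.

```python
"""Choose the newest "Fixed In" version per package from a Grype JSON report.

Added example; not code from the opera-sds-pge project. Assumes the layout of
`grype -o json` output (matches[].artifact.{name,version,type} and
matches[].vulnerability.fix.{state,versions}). SAMPLE_REPORT is constructed
from the findings quoted in the ticket, not captured from a real scan.
"""
import json
import re
from collections import defaultdict


def _match(name, installed, vuln_id, severity, fixed_in):
    """Build one Grype-style match record (helper for the constructed sample)."""
    return {
        "artifact": {"name": name, "version": installed, "type": "python"},
        "vulnerability": {"id": vuln_id, "severity": severity,
                          "fix": {"state": "fixed", "versions": [fixed_in]}},
    }


# Constructed sample: the ticket's six candidate findings plus two setuptools rows
# from the SAS image scan (the same package seen at two installed versions).
SAMPLE_REPORT = json.dumps({"matches": [
    _match("Fiona", "1.9.4", "GHSA-q5fm-55c2-v6j9", "Critical", "1.10b1"),
    _match("Fiona", "1.9.4", "GHSA-g4m4-9q4c-mfw6", "High", "1.10b2"),
    _match("Jinja2", "3.1.2", "GHSA-h75v-3vvj-5mfj", "Medium", "3.1.4"),
    _match("Jinja2", "3.1.2", "GHSA-h5c8-rqwp-cp95", "Medium", "3.1.3"),
    _match("Pillow", "10.0.1", "GHSA-3f63-hfp8-52jq", "High", "10.2.0"),
    _match("Pillow", "10.0.1", "GHSA-44wm-f244-xhp3", "Medium", "10.3.0"),
    _match("setuptools", "39.2.0", "GHSA-cx63-2mw6-8hw5", "High", "70.0.0"),
    _match("setuptools", "68.2.2", "GHSA-cx63-2mw6-8hw5", "High", "70.0.0"),
]})

_COMPONENT = re.compile(r"^(\d+)(?:([a-z]+)(\d*))?$")


def version_key(version):
    """Sort key approximating PEP 440 for strings like '3.1.4' or '1.10b2'.

    A component with a pre-release tag sorts below the same component without
    one, so 1.10 > 1.10b2 > 1.10b1. Assumption/simplification: epoch, post,
    dev and local labels are not handled; '3.1' and '3.1.0' are not equal.
    """
    key = []
    for component in version.split("."):
        m = _COMPONENT.match(component)
        if m is None:
            raise ValueError(f"unsupported component {component!r} in {version!r}")
        number, tag, tag_number = m.groups()
        key.append((int(number), 1 if tag is None else 0, tag or "", int(tag_number or 0)))
    return tuple(key)


def newest_fixed_versions(report_json, types=("python",)):
    """Return {package: newest fixed version} pooled over all of its findings.

    Only matches with fix state 'fixed' and an artifact type in `types` count
    (grype --only-fixed, restricted to one ecosystem). Pooling matters: Fiona
    resolves to 1.10b2, which closes both of its findings, not to 1.10b1.
    """
    report = json.loads(report_json)
    candidates = defaultdict(set)
    for match in report.get("matches", []):
        artifact = match["artifact"]
        fix = match["vulnerability"].get("fix", {})
        if artifact.get("type") not in types or fix.get("state") != "fixed":
            continue
        candidates[artifact["name"]].update(fix.get("versions", []))
    return {name: max(versions, key=version_key) for name, versions in candidates.items()}


def multiply_installed(report_json):
    """{package: sorted installed versions} for packages seen at more than one
    installed version. Upgrading one conda environment cannot clear those
    findings: every copy lives in its own site-packages and needs its own fix."""
    report = json.loads(report_json)
    seen = defaultdict(set)
    for match in report.get("matches", []):
        seen[match["artifact"]["name"]].add(match["artifact"]["version"])
    return {n: sorted(v, key=version_key) for n, v in seen.items() if len(v) > 1}


def requirement_lines(targets):
    """Render targets as pip requirement specifiers for the container build.
    Pre-release targets (any non-numeric component) are annotated so a reviewer
    sees that the PGE would be shipping a beta of that package."""
    lines = []
    for name, version in sorted(targets.items()):
        spec = f"{name}>={version}"
        if any(not c.isdigit() for c in version.split(".")):
            spec += "  # pre-release target"
        lines.append(spec)
    return lines


if __name__ == "__main__":
    targets = newest_fixed_versions(SAMPLE_REPORT)
    print("\n".join(requirement_lines(targets)))
    for name, versions in multiply_installed(SAMPLE_REPORT).items():
        print(f"# {name} installed at {len(versions)} versions: {', '.join(versions)}")
```

Run against a real report (`grype -o json <image> > report.json`, then feed the file contents to `newest_fixed_versions`), the requirement lines can be handed to `pip install` inside the PGE's conda environment before the rescan. Two caveats worth carrying into the build script: a `>=1.10b2` specifier names a pre-release, so the fix for Fiona means shipping beta code in the PGE, which is exactly what the integration test run mentioned above is there to catch; and a package that Grype reports at several installed versions (setuptools in the SAS scan) will keep appearing until each copy is upgraded, since a single environment upgrade touches only one of them.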

RKuttruff commented 1 month ago

Would like to quickly note that I found that all the above vulnerabilities come from the SAS image:

[rileykk@opera-pge-ci ~]$ grype --only-fixed artifactory-fn.jpl.nasa.gov:16001/gov/nasa/jpl/opera/adt/opera/dswx-s1:final_1.0
 ✔ Vulnerability DB                [updated]
 ✔ Pulled image
 ✔ Loaded image                    artifactory-fn.jpl.nasa.gov:16001/gov/nasa/jpl/opera/adt/opera/dswx-s1:final_1.0
 ✔ Parsed image                    sha256:5d69346f9b606174169791e71e734e4017385c5fe7dff8bf6bd7b09f2f1cee3b
 ✔ Cataloged packages              [339 packages]
 ✔ Scanned for vulnerabilities     [54 vulnerabilities]
   ├── 1 critical, 16 high, 31 medium, 5 low, 0 negligible (1 unknown)
   └── 28 fixed
NAME          INSTALLED         FIXED-IN                  TYPE    VULNERABILITY        SEVERITY
Fiona         1.9.4             1.10b1                    python  GHSA-q5fm-55c2-v6j9  Critical
Fiona         1.9.4             1.10b2                    python  GHSA-g4m4-9q4c-mfw6  High
Jinja2        3.1.2             3.1.4                     python  GHSA-h75v-3vvj-5mfj  Medium
Jinja2        3.1.2             3.1.3                     python  GHSA-h5c8-rqwp-cp95  Medium
Pillow        10.0.1            10.2.0                    python  GHSA-3f63-hfp8-52jq  High
Pillow        10.0.1            10.3.0                    python  GHSA-44wm-f244-xhp3  Medium
certifi       2023.7.22         2024.07.04                python  GHSA-248v-346w-9cwc  Low
certifi       2024.6.2          2024.07.04                python  GHSA-248v-346w-9cwc  Low
debug         3.2.6             3.2.7                     npm     GHSA-gxpj-cx7g-858c  Low
gnutls        3.6.16-8.el8_9.3  10:3.6.16-8.el8_9.3_fips  rpm     ELSA-2024-1784       Medium
gnutls        3.6.16-8.el8_9.3  10:3.6.16-8.el8_9.1_fips  rpm     ELSA-2024-12135      Medium
gnutls        3.6.16-8.el8_9.3  10:3.6.16-4.0.1.el8_fips  rpm     ELSA-2022-9221       Medium
idna          3.4               3.7                       python  GHSA-jjg7-2v4v-x38h  Medium
libgcrypt     1.8.5-7.el8_6     10:1.8.5-7.el8_6_fips     rpm     ELSA-2022-9564       High
libgcrypt     1.8.5-7.el8_6     10:1.8.5-6.el8_fips       rpm     ELSA-2022-9263       Medium
pip           23.2.1            23.3                      python  GHSA-mq26-g339-26xf  Medium
requests      2.31.0            2.32.0                    python  GHSA-9wx4-h78v-vm56  Medium
scikit-learn  1.3.1             1.5.0                     python  GHSA-jw8x-6495-233v  Medium
setuptools    39.2.0            65.5.1                    python  GHSA-r9hx-vwmv-q579  High
setuptools    39.2.0            70.0.0                    python  GHSA-cx63-2mw6-8hw5  High
setuptools    68.2.2            70.0.0                    python  GHSA-cx63-2mw6-8hw5  High
setuptools    69.5.1            70.0.0                    python  GHSA-cx63-2mw6-8hw5  High
tornado       6.3.3             6.4.1                     python  GHSA-w235-7p84-xx57  Medium
tornado       6.3.3             6.4.1                     python  GHSA-753j-mpmx-qq6g  Medium
urllib3       2.0.5             2.0.6                     python  GHSA-v845-jxx5-vc9f  Medium
urllib3       2.0.5             2.0.7                     python  GHSA-g4mx-q9vg-27p4  Medium
urllib3       2.0.5             2.2.2                     python  GHSA-34jh-p97f-mpxf  Medium
zipp          3.17.0            3.19.1                    python  GHSA-jfmj-5v4g-7637  Medium
0.79.4
collinss-jpl commented 1 month ago

Closed by #477

Work on this by @RKuttruff has been sufficient to demonstrate ways we can influence the Grype vulnerability report at PGE build time. Further work to address existing vulnerabilities is on hold until we determine whether ADT will prefer to integrate vulnerability scanning into their release workflow.