Bumped base images to python:3.8.12-alpine3.15

[log2]

This removes python:3-alpine, generic but susceptible to which version is actually latest at build time. See details in #60

What type of PR is this?

/kind cleanup

What this PR does / why we need it:

This fixes removes (as of 6/1/2022) most vulnerabilities found in v.1.4.2.

BEFORE FIXING BASE IMAGE TAG:

• trivy-report-imageswap.txt
• trivy-report-imageswap-init.txt

AFTER FIXING BASE IMAGE TAG:

• trivy-report-imageswap-after-fix.txt (derived via docker build -t imageswap . && trivy image imageswap >trivy-report-imageswap-after-fix.txt in directory app/imageswap)
• trivy-report-imageswap-init-after-fix.txt (derived via docker build -t imageswap-init . && trivy image imageswap-init >trivy-report-imageswap-init-after-fix.txt in directory app/imageswap-init)

Which issue(s) this PR fixes:

Fixes #60

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

NONE

Additional documentation e.g., usage docs, etc.:

[log2]

Please note that I have also produced a branch (see https://github.com/log2/imageswap-webhook/tree/feature/fix-base-image-vulnerabilities-py3.11 ) with same purpose, but targeting Python 3.11 instead of Python 3.8. I have opened this PR, for Python 3.8, just to be more conservative with respect to runtime versions, but if you prefer I can open a PR for Python 3.11-versions at a later time.

[phenixblue]

Hello and thanks for the PR. I am returning home from holiday and will not be fully available for a bit. I'll try to get around to reviewing this as soon as possible.

[phenixblue]

I don't think this is needed. the 3-alpine tag for the python image is somewhat special as it will always point at the latest python 3 version with the latest alpine version. It's a matter of rebuilding the image.

Here's an example where I just run make build-imageswap-versioned on the root of this repo with the v1.4.2 tag checked out:

$ trivy image thewebroot/imageswap:v1.4.2

2022-01-10T23:22:57.133-0500    INFO    Detected OS: alpine
2022-01-10T23:22:57.134-0500    INFO    Detecting Alpine vulnerabilities...
2022-01-10T23:22:57.136-0500    INFO    Number of language-specific files: 1
2022-01-10T23:22:57.136-0500    INFO    Detecting python-pkg vulnerabilities...

thewebroot/imageswap:v1.4.2 (alpine 3.15.0)
===========================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

Python (python-pkg)
===================
Total: 1 (UNKNOWN: 1, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

+----------+------------------+----------+-------------------+---------------+--------------------------------+
| LIBRARY  | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |             TITLE              |
+----------+------------------+----------+-------------------+---------------+--------------------------------+
| Werkzeug | pyup.io-42050    | UNKNOWN  | 2.0.1             | 2.0.2         | Werkzeug version 2.0.2         |
|          |                  |          |                   |               | improves the security of the   |
|          |                  |          |                   |               | debugger cookies. "SameSite"   |
|          |                  |          |                   |               | attribute...                   |
+----------+------------------+----------+-------------------+---------------+--------------------------------+

There are a couple of enhancements coming that will lead to a new release and that should produce a new image with fixes for the vulnerabilities you referenced. Keeping the generic image is less work/upkeep as of right now. While the reference for the python image isn't consistent, the reference on the imageswap tags are.

[fragolinux]

I beg your pardon, want to clarify the issue with the 3-alpine tag used... Ok, it always points to latest python version, but actually the problem is not with version 3.8 or 3.11, instead it's with the "LATEST" reference by itself! If I test your image today, with that tag, I get some security issues, if I test it tomorrow I'm not getting "additional" issues with SAME image, but eventually with a newer one, which distorts the problem, I can't have repeatable results as the image "went eleven"... We need a way to be sure that a tagged/hashed image is IMMUTABLE, so we can point FOR SURE to a specific image which eventually solved the problems... "latest" or moving versions are not good for CI/CD, too, and this is exactly the case here... Hope to be clear 😁

[phenixblue]

Sorry for the delay on this.

After reviewing this with the other project maintainer, we feel like the current ImageSwap versioned images are stable and meet the original needs being discussed here. Fixes for CVE's will be picked up on subsequent releases of ImageSwap and we will be trying to get back to regular releases. Thanks for reporting the CVE's and keep an eye out for the v1.4.3 release.