Open tuananh-vpbank opened 1 month ago
Hi @tuananh-vpbank, we're planning to handle the CVEs soon, either by updating to the latest python or staying with python 3.9 and changing the base image. Hope to update soon!
And to answer your original question, I don't think there's a fundamental reason to stay with 3.9. It just requires testing and verifying that there isn't an issue with any of the dependencies.
Is there a concrete plan to fix / release this? The issue #819 has been open for a year without any feedback.
I really like using robusta and think it's a bummer that this problem exists at all.
Yes, we plan to fix it in the next few weeks. I've discussed internally and we're prioritizing this.
Hi @tuananh-vpbank, @Flou21
Today we released version 0.14.0, which changed to python 3.11.
In addition, we upgraded all the packages that had CVEs.
Many thanks for the update, it looks much better now than before.
Neuvector tells me that high vulnerabilities have gone down from 139 to 63 and medium vulnerabilities from 581 to 83.
So not perfect yet, but thanks for the update, I really appreciate it.
Thanks for the feedback @Flou21.
We scanned the image with GCR image scanning and Snyk, and it shows only 6 CVEs with severity medium or above. I'm not sure why the results are so different.
Thanks for the information @arikalon1, I'm a bit surprised myself.
I use Neuvector to scan all container images in my Kubernetes clusters, and Trivy for manual scans and as a step in CI pipelines.
I think the biggest problem is the base image rather than robusta itself. The python base image itself already has 116 vulnerabilities (scanner: trivy):
microgenv2:~ # trivy image python:3.11-slim
2024-06-27T11:12:45+02:00 INFO Vulnerability scanning is enabled
2024-06-27T11:12:45+02:00 INFO Secret scanning is enabled
2024-06-27T11:12:45+02:00 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-27T11:12:45+02:00 INFO Please see also https://aquasecurity.github.io/trivy/dev/docs/scanner/secret/#recommendation for faster secret detection
2024-06-27T11:12:47+02:00 INFO [python] License acquired from METADATA classifiers may be subject to additional terms name="pip" version="24.0"
2024-06-27T11:12:49+02:00 INFO Detected OS family="debian" version="12.5"
2024-06-27T11:12:49+02:00 INFO [debian] Detecting vulnerabilities... os_version="12" pkg_num=106
2024-06-27T11:12:49+02:00 INFO Number of language-specific files num=1
2024-06-27T11:12:49+02:00 INFO [python-pkg] Detecting vulnerabilities...
python:3.11-slim (debian 12.5)
Total: 116 (UNKNOWN: 0, LOW: 67, MEDIUM: 37, HIGH: 11, CRITICAL: 1)
And the robusta image has 204 with trivy:
microgenv2:~ # trivy image robustadev/robusta-runner:0.14.0
2024-06-27T11:13:58+02:00 INFO Vulnerability scanning is enabled
2024-06-27T11:13:58+02:00 INFO Secret scanning is enabled
2024-06-27T11:13:58+02:00 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-27T11:13:58+02:00 INFO Please see also https://aquasecurity.github.io/trivy/dev/docs/scanner/secret/#recommendation for faster secret detection
2024-06-27T11:13:59+02:00 INFO Detected OS family="debian" version="12.5"
2024-06-27T11:13:59+02:00 INFO [debian] Detecting vulnerabilities... os_version="12" pkg_num=154
2024-06-27T11:13:59+02:00 INFO Number of language-specific files num=1
2024-06-27T11:13:59+02:00 INFO [python-pkg] Detecting vulnerabilities...
robustadev/robusta-runner:0.14.0 (debian 12.5)
Total: 204 (UNKNOWN: 0, LOW: 134, MEDIUM: 41, HIGH: 26, CRITICAL: 3)
I still don't understand why the official python image has so many vulnerabilities.
The newer python:3.12-slim image also has quite a few:
microgenv2:~ # trivy image python:3.12-slim
2024-06-27T11:18:24+02:00 INFO Vulnerability scanning is enabled
2024-06-27T11:18:24+02:00 INFO Secret scanning is enabled
2024-06-27T11:18:24+02:00 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-27T11:18:24+02:00 INFO Please see also https://aquasecurity.github.io/trivy/dev/docs/scanner/secret/#recommendation for faster secret detection
2024-06-27T11:18:27+02:00 INFO [python] License acquired from METADATA classifiers may be subject to additional terms name="pip" version="24.0"
2024-06-27T11:18:28+02:00 INFO Detected OS family="debian" version="12.5"
2024-06-27T11:18:28+02:00 INFO [debian] Detecting vulnerabilities... os_version="12" pkg_num=106
2024-06-27T11:18:28+02:00 INFO Number of language-specific files num=1
2024-06-27T11:18:28+02:00 INFO [python-pkg] Detecting vulnerabilities...
python:3.12-slim (debian 12.5)
Total: 116 (UNKNOWN: 0, LOW: 67, MEDIUM: 37, HIGH: 11, CRITICAL: 1)
More vulnerabilities were also identified in this Snyk WebUI: https://snyk.io/test/docker/python%3A3.11-slim
Docker Hub itself shows fewer: https://hub.docker.com/layers/library/python/3.11-slim/images/sha256-5a669c7aa9c6d3565ec2d1d50a8344696860ddabb7b8a8f64cfdd38cc932b172?context=explore
There are other base images with fewer or no vulnerabilities, but the official Docker Hub images seem to have a relatively big problem. This is the image I use most of the time:
microgenv2:~ # trivy image registry.suse.com/bci/python:3.12
2024-06-27T11:35:41+02:00 INFO Vulnerability scanning is enabled
2024-06-27T11:35:41+02:00 INFO Secret scanning is enabled
2024-06-27T11:35:41+02:00 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-27T11:35:41+02:00 INFO Please see also https://aquasecurity.github.io/trivy/dev/docs/scanner/secret/#recommendation for faster secret detection
2024-06-27T11:35:42+02:00 INFO Detected OS family="suse linux enterprise server" version="15.6"
2024-06-27T11:35:42+02:00 WARN This OS version is not on the EOL list family="suse linux enterprise server" version="15.6"
2024-06-27T11:35:42+02:00 INFO [suse linux enterprise server] Detecting vulnerabilities... os_version="15.6" pkg_num=166
2024-06-27T11:35:42+02:00 INFO Number of language-specific files num=0
registry.suse.com/bci/python:3.12 (suse linux enterprise server 15.6)
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
I think the issue can be closed. More than updating the base image should not be done. Maybe something else can be done in the future.
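The gap between the two scans above (116 findings for the base image, 204 for the runner) is easiest to reason about when each finding is attributed to the layer that introduced it. The following script is an added example, not code from the Robusta project or from Trivy. It parses two `trivy image -f json` reports, prints the same `Total:` breakdown Trivy does for the base image, the application image, the inherited subset and the application's own layers, and then applies the gate policy a CI step would use (HIGH and above, fixable only, which is what `--severity HIGH,CRITICAL --ignore-unfixed --exit-code 1` does on the Trivy command line). The embedded reports are constructed sample data with placeholder CVE ids and made-up package versions; the `Results[].Class` and `Vulnerabilities[]` field names are those of Trivy's JSON output.

```python
"""Attribute Trivy findings to the base image vs. the application layers.

Added example; not code from the Robusta project or from Trivy. Assumes two
reports written with `trivy image -f json -o <file> <image>`: one for the base
image (python:3.11-slim in the thread) and one for the application image
(robustadev/robusta-runner:0.14.0). Embedded data is constructed sample input.
"""
import json
from collections import Counter

SEVERITIES = ("UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL")


def _vuln(cve, pkg, installed, fixed, severity):
    """One finding in the shape Trivy emits (FixedVersion is omitted when there is no fix)."""
    v = {"VulnerabilityID": cve, "PkgName": pkg, "InstalledVersion": installed, "Severity": severity}
    if fixed:
        v["FixedVersion"] = fixed
    return v


# Constructed sample findings: CVE ids are placeholders, versions are made up.
_BASE_OS = [
    _vuln("CVE-0000-0001", "libc6", "2.36-9", "", "LOW"),
    _vuln("CVE-0000-0002", "openssl", "3.0.11-1", "3.0.13-1", "HIGH"),
    _vuln("CVE-0000-0003", "perl-base", "5.36.0-7", "", "MEDIUM"),
]
_BASE_PY = [_vuln("CVE-0000-0004", "pip", "24.0", "", "LOW")]
_APP_OS_EXTRA = [_vuln("CVE-0000-0005", "curl", "7.88.1-10", "7.88.1-11", "HIGH")]
_APP_PY_EXTRA = [
    _vuln("CVE-0000-0006", "requests", "2.31.0", "2.32.0", "CRITICAL"),
    _vuln("CVE-0000-0007", "setuptools", "65.5.1", "", "HIGH"),
]


def _report(image, os_vulns, py_vulns):
    """Serialise a minimal Trivy-style JSON report (Results[].Class / Vulnerabilities[])."""
    return json.dumps({"ArtifactName": image, "Results": [
        {"Target": f"{image} (debian 12.5)", "Class": "os-pkgs", "Type": "debian",
         "Vulnerabilities": os_vulns},
        {"Target": "Python", "Class": "lang-pkgs", "Type": "python-pkg",
         "Vulnerabilities": py_vulns},
    ]})


BASE_REPORT = _report("python:3.11-slim", _BASE_OS, _BASE_PY)
APP_REPORT = _report("robustadev/robusta-runner:0.14.0",
                     _BASE_OS + _APP_OS_EXTRA, _BASE_PY + _APP_PY_EXTRA)


def load_findings(report_json):
    """Return {(VulnerabilityID, PkgName): details} for one Trivy JSON report."""
    findings = {}
    for result in json.loads(report_json).get("Results", []):
        # Trivy emits null rather than [] for a target without findings.
        for v in result.get("Vulnerabilities") or []:
            findings[(v["VulnerabilityID"], v["PkgName"])] = {
                "severity": v.get("Severity", "UNKNOWN"),
                "installed": v.get("InstalledVersion", ""),
                "fixed": v.get("FixedVersion", ""),
                "class": result.get("Class", ""),
            }
    return findings


def _rank(severity):
    return SEVERITIES.index(severity) if severity in SEVERITIES else 0


def severity_summary(findings):
    """Per-severity counts, the breakdown Trivy prints in its 'Total:' line."""
    counts = Counter(f["severity"] for f in findings.values())
    return {sev: counts.get(sev, 0) for sev in SEVERITIES}


def format_total(findings):
    """Render the summary in Trivy's 'Total: N (UNKNOWN: .., LOW: .., ...)' layout."""
    parts = ", ".join(f"{sev}: {n}" for sev, n in severity_summary(findings).items())
    return f"Total: {len(findings)} ({parts})"


def attribute(base, app):
    """Split the app image's findings into those inherited from the base image and its own."""
    inherited = {k: v for k, v in app.items() if k in base}
    own = {k: v for k, v in app.items() if k not in base}
    return inherited, own


def gate(findings, min_severity="HIGH", fixed_only=True):
    """Findings that should fail a CI gate: at or above min_severity and, with fixed_only,
    only those a package upgrade would remove (Trivy's --severity/--ignore-unfixed policy)."""
    threshold = _rank(min_severity)
    return sorted(k for k, v in findings.items()
                  if _rank(v["severity"]) >= threshold and (v["fixed"] or not fixed_only))


if __name__ == "__main__":
    base = load_findings(BASE_REPORT)
    app = load_findings(APP_REPORT)
    inherited, own = attribute(base, app)
    print("base image :", format_total(base))
    print("app image  :", format_total(app))
    print("inherited  :", format_total(inherited))
    print("app layers :", format_total(own))
    for cve, pkg in gate(app):
        f = app[(cve, pkg)]
        print(f"GATE {f['severity']:<8} {cve} {pkg} {f['installed']} -> {f['fixed']}")
```

Run against real reports, the "inherited" total is the part only a base-image change (or a rebuild after the distribution publishes fixes) can remove, while the "app layers" total is what the project's own dependency bumps address; the gate deliberately ignores findings without a fixed version so that a pipeline does not block on issues nobody can yet act on.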
Is there any reason robusta needs to stick with python 3.9?
I know that python 3.9 still has more than a year left until EOL, but the base image has way too many known CVEs. It would be awesome if we could update to a more secure base image.