robusta-dev / robusta

Kubernetes observability and automation, with an awesome Prometheus integration
https://home.robusta.dev/
MIT License

is there any reason robusta has to stick with python 3.9? #1426

Open tuananh-vpbank opened 1 month ago

tuananh-vpbank commented 1 month ago

Is there any reason robusta needs to stick with python 3.9?

I know that python 3.9 still has more than a year left until EOL, but the base image has way too many known CVEs. It would be awesome if we could update to a more secure base image.

github-actions[bot] commented 1 month ago

Hi 👋, thanks for opening an issue! Please note, it may take some time for us to respond, but we'll get back to you as soon as we can!

aantn commented 1 month ago

Hi @tuananh-vpbank, We're planning to handle the CVEs soon, either by updating to the latest python or staying with python 3.9 and changing the base image. Hope to update soon!

aantn commented 1 month ago

And to answer your original question, I don't think there's a fundamental reason to stay w/ 3.9. Just requires testing and verifying that there isn't an issue with any of the dependencies.

Flou21 commented 1 month ago

Is there a concrete plan to fix / release this? The issue #819 has been open for a year without any feedback.

I really like using robusta and think it's a bummer that this problem exists at all.

aantn commented 1 month ago

Yes, we plan to fix it in the next few weeks. I've discussed internally and we're prioritizing this.

arikalon1 commented 1 week ago

Hi @tuananh-vpbank, @Flou21

Today we released version 0.14.0, which changed to python 3.11. In addition, we upgraded all the packages that had CVEs.

Flou21 commented 1 week ago

Many thanks for the update, it looks much better now than before.

Neuvector tells me that high vulnerabilities have gone down from 139 to 63 and medium vulnerabilities from 581 to 83.

So not perfect yet, but thanks for the update. I really appreciate it.

arikalon1 commented 1 week ago

Thanks for the feedback @Flou21.

We scanned the image with gcr image scanning and snyk, and it shows only 6 CVEs with severity medium or above. I'm not sure why the results are so different.

Flou21 commented 1 week ago

Thanks for the information @arikalon1. I'm a bit surprised myself.

I use Neuvector to scan all container images in my Kubernetes clusters, and trivy for manual scans and as a step in CI pipelines.

I think the biggest problem is the base image rather than robusta itself. The python base image alone already has 116 vulnerabilities (scanner: trivy):

microgenv2:~ # trivy image python:3.11-slim
2024-06-27T11:12:45+02:00       INFO    Vulnerability scanning is enabled
2024-06-27T11:12:45+02:00       INFO    Secret scanning is enabled
2024-06-27T11:12:45+02:00       INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-27T11:12:45+02:00       INFO    Please see also https://aquasecurity.github.io/trivy/dev/docs/scanner/secret/#recommendation for faster secret detection
2024-06-27T11:12:47+02:00       INFO    [python] License acquired from METADATA classifiers may be subject to additional terms  name="pip" version="24.0"
2024-06-27T11:12:49+02:00       INFO    Detected OS     family="debian" version="12.5"
2024-06-27T11:12:49+02:00       INFO    [debian] Detecting vulnerabilities...   os_version="12" pkg_num=106
2024-06-27T11:12:49+02:00       INFO    Number of language-specific files       num=1
2024-06-27T11:12:49+02:00       INFO    [python-pkg] Detecting vulnerabilities...

python:3.11-slim (debian 12.5)

Total: 116 (UNKNOWN: 0, LOW: 67, MEDIUM: 37, HIGH: 11, CRITICAL: 1)

And the robusta image has 204 with trivy:

microgenv2:~ # trivy image robustadev/robusta-runner:0.14.0
2024-06-27T11:13:58+02:00       INFO    Vulnerability scanning is enabled
2024-06-27T11:13:58+02:00       INFO    Secret scanning is enabled
2024-06-27T11:13:58+02:00       INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-27T11:13:58+02:00       INFO    Please see also https://aquasecurity.github.io/trivy/dev/docs/scanner/secret/#recommendation for faster secret detection
2024-06-27T11:13:59+02:00       INFO    Detected OS     family="debian" version="12.5"
2024-06-27T11:13:59+02:00       INFO    [debian] Detecting vulnerabilities...   os_version="12" pkg_num=154
2024-06-27T11:13:59+02:00       INFO    Number of language-specific files       num=1
2024-06-27T11:13:59+02:00       INFO    [python-pkg] Detecting vulnerabilities...

robustadev/robusta-runner:0.14.0 (debian 12.5)

Total: 204 (UNKNOWN: 0, LOW: 134, MEDIUM: 41, HIGH: 26, CRITICAL: 3)

I still don't understand why the official python image has so many vulnerabilities.

The newer python:3.12-slim image also has quite a few:

microgenv2:~ # trivy image python:3.12-slim
2024-06-27T11:18:24+02:00       INFO    Vulnerability scanning is enabled
2024-06-27T11:18:24+02:00       INFO    Secret scanning is enabled
2024-06-27T11:18:24+02:00       INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-27T11:18:24+02:00       INFO    Please see also https://aquasecurity.github.io/trivy/dev/docs/scanner/secret/#recommendation for faster secret detection
2024-06-27T11:18:27+02:00       INFO    [python] License acquired from METADATA classifiers may be subject to additional terms  name="pip" version="24.0"
2024-06-27T11:18:28+02:00       INFO    Detected OS     family="debian" version="12.5"
2024-06-27T11:18:28+02:00       INFO    [debian] Detecting vulnerabilities...   os_version="12" pkg_num=106
2024-06-27T11:18:28+02:00       INFO    Number of language-specific files       num=1
2024-06-27T11:18:28+02:00       INFO    [python-pkg] Detecting vulnerabilities...

python:3.12-slim (debian 12.5)

Total: 116 (UNKNOWN: 0, LOW: 67, MEDIUM: 37, HIGH: 11, CRITICAL: 1)

More vulnerabilities were also identified in the Snyk web UI: https://snyk.io/test/docker/python%3A3.11-slim

Docker Hub itself shows fewer: https://hub.docker.com/layers/library/python/3.11-slim/images/sha256-5a669c7aa9c6d3565ec2d1d50a8344696860ddabb7b8a8f64cfdd38cc932b172?context=explore

There are other base images with fewer / no vulnerabilities, but the official Docker Hub images seem to have a relatively big problem. This is the image I use most of the time:

microgenv2:~ # trivy image registry.suse.com/bci/python:3.12
2024-06-27T11:35:41+02:00       INFO    Vulnerability scanning is enabled
2024-06-27T11:35:41+02:00       INFO    Secret scanning is enabled
2024-06-27T11:35:41+02:00       INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-27T11:35:41+02:00       INFO    Please see also https://aquasecurity.github.io/trivy/dev/docs/scanner/secret/#recommendation for faster secret detection
2024-06-27T11:35:42+02:00       INFO    Detected OS     family="suse linux enterprise server" version="15.6"
2024-06-27T11:35:42+02:00       WARN    This OS version is not on the EOL list  family="suse linux enterprise server" version="15.6"
2024-06-27T11:35:42+02:00       INFO    [suse linux enterprise server] Detecting vulnerabilities...     os_version="15.6" pkg_num=166
2024-06-27T11:35:42+02:00       INFO    Number of language-specific files       num=0

registry.suse.com/bci/python:3.12 (suse linux enterprise server 15.6)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

I think the issue can be closed. More than updating the base image should not be done. Maybe something else can be done in the future.
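As a worked example added here (not code from this thread or from the robusta project): a small script that tallies a Trivy JSON report (`trivy image -f json ...`) into the same severity breakdown as the `Total:` lines above and applies a CI gate, which is the kind of pipeline step the thread mentions. The report is a constructed sample with placeholder CVE ids; the `ignore_unfixed` switch mirrors Trivy's real `--ignore-unfixed` flag, and whether findings without a fixed version are counted is one reason different scanners report different totals for the same image.

```python
# Tally a Trivy JSON report (schema v2) like Trivy's "Total:" line and gate on it.
import json
from collections import Counter

SEVERITIES = ("UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL")

# Constructed sample report in Trivy's JSON layout; CVE ids are placeholders.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "example/app:1.0",
    "Results": [
        {"Target": "example/app:1.0 (debian 12.5)", "Class": "os-pkgs", "Type": "debian",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libfoo", "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libbar", "InstalledVersion": "2.3", "FixedVersion": "", "Severity": "CRITICAL"},
             {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libbaz", "InstalledVersion": "0.9", "FixedVersion": "", "Severity": "LOW"},
         ]},
        {"Target": "Python", "Class": "lang-pkgs", "Type": "python-pkg",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0004", "PkgName": "somelib", "InstalledVersion": "1.2", "FixedVersion": "1.3", "Severity": "MEDIUM"},
         ]},
    ],
})


def severity_counts(report_json, ignore_unfixed=False):
    """Count findings per severity across all Results (OS and language packages).
    ignore_unfixed mirrors `trivy --ignore-unfixed`: skip findings with no FixedVersion."""
    report = json.loads(report_json)
    counts = Counter({s: 0 for s in SEVERITIES})  # keep zero buckets for a stable summary
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:  # Trivy emits null when empty
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            counts[vuln.get("Severity", "UNKNOWN")] += 1
    return dict(counts)


def format_total(counts):
    """Render the counts in the same shape as Trivy's table-output 'Total:' line."""
    detail = ", ".join(f"{s}: {counts[s]}" for s in SEVERITIES)
    return f"Total: {sum(counts.values())} ({detail})"


def gate(counts, max_high=0, max_critical=0):
    """CI policy decision: (ok, reason). CRITICAL is checked before HIGH."""
    if counts["CRITICAL"] > max_critical:
        return False, f"{counts['CRITICAL']} CRITICAL > {max_critical}"
    if counts["HIGH"] > max_high:
        return False, f"{counts['HIGH']} HIGH > {max_high}"
    return True, "within policy"
```

Run it against a real report with `trivy image -f json -o report.json <image>` and pass the file contents to `severity_counts`; comparing the two totals shows how much of an image's count is unfixable in the base distribution.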