bazelbuild / rules_docker

Rules for building and handling Docker images with Bazel

Outdated distroless base image version has many CVEs

jtse opened this issue · comments

🐞 bug report

Affected Rule

The issue affects go_image, cc_image and probably other *_images.

Is this a regression?

Not really.

Description

The current release v0.25.0 references old versions of distroless base images (2021-12). Users who are building off the default base images are inadvertently using 1+ year old distroless images that contain many CVEs. Specifically, this affects users who are copy-pasting

load(
    "@io_bazel_rules_docker//go:image.bzl",
    _go_image_repos = "repositories",
)

_go_image_repos()

And not specifying a base = ... in their go_image.

Please release a new version of rules_docker with an updated distroless image version.

Alternatively, remove repositories() from go:image.bzl and others. This will mean that users will have to explicitly specify a base image/version.

🔬 Minimal Reproduction

  1. Follow the instructions on https://github.com/bazelbuild/rules_docker#go_image to build a go_image without specifying a base = ...

  2. Upload the go_image to Google Container Repository.

🔥 Exception or Error

Google Container Repository reports the following CVEs:

CVE               Severity  CVSS  Fix available  Package  Type
CVE-2022-1292     Critical  10    Yes            openssl  OS
CVE-2022-2068     Critical  10    Yes            openssl  OS
CVE-2022-23219    High      7.5   Yes            glibc    OS
CVE-2021-3999     High      7.8   Yes            glibc    OS
CVE-2021-33574    High      7.5   Yes            glibc    OS
CVE-2022-23218    High      7.5   Yes            glibc    OS
CVE-2021-4160     Medium    4.3   Yes            openssl  OS
CVE-2022-2097     Medium    5     –              openssl  OS
CVE-2022-0778     Medium    5     Yes            openssl  OS
CVE-2019-1010023  Low       6.8   –              glibc    OS
CVE-2021-43396    Low       5     Yes            glibc    OS
CVE-2019-1010022  Low       7.5   –              glibc    OS
CVE-2018-20796    Low       5     –              glibc    OS
CVE-2010-0928     Low       4     –              openssl  OS
CVE-2007-6755     Low       5.8   –              openssl  OS
CVE-2019-9192     Low       5     –              glibc    OS
CVE-2010-4756     Low       4     –              glibc    OS
CVE-2019-1010024  Low       5     –              glibc    OS
CVE-2019-1010025  Low       5     –              glibc    OS

🌍 Your Environment

Operating System: N/A

Output of bazel version: N/A

Rules_docker version: v0.25.0 -- latest as of 2023-01-04

Anything else relevant?

I'd be a big fan of requiring users to set an explicit base. I'll submit a PR for this later today.
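The workaround the issue asks for (stop relying on the base that `_go_image_repos()` defines and pass `base = ...` explicitly) looks like the following. This is an added example, not code from the issue or from rules_docker itself; it assumes rules_docker v0.25.0 is already loaded as `@io_bazel_rules_docker` with rules_go set up, and the digest, repository name, target name and importpath are placeholders you must replace.

```starlark
# --- WORKSPACE (added example) ---
load("@io_bazel_rules_docker//container:container.bzl", "container_pull")

# Pull the distroless base explicitly and pin it by digest rather than by a
# tag such as ":nonroot", which silently moves between rebuilds. A pinned
# digest is reviewable in code review and reproducible across machines; the
# trade-off is that you must bump it yourself to pick up rebuilt images, so
# put that on a schedule (or automate it) instead of waiting for a
# rules_docker release.
#
# The digest below is a PLACEHOLDER (assumption), not a real one. Resolve
# the current value yourself, e.g. `crane digest gcr.io/distroless/base:nonroot`,
# and paste it here.
container_pull(
    name = "distroless_base_nonroot",  # assumed repository name
    registry = "gcr.io",
    repository = "distroless/base",
    digest = "sha256:0000000000000000000000000000000000000000000000000000000000000000",
)

# --- BUILD.bazel (added example) ---
load("@io_bazel_rules_docker//go:image.bzl", "go_image")

go_image(
    name = "server_image",               # assumed target name
    srcs = ["main.go"],
    importpath = "example.com/server",   # assumed module path
    # Explicit base: this target no longer uses whatever default base the
    # release's _go_image_repos() happens to define.
    base = "@distroless_base_nonroot//image",
)
```

With `base` set on every `*_image` target, the `_go_image_repos()` call (and its stale default) becomes irrelevant to those targets; rescanning the pushed image after the digest bump is the check that the listed CVEs came from the old base and not from your own layers.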

@sudoforge did you submit a PR? Is your proposal to let users specify the distroless base in the WORKSPACE (repository rule) or on each xx_image rule?

What about a release with a freshly bumped base to buy some time? In their current form the rules are unusable :/

FWIW, rules_oci has convenient logic for this: you just specify `latest` in the oci_pull rule and it gives you the command to "repin" it: https://github.com/bazel-contrib/rules_oci/blob/main/oci/pull.bzl#L372-L378

This issue has been automatically marked as stale because it has not had any activity for 180 days. It will be closed if no further activity occurs in 30 days.
Collaborators can add an assignee to keep this open indefinitely. Thanks for your contributions to rules_docker!

The issue is still there, but we've switched to rules_oci entirely.