Produced docker image contains multiple vulnerabilities, please update
ilanKeshet opened this issue
Hi
Generating a Docker image from the Dockerfile in the repository root produces an artifact with multiple known CVEs which already have a fix.
Please update.
(.venv) ➜ code git clone https://github.com/opsgenie/oec.git
Cloning into 'oec'...
remote: Enumerating objects: 3320, done.
remote: Counting objects: 100% (17/17), done.
remote: Compressing objects: 100% (13/13), done.
remote: Total 3320 (delta 2), reused 7 (delta 1), pack-reused 3303
Receiving objects: 100% (3320/3320), 13.83 MiB | 3.08 MiB/s, done.
Resolving deltas: 100% (1231/1231), done.
(.venv) ➜ code cd oec
(.venv) ➜ oec git:(master) ✗ docker build . -t oec
[+] Building 12.8s (17/17) FINISHED
=> [internal] load build definition from Dockerfile 0.0s
=> => transferring dockerfile: 813B 0.0s
=> [internal] load .dockerignore 0.0s
=> => transferring context: 2B 0.0s
=> [internal] load metadata for docker.io/library/python:alpine3.12 2.3s
=> [internal] load metadata for docker.io/library/golang:1.14 1.5s
=> [auth] library/python:pull token for registry-1.docker.io 0.0s
=> [auth] library/golang:pull token for registry-1.docker.io 0.0s
=> [internal] load build context 0.0s
=> => transferring context: 104.92kB 0.0s
=> CACHED [builder 1/4] FROM docker.io/library/golang:1.14@sha256:1a7173b5b9a3af3e29a5837e0b2027e1c438fd1b83bbee8f221355087ad416d6 0.0s
=> [base 1/5] FROM docker.io/library/python:alpine3.12@sha256:7f73901e568630443fc50e358b76603492e89c9bf330caf689e856a018f135f0 0.0s
=> [builder 2/4] ADD . /go/src/github.com/opsgenie/oec 0.1s
=> [builder 3/4] WORKDIR /go/src/github.com/opsgenie/oec/main 0.0s
=> [builder 4/4] RUN export GIT_COMMIT=$(git rev-list -1 HEAD) && CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -a -installsuffix cgo -ldflags "-X main.OECCommitVersion=$GIT_COMMIT -X main.OECVersion=1.0.1" -o nocgo -o /oec . 9.9s
=> CACHED [base 2/5] RUN pip install requests 0.0s
=> CACHED [base 3/5] RUN addgroup -S opsgenie && adduser -S opsgenie -G opsgenie && apk update && apk add --no-cache git ca-certificates && update-ca-certificates 0.0s
=> CACHED [base 4/5] COPY --from=builder /oec /opt/oec 0.0s
=> CACHED [base 5/5] RUN mkdir -p /var/log/opsgenie && chown -R opsgenie:opsgenie /var/log/opsgenie && chown -R opsgenie:opsgenie /opt/oec 0.0s
=> exporting to image 0.0s
=> => exporting layers 0.0s
=> => writing image sha256:1a131a4c33851d29490fdb82e6c2ac53268b3e240cfdc64407b7be1206d09a82 0.0s
=> => naming to docker.io/library/oec
(.venv) ➜ oec git:(master) ✗ grype --only-fixed oec:latest
✔ Vulnerability DB [no update available]
New version of grype is available: 0.52.0 (currently running: 0.51.0)
✔ Loaded image
✔ Parsed image
✔ Cataloged packages [77 packages]
✔ Scanned image [92 vulnerabilities]
[0002] WARN some package(s) are missing CPEs. This may result in missing vulnerabilities. You may autogenerate these using: --add-cpes-if-none
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
apk-tools 2.10.6-r0 2.10.7-r0 apk CVE-2021-36159 Critical
busybox 1.31.1-r20 1.31.1-r21 apk CVE-2021-42383 High
busybox 1.31.1-r20 1.31.1-r21 apk CVE-2021-42378 High
busybox 1.31.1-r20 1.31.1-r21 apk CVE-2021-42374 Medium
busybox 1.31.1-r20 1.31.1-r21 apk CVE-2021-42379 High
busybox 1.31.1-r20 1.31.1-r21 apk CVE-2021-42380 High
busybox 1.31.1-r20 1.31.1-r21 apk CVE-2021-42382 High
busybox 1.31.1-r20 1.31.1-r21 apk CVE-2021-42384 High
busybox 1.31.1-r20 1.31.1-r21 apk CVE-2021-42386 High
busybox 1.31.1-r20 1.31.1-r21 apk CVE-2021-42385 High
busybox 1.31.1-r20 1.31.1-r22 apk CVE-2022-28391 High
busybox 1.31.1-r20 1.31.1-r21 apk CVE-2021-42381 High
expat 2.2.9-r1 2.2.10-r2 apk CVE-2022-25236 Critical
expat 2.2.9-r1 2.2.10-r1 apk CVE-2022-23990 High
expat 2.2.9-r1 2.2.10-r0 apk CVE-2022-22822 Critical
expat 2.2.9-r1 2.2.10-r1 apk CVE-2022-23852 Critical
expat 2.2.9-r1 2.2.10-r0 apk CVE-2022-22827 High
expat 2.2.9-r1 2.2.10-r0 apk CVE-2022-22823 Critical
expat 2.2.9-r1 2.2.10-r0 apk CVE-2022-22824 Critical
expat 2.2.9-r1 2.2.10-r2 apk CVE-2022-25235 Critical
expat 2.2.9-r1 2.2.10-r0 apk CVE-2021-45960 High
expat 2.2.9-r1 2.2.10-r0 apk CVE-2021-46143 High
expat 2.2.9-r1 2.2.10-r2 apk CVE-2022-25315 Critical
expat 2.2.9-r1 2.2.10-r0 apk CVE-2022-22825 High
expat 2.2.9-r1 2.2.10-r0 apk CVE-2022-22826 High
expat 2.2.9-r1 2.2.10-r2 apk CVE-2022-25314 High
expat 2.2.9-r1 2.2.10-r2 apk CVE-2022-25313 Medium
krb5-libs 1.18.3-r0 1.18.4-r0 apk CVE-2021-36222 High
krb5-libs 1.18.3-r0 1.18.5-r0 apk CVE-2021-37750 Medium
libcrypto1.1 1.1.1k-r0 1.1.1l-r0 apk CVE-2021-3712 High
libcrypto1.1 1.1.1k-r0 1.1.1n-r0 apk CVE-2022-0778 High
libcrypto1.1 1.1.1k-r0 1.1.1l-r0 apk CVE-2021-3711 Critical
libssl1.1 1.1.1k-r0 1.1.1n-r0 apk CVE-2022-0778 High
libssl1.1 1.1.1k-r0 1.1.1l-r0 apk CVE-2021-3711 Critical
libssl1.1 1.1.1k-r0 1.1.1l-r0 apk CVE-2021-3712 High
libuuid 2.35.2-r0 2.37.3-r0 apk CVE-2021-3996 Medium
libuuid 2.35.2-r0 2.37.4-r0 apk CVE-2022-0563 Medium
libuuid 2.35.2-r0 2.37.3-r0 apk CVE-2021-3995 Medium
ncurses-libs 6.2_p20200523-r0 6.2_p20200523-r1 apk CVE-2021-39537 High
ncurses-terminfo-base 6.2_p20200523-r0 6.2_p20200523-r1 apk CVE-2021-39537 High
ssl_client 1.31.1-r20 1.31.1-r21 apk CVE-2021-42379 High
ssl_client 1.31.1-r20 1.31.1-r21 apk CVE-2021-42383 High
ssl_client 1.31.1-r20 1.31.1-r21 apk CVE-2021-42386 High
ssl_client 1.31.1-r20 1.31.1-r22 apk CVE-2022-28391 High
ssl_client 1.31.1-r20 1.31.1-r21 apk CVE-2021-42381 High
ssl_client 1.31.1-r20 1.31.1-r21 apk CVE-2021-42384 High
ssl_client 1.31.1-r20 1.31.1-r21 apk CVE-2021-42382 High
ssl_client 1.31.1-r20 1.31.1-r21 apk CVE-2021-42380 High
ssl_client 1.31.1-r20 1.31.1-r21 apk CVE-2021-42374 Medium
ssl_client 1.31.1-r20 1.31.1-r21 apk CVE-2021-42378 High
ssl_client 1.31.1-r20 1.31.1-r21 apk CVE-2021-42385 High
xz-libs 5.2.5-r0 5.2.5-r1 apk CVE-2022-1271 High
zlib 1.2.11-r3 1.2.12-r2 apk CVE-2022-37434 Critical
zlib 1.2.11-r3 1.2.12-r0 apk CVE-2018-25032 High
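The grype table above is the kind of output a CI gate should act on rather than a human eyeballing 54 rows. Below is an added example (not part of the issue, the oec project or grype itself) that parses grype's default table format, rolls the rows up per package into the single highest FIXED-IN version each package must reach, and fails the image if any finding at or above a chosen severity has a fix available. The embedded sample is a constructed subset of the rows on this page; the version comparison is a simplified model of Alpine `apk` version ordering (numeric and alphabetic segments, then the `-rN` release), not a full reimplementation of apk's algorithm.

```python
"""Turn grype table output into a per-package upgrade list and a pass/fail gate."""
import re

# Constructed sample: a subset of the `grype --only-fixed` rows reported on this page.
SAMPLE_TABLE = """\
NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY
apk-tools 2.10.6-r0 2.10.7-r0 apk CVE-2021-36159 Critical
busybox 1.31.1-r20 1.31.1-r21 apk CVE-2021-42383 High
busybox 1.31.1-r20 1.31.1-r22 apk CVE-2022-28391 High
expat 2.2.9-r1 2.2.10-r2 apk CVE-2022-25236 Critical
expat 2.2.9-r1 2.2.10-r0 apk CVE-2021-45960 High
libuuid 2.35.2-r0 2.37.4-r0 apk CVE-2022-0563 Medium
zlib 1.2.11-r3 1.2.12-r2 apk CVE-2022-37434 Critical
"""

# grype's severity labels, ordered so they can be compared numerically.
SEVERITY_RANK = {"Negligible": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def parse_grype_table(text):
    """Parse grype's whitespace-separated table into a list of finding dicts.

    With --only-fixed every row has six columns. Without it, FIXED-IN can be
    empty, which collapses the row to five columns; that case is handled too.
    """
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "NAME":  # blank line or header row
            continue
        if len(fields) == 6:
            name, installed, fixed_in, ptype, vuln, severity = fields
        elif len(fields) == 5:
            name, installed, ptype, vuln, severity = fields
            fixed_in = ""
        else:
            raise ValueError(f"unexpected grype row: {line!r}")
        findings.append({"name": name, "installed": installed, "fixed_in": fixed_in,
                         "type": ptype, "vuln": vuln, "severity": severity})
    return findings


def apk_version_key(version):
    """Simplified sort key for Alpine package versions such as 1.1.1k-r0 or 6.2_p20200523-r1.

    The main part is split into numeric and alphabetic tokens (1.1.1k -> 1,1,1,k),
    the trailing -rN release is compared last. Good enough to pick the highest
    FIXED-IN version; it is not apk's full version grammar.
    """
    main, _, release = version.partition("-r")
    tokens = re.findall(r"\d+|[a-z]+", main.lower())
    key = tuple((0, int(t)) if t.isdigit() else (1, t) for t in tokens)
    return key, int(release or 0)


def required_upgrades(findings, min_severity="High"):
    """Collapse findings to one entry per package: the highest FIXED-IN version
    needed to clear every finding at or above min_severity, plus the CVEs it covers."""
    threshold = SEVERITY_RANK[min_severity]
    needed = {}
    for f in findings:
        if not f["fixed_in"] or SEVERITY_RANK[f["severity"]] < threshold:
            continue  # nothing to upgrade to, or below the gate's threshold
        entry = needed.get(f["name"])
        if entry is None:
            needed[f["name"]] = {"installed": f["installed"],
                                 "fixed_in": f["fixed_in"], "cves": [f["vuln"]]}
            continue
        entry["cves"].append(f["vuln"])
        if apk_version_key(f["fixed_in"]) > apk_version_key(entry["fixed_in"]):
            entry["fixed_in"] = f["fixed_in"]  # a later CVE needs a newer build
    return needed


def image_passes(findings, min_severity="High"):
    """Gate decision: the image passes only when no fixable finding meets the threshold."""
    return not required_upgrades(findings, min_severity)


if __name__ == "__main__":
    found = parse_grype_table(SAMPLE_TABLE)
    for name, entry in sorted(required_upgrades(found).items()):
        print(f"{name}: {entry['installed']} -> {entry['fixed_in']} "
              f"({len(entry['cves'])} CVE(s): {', '.join(entry['cves'])})")
    print("PASS" if image_passes(found) else "FAIL: rebuild with upgraded packages")
```

In a pipeline the table would come from `grype --only-fixed <image>` on stdin instead of the embedded sample; the rollup matters because busybox and ssl_client in the full report each need `1.31.1-r22` (for CVE-2022-28391) even though most of their rows say `-r21`, and expat needs `2.2.10-r2`, so the gate reports one target version per package rather than a row per CVE.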
Please upvote this issue if you want this addressed: https://jira.atlassian.com/browse/OPSGENIE-1038
Hi @ilanKeshet , this issue is resolved now. Thank you!
Thank you 🙏
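Every finding in the report is of type `apk`, i.e. it lives in the `python:alpine3.12` base layers, not in the Go binary. The Dockerfile below is an added illustration (not the repository's actual Dockerfile and not the change the maintainer applied) reconstructed from the build stages visible in the log above; the one substantive addition is an `apk upgrade --no-cache` step, which pulls the FIXED-IN package builds that grype reports for this Alpine release, and a `USER` switch to the service account the image already creates. The Go toolchain version, base tags and paths are taken from the log; the `@sha256:...` digest pins are placeholders for whatever digest the build resolves.

```dockerfile
# Builder stage: same toolchain and build flags as the log above.
# Pin by digest (placeholder shown) so a rebuild is reproducible and reviewable.
FROM golang:1.14@sha256:PLACEHOLDER_BUILDER_DIGEST AS builder
ADD . /go/src/github.com/opsgenie/oec
WORKDIR /go/src/github.com/opsgenie/oec/main
RUN export GIT_COMMIT=$(git rev-list -1 HEAD) && \
    CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -a -installsuffix cgo \
    -ldflags "-X main.OECCommitVersion=$GIT_COMMIT -X main.OECVersion=1.0.1" \
    -o /oec .

# Runtime stage. Bumping this tag to a currently supported Alpine/Python release
# is the real fix; until then, `apk upgrade` alone clears the fixable apk findings
# because the FIXED-IN versions in the report come from this release's repositories.
FROM python:alpine3.12@sha256:PLACEHOLDER_BASE_DIGEST AS base
RUN apk upgrade --no-cache && \
    apk add --no-cache git ca-certificates && \
    update-ca-certificates && \
    addgroup -S opsgenie && adduser -S opsgenie -G opsgenie
RUN pip install --no-cache-dir requests
COPY --from=builder /oec /opt/oec
RUN mkdir -p /var/log/opsgenie && \
    chown -R opsgenie:opsgenie /var/log/opsgenie /opt/oec
# Run as the unprivileged account instead of root.
USER opsgenie
```

Re-running `grype --only-fixed` on the rebuilt image is the check that the upgrade actually landed: because `apk upgrade` runs in a `RUN` layer, a cached layer from an earlier build will silently keep the old packages, so the rebuild should be done with `--no-cache` (or the layer invalidated) before trusting the scan result.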