Skip to content
This repository has been archived by the owner on Oct 2, 2023. It is now read-only.

Outdated distroless base image version has many CVEs #2204

Open
jtse opened this issue Jan 4, 2023 · 6 comments
Open

Outdated distroless base image version has many CVEs #2204

jtse opened this issue Jan 4, 2023 · 6 comments

Comments

@jtse
Copy link

jtse commented Jan 4, 2023

🐞 bug report

Affected Rule

The issue affects go_image, cc_image and probably other *_images.

Is this a regression?

Not really.

Description

The current release v0.25.0 references old versions of distroless base images (2021-12). Users who are building off the default base images are inadvertently using 1+ year old distroless that contain many CVEs. Specifically, this affects users who are copy-pasting

load(
    "@io_bazel_rules_docker//go:image.bzl",
    _go_image_repos = "repositories",
)

_go_image_repos()

And not specifying a base = ... in their go_image.

Please release a new version of rules_docker with updated the distroless image version.

Alternatively, remove repositories() from go:image.bzl and others. This will mean that users will have to explicitly specify a base image/version.

🔬 Minimal Reproduction

  1. Follow the instructions on https://github.com/bazelbuild/rules_docker#go_image to build a go_image without specifying a base = ...

  2. Upload the go_image to Google Container Repository.

🔥 Exception or Error

Google Container Repository reports the following CVEs:

CVE-2022-1292 Critical 10 Yes openssl OS
CVE-2022-2068 Critical 10 Yes openssl OS
CVE-2022-23219 High 7.5 Yes glibc OS
CVE-2021-3999 High 7.8 Yes glibc OS
CVE-2021-33574 High 7.5 Yes glibc OS
CVE-2022-23218 High 7.5 Yes glibc OS
CVE-2021-4160 Medium 4.3 Yes openssl OS
CVE-2022-2097 Medium 5 – openssl OS
CVE-2022-0778 Medium 5 Yes openssl OS
CVE-2019-1010023 Low 6.8 – glibc OS
CVE-2021-43396 Low 5 Yes glibc OS
CVE-2019-1010022 Low 7.5 – glibc OS
CVE-2018-20796 Low 5 – glibc OS
CVE-2010-0928 Low 4 – openssl OS
CVE-2007-6755 Low 5.8 – openssl OS
CVE-2019-9192 Low 5 – glibc OS
CVE-2010-4756 Low 4 – glibc OS
CVE-2019-1010024 Low 5 – glibc OS
CVE-2019-1010025 Low 5 – glibc OS

🌍 Your Environment

Operating System:

  
  N/A
  

Output of bazel version:

  
  N/A
  

Rules_docker version:

  
  v0.25.0 -- latest as of 2023-01-04
  

Anything else relevant?

@sudoforge
Copy link

I'd be a big fan of requiring users to set an explicit base. I'll submit a PR for this later today.

@ensonic
Copy link
Contributor

ensonic commented Feb 2, 2023

@sudoforge did you submit a PR. is your proposal to let users specify the distroless base inter WORKSPACE (repository rule) or on each xx_image rule?

@ensonic
Copy link
Contributor

ensonic commented Feb 20, 2023

What about a release with freshly bumped base to buy some time. In the current form the rules are unusable :/

@alexeagle
Copy link
Collaborator

FWIW, rules_oci has convenient logic for you just specify latest in the oci_pull rule and it gives you the command to "repin" it https://github.com/bazel-contrib/rules_oci/blob/main/oci/pull.bzl#L372-L378

@github-actions
Copy link

github-actions bot commented Sep 9, 2023

This issue has been automatically marked as stale because it has not had any activity for 180 days. It will be closed if no further activity occurs in 30 days.
Collaborators can add an assignee to keep this open indefinitely. Thanks for your contributions to rules_docker!

@github-actions github-actions bot added the Can Close? Will close in 30 days unless there is a comment indicating why not label Sep 9, 2023
@ensonic
Copy link
Contributor

ensonic commented Sep 11, 2023

The issue is still there, but we've switched to rules_oci entirely.

@github-actions github-actions bot removed the Can Close? Will close in 30 days unless there is a comment indicating why not label Sep 12, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants