Update images to address CVEs 24.01.23
Address CVEs 24.01.23
Initial CVE scans report
All images rebuilt in current state as of 24.01.23
CRITICAL=39 HIGH=188 MEDIUM=573 LOW=34
Excluding builder images
CRITICAL=11 HIGH=97 MEDIUM=496 LOW=16
Initial detailed report per image
IMAGE | BASE | CRITICAL | HIGH | MEDIUM | LOW |
---|---|---|---|---|---|
notebook-controller:v1.6.1 | debian:11.6 | 0 | 6 | 2 | 0 |
jupyter-web-app:v1.6.1 | debian:10.13 | 1 | 1 | 0 | 0 |
jupyter-tensorflow-cuda-full:v1.6.1 | ubuntu:20.04 | 2 | 38 | 149 | 4 |
jupyter-tensorflow-full:v1.6.1 | ubuntu:20.04 | 0 | 6 | 98 | 4 |
jupyter-tensorflow-cuda:v1.6.1 | ubuntu:20.04 | 2 | 38 | 149 | 4 |
jupyter-tensorflow:v1.6.1 | ubuntu:20.04 | 0 | 6 | 98 | 4 |
jupyter-pytorch-cuda-full:v1.6.1 | ubuntu:20.04 | 1 | 0 | 0 | 0 |
jupyter-pytorch-full:v1.6.1 | ubuntu:20.04 | 1 | 0 | 0 | 0 |
jupyter-pytorch-cuda:v1.6.1 | ubuntu:20.04 | 1 | 0 | 0 | 0 |
jupyter-pytorch:v1.6.1 | ubuntu:20.04 | 1 | 0 | 0 | 0 |
jupyter-scipy:v1.6.1 | ubuntu:20.04 | 1 | 1 | 0 | 0 |
jupyter:v1.6.1 | ubuntu:20.04 | 0 | 0 | 0 | 0 |
base:v1.6.1 | ubuntu:20.04 | 0 | 0 | 0 | 0 |
gcr.io/distroless/base:debug (base) | debian:11.6 | 0 | 0 | 0 | 0 |
ubuntu:20.04 (base) | ubuntu:20.04 | 0 | 0 | 0 | 0 |
python:3.7-slim-buster (builder/base) | debian:10.13 | 1 | 1 | 0 | 0 |
golang:1.17 (builder) | debian:11.4 | 15 | 70 | 66 | 13 |
node:12-buster-slim (builder) | debian:10.12 | 13 | 21 | 11 | 5 |
Totals: | | 39 | 188 | 573 | 34 |
Implementation details
- Some images included in the scans are used only to build the component. The packaging is done using a base image, which might be different.
- Go v1.17 vs v1.19 changes caused a problem in the `go mod download` command:
  > If the main module's go.mod file specifies go 1.17 or higher, go mod download without arguments now downloads source code for only the modules explicitly required in the main module's go.mod file. (In a go 1.17 or higher module, that set already includes all dependencies needed to build the packages and tests in the main module.) To also download source code for transitive dependencies, use go mod download all.

  Had to change to `go mod download all` to build the container properly.
Testing
Integration testing needs to pass after any updates.
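The two points above (builder image vs. shipped base image, and `go mod download all` for go 1.17+ modules) in one place, as an added example that is not the project's own Dockerfile. The builder tag and base tag are the ones listed in the scan tables; the module path, binary name and output directory are placeholders.

```dockerfile
# Added example, not the project's Dockerfile. Stage 1 is the builder: its
# packages (the golang:1.19 row in the scan table) never reach the image that
# is shipped, because only the compiled binary is copied out of it.
FROM golang:1.19 AS builder
WORKDIR /src
COPY go.mod go.sum ./
# go.mod declares go 1.17 or higher, so a bare `go mod download` fetches only
# the modules named in go.mod; `all` also fetches transitive dependencies,
# which is the change the issue needed to get the container to build.
RUN go mod download all
COPY . .
# Placeholder package path and output name.
RUN CGO_ENABLED=0 go build -o /out/controller ./cmd/controller

# Stage 2 is the base that is actually scanned as the shipped image
# (the gcr.io/distroless/base:debug row in the table).
FROM gcr.io/distroless/base:debug
COPY --from=builder /out/controller /controller
ENTRYPOINT ["/controller"]
```

Scanning both stages is still useful (a compromised builder can tamper with what it compiles), but the findings that matter for the deployed artifact are the ones in the final stage, which is why the report separates "builder" rows from the totals that exclude them.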
Trivy report as of 24.01.23.
trivy-reports.zip
Applied suggested fixes.
Detailed report per image
Tag: v1.6.1
Date: 2023.1.25
CVEs per image:
IMAGE | BASE | CRITICAL | HIGH | MEDIUM | LOW |
---|---|---|---|---|---|
notebook-controller:v1.6.1 | debian:11.6 | 0 | 6 | 2 | 0 |
jupyter-web-app:v1.6.1 | debian:11.6 | 0 | 1 | 0 | 0 |
jupyter-tensorflow-cuda-full:v1.6.1 | ubuntu:20.04 | 0 | 0 | 0 | 4 |
jupyter-tensorflow-full:v1.6.1 | ubuntu:20.04 | 0 | 6 | 98 | 8 |
jupyter-tensorflow-cuda:v1.6.1 | ubuntu:20.04 | 0 | 0 | 0 | 4 |
jupyter-tensorflow:v1.6.1 | ubuntu:20.04 | 0 | 6 | 98 | 8 |
jupyter-pytorch-cuda-full:v1.6.1 | ubuntu:20.04 | 1 | 0 | 0 | 4 |
jupyter-pytorch-full:v1.6.1 | ubuntu:20.04 | 1 | 0 | 0 | 4 |
jupyter-pytorch-cuda:v1.6.1 | ubuntu:20.04 | 1 | 0 | 0 | 4 |
jupyter-pytorch:v1.6.1 | ubuntu:20.04 | 1 | 0 | 0 | 4 |
jupyter-scipy:v1.6.1 | ubuntu:20.04 | 0 | 1 | 0 | 4 |
jupyter:v1.6.1 | ubuntu:20.04 | 0 | 0 | 0 | 4 |
base:v1.6.1 | ubuntu:20.04 | 0 | 0 | 0 | 4 |
gcr.io/distroless/base:debug (base) | debian:11.6 | 0 | 0 | 0 | 0 |
ubuntu:20.04 (base) | ubuntu:20.04 | 0 | 0 | 0 | 4 |
python:3.7-slim-bullseye (base) | debian:11.6 | 0 | 1 | 0 | 0 |
python:3.7-slim-buster (builder) | debian:10.13 | 1 | 1 | 0 | 0 |
golang:1.19 (builder) | debian:11.6 | 0 | 5 | 6 | 0 |
node:12-buster-slim (builder) | debian:10.12 | 13 | 21 | 11 | 5 |
Totals: | | 18 | 48 | 215 | 61 |
Trivy reports as of 25.01.23
trivy-reports.zip
Updated selected images are published at https://hub.docker.com/repositories/charmedkubeflow
1 (one) unfixed Critical CVE-2022-45907 in jupyter-pytorch:v1.6.1
related to AMD GPU support. It is fixable by updating the library. Could not find a way to do it properly in this case.
```json
{
"Target": "Python",
"Class": "lang-pkgs",
"Type": "python-pkg",
"Vulnerabilities": [
{
"VulnerabilityID": "CVE-2022-45907",
"PkgName": "torch",
"PkgPath": "opt/conda/lib/python3.8/site-packages/torch-1.8.1+rocm4.0.1.dist-info/METADATA",
"InstalledVersion": "1.8.1+rocm4.0.1",
"FixedVersion": "1.13.1",
"Layer": {
"DiffID": "sha256:b43bfa2263ce2aca198dd2d5e2fbef7d373f12004eb7116b230bd424773c8e9f"
},
"SeveritySource": "ghsa",
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-45907",
"DataSource": {
"ID": "ghsa",
"Name": "GitHub Security Advisory Pip",
"URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip"
},
"Title": "In PyTorch before trunk/89695, torch.jit.annotations.parse_type_line c ...",
"Description": "In PyTorch before trunk/89695, torch.jit.annotations.parse_type_line can cause arbitrary code execution because eval is used unsafely.",
"Severity": "CRITICAL",
"CweIDs": [
"CWE-77"
],
"CVSS": {
"ghsa": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"V3Score": 9.8
},
"nvd": {
"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"V3Score": 9.8
}
},
"References": [
"https://github.com/advisories/GHSA-47fc-vmwq-366v",
"https://github.com/pytorch/pytorch/commit/767f6aa49fe20a2766b9843d01e3b7f7793df6a3",
"https://github.com/pytorch/pytorch/issues/88868",
"https://github.com/pytorch/pytorch/issues/89855",
"https://github.com/pytorch/pytorch/pull/89189",
"https://github.com/pytorch/pytorch/releases/tag/v1.13.1",
"https://nvd.nist.gov/vuln/detail/CVE-2022-45907"
],
"PublishedDate": "2022-11-26T02:15:00Z",
"LastModifiedDate": "2022-11-28T19:25:00Z"
}
]
}
```
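The per-image rows in the tables above and the "unfixed" call-out are both derived from Trivy's JSON output. As an added example (not code from this issue or from the notebook-operators project), the script below reads a report in that shape, counts findings per severity in the same CRITICAL/HIGH/MEDIUM/LOW columns, separates findings that have a `FixedVersion` from those that do not, and applies a simple gate. The embedded report is constructed for the example: the torch entry copies the shape of the finding quoted above, and the two `EXAMPLE-...` entries are invented placeholders, not real advisories.

```python
"""Summarise a Trivy JSON report (added example, not the project's tooling).

Trivy's JSON output is {"Results": [{"Target", "Class", "Type",
"Vulnerabilities": [...]}, ...]}; the quoted fragment in this issue is one
such Results entry. "Vulnerabilities" may be absent or null for a clean target.
"""
import json
from collections import Counter

SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW")

# Constructed sample report. The torch finding mirrors the one quoted in the
# issue; the EXAMPLE-* ids are placeholders, not real vulnerability ids.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "charmedkubeflow/jupyter-pytorch:v1.6.1",
    "Results": [
        {
            "Target": "Python", "Class": "lang-pkgs", "Type": "python-pkg",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-2022-45907", "PkgName": "torch",
                 "InstalledVersion": "1.8.1+rocm4.0.1", "FixedVersion": "1.13.1",
                 "Severity": "CRITICAL"},
            ],
        },
        {
            "Target": "jupyter-pytorch:v1.6.1 (ubuntu 20.04)",
            "Class": "os-pkgs", "Type": "ubuntu",
            "Vulnerabilities": [
                # constructed: no upstream fix yet, so FixedVersion is absent
                {"VulnerabilityID": "EXAMPLE-0001", "PkgName": "example-pkg",
                 "InstalledVersion": "1.0-1", "Severity": "LOW"},
                # constructed: fix available
                {"VulnerabilityID": "EXAMPLE-0002", "PkgName": "example-lib",
                 "InstalledVersion": "2.0-1", "FixedVersion": "2.0-2",
                 "Severity": "HIGH"},
            ],
        },
        {"Target": "clean-target", "Class": "lang-pkgs", "Type": "gobinary"},
    ],
})


def sample_report() -> dict:
    """Parse the constructed sample report."""
    return json.loads(SAMPLE_REPORT)


def iter_vulns(report: dict):
    """Yield (target, finding) for every finding; tolerate missing/null lists."""
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            yield result.get("Target", ""), vuln


def severity_counts(report: dict) -> dict:
    """Findings per severity, in the same columns as the issue's tables."""
    counts = Counter(v.get("Severity", "UNKNOWN") for _, v in iter_vulns(report))
    return {s: counts.get(s, 0) for s in SEVERITIES}


def split_by_fix(report: dict):
    """Return (fixable, unfixed) as (id, package, installed, fixed) tuples.

    A finding without FixedVersion has no fix in the vulnerability database,
    so rebuilding on a newer base cannot clear it; it needs tracking instead.
    """
    fixable, unfixed = [], []
    for _, v in iter_vulns(report):
        entry = (v["VulnerabilityID"], v["PkgName"],
                 v.get("InstalledVersion", ""), v.get("FixedVersion", ""))
        (fixable if v.get("FixedVersion") else unfixed).append(entry)
    return fixable, unfixed


def gate(report: dict, block_on=("CRITICAL", "HIGH")) -> bool:
    """True when no *fixable* finding at a blocking severity remains.

    Unfixed findings are reported, not blocked. The torch CVE has a fix
    (1.13.1), so this report fails the gate, which is exactly why the issue
    calls it out explicitly rather than treating the image as clean.
    """
    return not any(v.get("Severity") in block_on and v.get("FixedVersion")
                   for _, v in iter_vulns(report))


def markdown_row(image: str, base: str, report: dict) -> str:
    """One table row in the format used in this issue."""
    c = severity_counts(report)
    return f"{image} | {base} | " + " | ".join(str(c[s]) for s in SEVERITIES) + " |"


if __name__ == "__main__":
    r = sample_report()
    print(markdown_row("jupyter-pytorch:v1.6.1", "ubuntu:20.04", r))
    fixable, unfixed = split_by_fix(r)
    print("fixable:", fixable)
    print("unfixed:", unfixed)
    print("gate passed:", gate(r))
```

To run it against a real report, replace `sample_report()` with `json.load(open("trivy.json"))` where `trivy.json` was produced with Trivy's JSON output format; the same functions then give the row for each image and the list that belongs in an "unfixed" note like the one above.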
Integration tests with updated containers:
charms/jupyter-controller/metadata.yaml
oci-image:
type: oci-image
description: 'Backing OCI image'
- upstream-source: docker.io/kubeflownotebookswg/notebook-controller:v1.6.1
+ upstream-source: registry.hub.docker.com/charmedkubeflow/notebook-controller:v1.6.1
deployment:
type: stateless
service: omit
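Review bot: the new `upstream-source` is still a tag-only reference (`:v1.6.1`), and that tag is the same string the upstream image uses, so nothing in the charm metadata ties the deployment to the exact rebuilt artifact that was scanned; consider pinning with a digest (`...notebook-controller:v1.6.1@sha256:<digest-of-scanned-image>`) so the image that passed the Trivy scan is provably the one pulled at deploy time, and so a later re-push under the same tag cannot silently change what gets deployed.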
charms/jupyter-ui/metadata.yaml
oci-image:
type: oci-image
description: 'Backing OCI image'
- upstream-source: docker.io/kubeflownotebookswg/jupyter-web-app:v1.6.1
+ upstream-source: registry.hub.docker.com/charmedkubeflow/jupyter-web-app:v1.6.1
requires:
ingress:
interface: ingress
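Review bot: same tag-only concern as the jupyter-controller hunk, and in addition the registry host is written as `registry.hub.docker.com` here while the removed line used `docker.io`; both resolve to Docker Hub, but keeping one form across both metadata files (and ideally a one-line note in `description` that this is the rebuilt charmedkubeflow image) makes it obvious to the next reader that the tag deliberately mirrors upstream rather than being a stale reference.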
```
============================================ test session starts =============================================
platform linux -- Python 3.8.16, pytest-7.2.0, pluggy-1.0.0 -- /home/ichvets/cw/dev/notebook-operators/.tox/integration/bin/python
cachedir: .tox/integration/.pytest_cache
rootdir: /home/ichvets/cw/dev/notebook-operators
plugins: operator-0.22.0, anyio-3.6.2, asyncio-0.20.3
asyncio: mode=auto
collecting ... collected 3 items
tests/test_charms.py::test_build_and_deploy
----------------------------------------------- live log setup -----------------------------------------------
INFO pytest_operator.plugin:plugin.py:653 Connecting to existing model uk8s:kubeflow on unspecified cloud
----------------------------------------------- live log call ------------------------------------------------
INFO pytest_operator.plugin:plugin.py:504 Using tmp_path: /home/ichvets/cw/dev/notebook-operators/.tox/integration/tmp/pytest/kubeflow0
INFO pytest_operator.plugin:plugin.py:948 Building charm jupyter-controller
INFO pytest_operator.plugin:plugin.py:953 Built charm jupyter-controller in 14.27s
INFO pytest_operator.plugin:plugin.py:504 Using tmp_path: /home/ichvets/cw/dev/notebook-operators/.tox/integration/tmp/pytest/kubeflow0
INFO pytest_operator.plugin:plugin.py:948 Building charm jupyter-ui
INFO pytest_operator.plugin:plugin.py:953 Built charm jupyter-ui in 17.85s
INFO juju.model:model.py:2088 Deploying ch:amd64/focal/istio-pilot-251
INFO juju.model:model.py:2088 Deploying ch:amd64/focal/istio-gateway-239
INFO juju.model:model.py:2715 Waiting for model:
istio-pilot/0 [allocating] waiting: installing agent
istio-ingressgateway/0 [allocating] waiting: installing agent
INFO juju.model:model.py:2715 Waiting for model:
istio-pilot/0 [allocating] waiting: agent initializing
istio-ingressgateway/0 [allocating] waiting: agent initializing
INFO juju.model:model.py:2715 Waiting for model:
istio-pilot/0 [idle] active:
istio-ingressgateway/0 [idle] active:
INFO juju.model:model.py:2088 Deploying local:focal/jupyter-ui-0
INFO juju.model:model.py:2715 Waiting for model:
jupyter-ui/0 [allocating] waiting: installing agent
INFO juju.model:model.py:2715 Waiting for model:
jupyter-ui/0 [executing] active:
INFO juju.model:model.py:2088 Deploying local:kubernetes/jupyter-controller-0
INFO juju.model:model.py:2088 Deploying ch:amd64/focal/admission-webhook-80
INFO juju.model:model.py:2088 Deploying ch:amd64/focal/kubeflow-profiles-94
INFO juju.model:model.py:2088 Deploying ch:amd64/focal/kubeflow-dashboard-205
INFO juju.model:model.py:2715 Waiting for model:
istio-pilot/0 [idle] active:
istio-ingressgateway/0 [idle] active:
jupyter-ui/0 [idle] active:
jupyter-controller/0 [allocating] waiting: installing agent
admission-webhook/0 [allocating] waiting: installing agent
kubeflow-profiles/0 [allocating] waiting: installing agent
kubeflow-dashboard/0 [allocating] waiting: installing agent
INFO juju.model:model.py:2715 Waiting for model:
jupyter-controller/0 [executing] active:
admission-webhook/0 [executing] maintenance: installing charm software
kubeflow-profiles/0 [allocating] waiting: agent initializing
kubeflow-dashboard/0 [allocating] waiting: agent initializing
INFO juju.model:model.py:2715 Waiting for model:
kubeflow-profiles/0 [idle] active:
kubeflow-dashboard/0 [idle] active:
PASSED
tests/test_charms.py::test_prometheus_grafana_integration
----------------------------------------------- live log call ------------------------------------------------
INFO juju.model:model.py:2088 Deploying ch:amd64/focal/prometheus-k8s-101
INFO juju.model:model.py:2088 Deploying ch:amd64/focal/grafana-k8s-63
INFO juju.model:model.py:2088 Deploying ch:amd64/focal/prometheus-scrape-config-k8s-39
INFO juju.model:model.py:2715 Waiting for model:
istio-pilot/0 [idle] active:
istio-ingressgateway/0 [idle] active:
jupyter-ui/0 [idle] active:
jupyter-controller/0 [executing] active:
admission-webhook/0 [idle] active:
kubeflow-profiles/0 [idle] active:
kubeflow-dashboard/0 [idle] active:
prometheus-k8s/0 [allocating] waiting: agent initializing
grafana-k8s/0 [allocating] waiting: installing agent
prometheus-scrape-config-k8s/0 [allocating] waiting: installing agent
INFO juju.model:model.py:2715 Waiting for model:
jupyter-controller/0 [idle] active:
prometheus-k8s/0 [idle] waiting: Waiting for resource limit patch to apply
grafana-k8s/0 [allocating] waiting: agent initializing
prometheus-scrape-config-k8s/0 [executing] active:
INFO juju.model:model.py:2715 Waiting for model:
jupyter-controller/0 [idle] active:
prometheus-k8s/0 [idle] active:
grafana-k8s/0 [idle] unknown:
INFO juju.model:model.py:2715 Waiting for model:
grafana-k8s/0 [idle] unknown:
INFO juju.model:model.py:2715 Waiting for model:
grafana-k8s/0 [executing] maintenance:
INFO juju.model:model.py:2715 Waiting for model:
grafana-k8s/0 [executing] active:
INFO test_charms:test_charms.py:303 Prometheus available at http://10.1.59.90:9090
INFO test_charms:test_charms.py:306 Testing prometheus deployment (attempt 1)
INFO test_charms:test_charms.py:316 Response status is success
PASSED
--------------------------------------------- live log teardown ----------------------------------------------
INFO pytest_operator.plugin:plugin.py:768 Model status:
Model Controller Cloud/Region Version SLA Timestamp
kubeflow uk8s microk8s/localhost 2.9.34 unsupported 20:11:13-05:00
App Version Status Scale Charm Channel Rev Address Exposed Message
admission-webhook res:oci-image@129fe92 active 1 admission-webhook edge 80 10.152.183.199 no
grafana-k8s 9.2.1 active 1 grafana-k8s edge 63 10.152.183.82 no
istio-ingressgateway active 1 istio-gateway edge 239 10.152.183.3 no
istio-pilot active 1 istio-pilot edge 251 10.152.183.81 no
jupyter-controller .../notebook-controller:v1.6.1 active 1 jupyter-controller 0 no
jupyter-ui active 1 jupyter-ui 0 10.152.183.219 no
kubeflow-dashboard active 1 kubeflow-dashboard edge 205 10.152.183.163 no
kubeflow-profiles res:profile-image@cfd6935 active 1 kubeflow-profiles 1.6/edge 94 10.152.183.70 no
prometheus-k8s 2.33.5 active 1 prometheus-k8s edge 101 10.152.183.38 no
prometheus-scrape-config-k8s n/a active 1 prometheus-scrape-config-k8s beta 39 10.152.183.5 no
Unit Workload Agent Address Ports Message
admission-webhook/0* active idle 10.1.59.85 4443/TCP
grafana-k8s/0* active idle 10.1.59.91
istio-ingressgateway/0* active idle 10.1.59.76
istio-pilot/0* active idle 10.1.59.75
jupyter-controller/0* active idle 10.1.59.84
jupyter-ui/0* active idle 10.1.59.79
kubeflow-dashboard/0* active idle 10.1.59.83
kubeflow-profiles/0* active idle 10.1.59.86 8080/TCP,8081/TCP
prometheus-k8s/0* active idle 10.1.59.90
prometheus-scrape-config-k8s/0* active idle 10.1.59.89
INFO pytest_operator.plugin:plugin.py:774 Juju error logs:
INFO pytest_operator.plugin:plugin.py:839 Forgetting main...
================================== 2 passed in 472.61s (0:07:52) ==================================
integration: OK (473.22=setup[0.04]+cmd[473.19] seconds)
congratulations :) (473.27 seconds)
```
First iteration is complete. Closing.