
cartservice: alpine --> noble-chiseled #2568

Merged
merged 2 commits into from
May 30, 2024

Conversation

mathieu-benoit
Contributor

@mathieu-benoit mathieu-benoit commented May 30, 2024

For cartservice, moving from alpine to chiseled (i.e. distroless).

Resources:

Size (+4 MB)

  • Before: 110 MB
  • After: 114 MB --> +4 MB, that's nothing for all the benefits!

Packages (-10 packages)

Note: syft was used.

Before:

✔ Packages                               [17 packages]
   ├── ✔ File digests                    [81 files]
   ├── ✔ File metadata                   [81 locations]
   └── ✔ Executables                     [20 executables]
NAME                    VERSION                 TYPE
alpine-baselayout       3.4.3-r1                apk
alpine-baselayout-data  3.4.3-r1                apk
alpine-keys             2.4-r1                  apk
apk-tools               2.14.0-r2               apk
busybox                 1.36.1-r5               apk
busybox-binsh           1.36.1-r5               apk
ca-certificates-bundle  20240226-r0             apk
libc-utils              0.7.2-r5                apk
libcrypto3              3.1.4-r5                apk
libgcc                  12.2.1_git20220924-r10  apk
libssl3                 3.1.4-r5                apk
libstdc++               12.2.1_git20220924-r10  apk
musl                    1.2.4-r2                apk
musl-utils              1.2.4-r2                apk
scanelf                 1.3.7-r1                apk
ssl_client              1.36.1-r5               apk
zlib                    1.2.13-r1               apk

After:

✔ Packages                               [7 packages]
   └── ✔ Executables                     [30 executables]
NAME             VERSION                TYPE
base-files       13ubuntu10             deb
ca-certificates  20240203               deb
libc6            2.39-0ubuntu8.1        deb
libgcc-s1        14-20240412-0ubuntu1   deb
libssl3t64       3.0.13-0ubuntu3.1      deb
libstdc++6       14-20240412-0ubuntu1   deb
zlib1g           1:1.3.dfsg-3.1ubuntu2  deb

CVEs (+2 LOW and -5 MEDIUM)

Note: trivy was used.

Before:

gcr.io/google-samples/microservices-demo/cartservice:v0.10.0 (alpine 3.18.6)

Total: 7 (UNKNOWN: 0, LOW: 2, MEDIUM: 5, HIGH: 0, CRITICAL: 0)

┌───────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────────────┐
│    Library    │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                           Title                           │
├───────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤
│ busybox       │ CVE-2023-42366 │ MEDIUM   │ fixed  │ 1.36.1-r5         │ 1.36.1-r6     │ busybox: A heap-buffer-overflow                           │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-42366                │
├───────────────┤                │          │        │                   │               │                                                           │
│ busybox-binsh │                │          │        │                   │               │                                                           │
│               │                │          │        │                   │               │                                                           │
├───────────────┼────────────────┤          │        ├───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤
│ libcrypto3    │ CVE-2024-4603  │          │        │ 3.1.4-r5          │ 3.1.5-r0      │ openssl: Excessive time spent checking DSA keys and       │
│               │                │          │        │                   │               │ parameters                                                │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-4603                 │
│               ├────────────────┼──────────┤        │                   ├───────────────┼───────────────────────────────────────────────────────────┤
│               │ CVE-2024-2511  │ LOW      │        │                   │ 3.1.4-r6      │ openssl: Unbounded memory growth with session handling in │
│               │                │          │        │                   │               │ TLSv1.3                                                   │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-2511                 │
├───────────────┼────────────────┼──────────┤        │                   ├───────────────┼───────────────────────────────────────────────────────────┤
│ libssl3       │ CVE-2024-4603  │ MEDIUM   │        │                   │ 3.1.5-r0      │ openssl: Excessive time spent checking DSA keys and       │
│               │                │          │        │                   │               │ parameters                                                │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-4603                 │
│               ├────────────────┼──────────┤        │                   ├───────────────┼───────────────────────────────────────────────────────────┤
│               │ CVE-2024-2511  │ LOW      │        │                   │ 3.1.4-r6      │ openssl: Unbounded memory growth with session handling in │
│               │                │          │        │                   │               │ TLSv1.3                                                   │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-2511                 │
├───────────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤
│ ssl_client    │ CVE-2023-42366 │ MEDIUM   │        │ 1.36.1-r5         │ 1.36.1-r6     │ busybox: A heap-buffer-overflow                           │
│               │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-42366                │
└───────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────────────┘

After:

gcr.io/online-boutique-ci/refs/pull/2568/cartservice:2568 (ubuntu 24.04)

Total: 4 (UNKNOWN: 0, LOW: 4, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

┌────────────┬────────────────┬──────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│  Library   │ Vulnerability  │ Severity │  Status  │ Installed Version │ Fixed Version │                           Title                            │
├────────────┼────────────────┼──────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ libc6      │ CVE-2016-20013 │ LOW      │ affected │ 2.39-0ubuntu8.1   │               │ sha256crypt and sha512crypt through 0.6 allow attackers to │
│            │                │          │          │                   │               │ cause a denial of...                                       │
│            │                │          │          │                   │               │ https://avd.aquasec.com/nvd/cve-2016-20013                 │
├────────────┼────────────────┤          │          ├───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ libssl3t64 │ CVE-2024-2511  │          │          │ 3.0.13-0ubuntu3.1 │               │ openssl: Unbounded memory growth with session handling in  │
│            │                │          │          │                   │               │ TLSv1.3                                                    │
│            │                │          │          │                   │               │ https://avd.aquasec.com/nvd/cve-2024-2511                  │
│            ├────────────────┤          │          │                   ├───────────────┼────────────────────────────────────────────────────────────┤
│            │ CVE-2024-4603  │          │          │                   │               │ openssl: Excessive time spent checking DSA keys and        │
│            │                │          │          │                   │               │ parameters                                                 │
│            │                │          │          │                   │               │ https://avd.aquasec.com/nvd/cve-2024-4603                  │
│            ├────────────────┤          │          │                   ├───────────────┼────────────────────────────────────────────────────────────┤
│            │ CVE-2024-4741  │          │          │                   │               │ openssl: Use After Free with SSL_free_buffers              │
│            │                │          │          │                   │               │ https://avd.aquasec.com/nvd/cve-2024-4741                  │
└────────────┴────────────────┴──────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘
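The before/after trivy tables above are read by eye; the script below does the same comparison programmatically, so the delta a base-image switch produces (+2 LOW, -5 MEDIUM here), which CVEs disappeared, which are new, which were merely re-rated, and which remaining findings have no fix available can be checked in CI rather than in a PR description. This is an added example, not code from this PR or from the microservices-demo project. The two embedded reports are constructed to mirror the two tables in this PR; they are not real trivy output from the cartservice images. The field names used (`Results`, `Vulnerabilities`, `VulnerabilityID`, `PkgName`, `Severity`, `Status`, `InstalledVersion`, `FixedVersion`) follow trivy's JSON output format as I know it, and `_report` is a hypothetical helper that builds a report in that shape.

```python
"""Compare two trivy JSON reports and summarise what a base-image switch changed.

Added example (not part of the PR). Reports are CONSTRUCTED from the two tables
in the PR description; field names follow trivy's JSON schema (assumption).
"""
import json
from collections import Counter

SEVERITIES = ("UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL")


def _report(target, vulns):
    """Hypothetical helper: build a minimal trivy-shaped report from
    (pkg, cve, severity, status, installed, fixed) tuples."""
    return {
        "ArtifactName": target,
        "Results": [{
            "Target": target,
            "Vulnerabilities": [
                {"VulnerabilityID": cve, "PkgName": pkg, "Severity": sev, "Status": status,
                 "InstalledVersion": inst, "FixedVersion": fixed}
                for pkg, cve, sev, status, inst, fixed in vulns
            ],
        }],
    }


# Constructed to mirror the "Before" (alpine 3.18.6) table; serialised to JSON so the
# parsing path matches a real `trivy image -f json -o report.json <image>` run.
BEFORE_JSON = json.dumps(_report("cartservice:v0.10.0 (alpine 3.18.6)", [
    ("busybox",       "CVE-2023-42366", "MEDIUM", "fixed", "1.36.1-r5", "1.36.1-r6"),
    ("busybox-binsh", "CVE-2023-42366", "MEDIUM", "fixed", "1.36.1-r5", "1.36.1-r6"),
    ("libcrypto3",    "CVE-2024-4603",  "MEDIUM", "fixed", "3.1.4-r5",  "3.1.5-r0"),
    ("libcrypto3",    "CVE-2024-2511",  "LOW",    "fixed", "3.1.4-r5",  "3.1.4-r6"),
    ("libssl3",       "CVE-2024-4603",  "MEDIUM", "fixed", "3.1.4-r5",  "3.1.5-r0"),
    ("libssl3",       "CVE-2024-2511",  "LOW",    "fixed", "3.1.4-r5",  "3.1.4-r6"),
    ("ssl_client",    "CVE-2023-42366", "MEDIUM", "fixed", "1.36.1-r5", "1.36.1-r6"),
]))
# Constructed to mirror the "After" (ubuntu 24.04 chiseled) table; no fixed versions.
AFTER_JSON = json.dumps(_report("cartservice:2568 (ubuntu 24.04)", [
    ("libc6",      "CVE-2016-20013", "LOW", "affected", "2.39-0ubuntu8.1",   ""),
    ("libssl3t64", "CVE-2024-2511",  "LOW", "affected", "3.0.13-0ubuntu3.1", ""),
    ("libssl3t64", "CVE-2024-4603",  "LOW", "affected", "3.0.13-0ubuntu3.1", ""),
    ("libssl3t64", "CVE-2024-4741",  "LOW", "affected", "3.0.13-0ubuntu3.1", ""),
]))


def load_findings(report_json):
    """Flatten a trivy JSON report into a list of vulnerability dicts."""
    report = json.loads(report_json)
    findings = []
    for result in report.get("Results", []):
        findings.extend(result.get("Vulnerabilities") or [])  # key may be null
    return findings


def severity_counts(findings):
    """Count findings per severity, in the order trivy prints its Total line."""
    counts = Counter(f["Severity"] for f in findings)
    return {s: counts.get(s, 0) for s in SEVERITIES}


def severity_delta(before, after):
    """Signed change per severity (after minus before)."""
    b, a = severity_counts(before), severity_counts(after)
    return {s: a[s] - b[s] for s in SEVERITIES}


def cve_sets(before, after):
    """Split CVE ids into (gone, kept, new) between the two scans."""
    b = {f["VulnerabilityID"] for f in before}
    a = {f["VulnerabilityID"] for f in after}
    return b - a, b & a, a - b


def severity_changes(before, after):
    """CVEs in both scans whose rated severity differs between the two distros."""
    def by_cve(findings):
        return {f["VulnerabilityID"]: f["Severity"] for f in findings}
    b, a = by_cve(before), by_cve(after)
    return {cve: (b[cve], a[cve]) for cve in b.keys() & a.keys() if b[cve] != a[cve]}


def unfixed(findings):
    """(pkg, cve) pairs with no fixed version: a package upgrade cannot clear them."""
    return sorted({(f["PkgName"], f["VulnerabilityID"])
                   for f in findings if not f.get("FixedVersion")})


if __name__ == "__main__":
    before, after = load_findings(BEFORE_JSON), load_findings(AFTER_JSON)
    print("severity delta:", severity_delta(before, after))
    gone, kept, new = cve_sets(before, after)
    print("gone:", sorted(gone), "kept:", sorted(kept), "new:", sorted(new))
    print("re-rated:", severity_changes(before, after))
    print("unfixed after:", unfixed(after))
```

Two things the script surfaces that the raw counts hide: CVE-2024-4603 is MEDIUM on the alpine scan but LOW on the ubuntu one, because trivy takes severity from each distribution's own advisory data where it exists, so part of a "fewer MEDIUMs" headline can be a re-rating rather than a removal; and every finding in the chiseled image has an empty fixed version, so those four cannot be closed by bumping packages and have to be tracked until the distro ships a fix.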

@mathieu-benoit mathieu-benoit marked this pull request as draft May 30, 2024 20:44
@mathieu-benoit
Contributor Author

Ready for your review, thanks!

@NimJay
Collaborator

NimJay commented May 30, 2024

Thanks, @mathieu-benoit! Looks great.

@NimJay NimJay merged commit 5dc6736 into GoogleCloudPlatform:main May 30, 2024
6 checks passed
@mathieu-benoit mathieu-benoit deleted the patch-2 branch May 30, 2024 21:58