
Scan docker images for vulnerabilities #3392

Closed
wants to merge 19 commits into from

Conversation

EnricoMi
Collaborator

@EnricoMi EnricoMi commented Jan 31, 2022

This scans our to-be-released docker images for vulnerabilities. Results are reported to GitHub Security.

@EnricoMi EnricoMi force-pushed the branch-docker-vulnerability-scan branch 5 times, most recently from 4353bf6 to 7588cf5 on February 1, 2022 10:08
@crazy-max

crazy-max commented Feb 1, 2022

@EnricoMi For this error: https://github.com/horovod/horovod/runs/5019456769?check_suite_focus=true#step:8:21

Error: 2022-02-01T10:47:24.296Z	FATAL	scan error: image scan failed: failed analysis: analyze error: failed to analyze layer: sha256:209f02f28bcd94fbda5c57ffa46bc7f7f3ccd55530454ec1d07a4a35122acdbb : unable to get uncompressed layer sha256:209f02f28bcd94fbda5c57ffa46bc7f7f3ccd55530454ec1d07a4a35122acdbb: failed to get the layer (sha256:209f02f28bcd94fbda5c57ffa46bc7f7f3ccd55530454ec1d07a4a35122acdbb): unable to populate: unable to open: failed to copy the image: write /tmp/fanal-2740541230: no space left on device

Just add a step to remove dotnet for example (~23G): docker/build-push-action#321 (comment)

  - name: Remove dotnet
    run: sudo rm -rf /usr/share/dotnet
  - name: Scan for vulnerabilities
    id: scan
    uses: crazy-max/ghaction-container-scan@v1
    with:
      image: horovod/${{ matrix.docker-image }}:latest
      dockerfile: ./docker/${{ matrix.docker-image }}/Dockerfile
    env:
      TRIVY_TIMEOUT: 60m

Edit: added a note about that: https://github.com/crazy-max/ghaction-container-scan#failed-to-copy-the-image-write-tmpfanal-2740541230-no-space-left-on-device

@EnricoMi
Collaborator Author

EnricoMi commented Feb 1, 2022

Thanks, I am already deleting it, among others:

/usr/share/dotnet
/usr/local/lib/android
/opt/ghc

Otherwise I would not be able to build the image in the first place.

Now the scanning needs more disk space, so I am currently trying to find more directories to delete.

Thanks for looking into this, though!

@EnricoMi EnricoMi force-pushed the branch-docker-vulnerability-scan branch from 7588cf5 to 4ca18dd on February 1, 2022 14:23
@EnricoMi
Collaborator Author

EnricoMi commented Feb 1, 2022

Little remark @crazy-max, /usr/share/dotnet consumes only 4.1GB on Ubuntu 20.04: https://github.com/horovod/horovod/runs/5022621213?check_suite_focus=true#step:6:55

Other paths:

  • /usr/local/lib/android occupies 15GB
  • /opt/hostedtoolcache/CodeQL another 2GB
  • /opt/hostedtoolcache/go has 1.2 GB
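
The two comments above amount to a small procedure: free the large, unneeded directories on the runner before the scan step, and make sure enough space is actually available before Trivy starts copying the image to /tmp. The script below is an added example, not code from this PR or from the horovod project; the function names are mine, and the directory list is the one named in this thread.

```bash
#!/usr/bin/env bash
# Added example: free disk space on a GitHub-hosted runner before a container
# scan, and refuse to start the scan if too little space remains, so the job
# fails early with a clear message instead of "no space left on device".
set -euo pipefail

# Directories this thread identifies as large and unneeded for the scan job.
DEFAULT_DIRS="/usr/share/dotnet /usr/local/lib/android /opt/ghc /opt/hostedtoolcache/CodeQL /opt/hostedtoolcache/go"

# free_kib <path>: print free space (KiB) on the filesystem holding <path>.
free_kib() {
  df -Pk "$1" | awk 'NR==2 {print $4}'
}

# remove_dirs <root> <dir>...: delete each <dir> below <root> if it exists and
# print how many were removed. <root> is "/" on a runner; a test can pass a
# temporary directory so nothing real is touched.
remove_dirs() {
  local root=$1; shift
  local removed=0
  for d in "$@"; do
    if [ -d "$root$d" ]; then
      rm -rf "$root$d"   # on a real runner this needs sudo
      removed=$((removed + 1))
    fi
  done
  echo "$removed"
}

# require_free <path> <min_gib>: succeed (exit 0) only if the filesystem
# holding <path> has at least <min_gib> GiB free; otherwise exit 1 so the
# workflow step fails before Trivy starts writing to /tmp.
require_free() {
  local need_kib=$(( $2 * 1024 * 1024 ))
  local have_kib
  have_kib=$(free_kib "$1")
  if [ "$have_kib" -ge "$need_kib" ]; then
    return 0
  fi
  echo "only $((have_kib / 1024 / 1024)) GiB free on $1, need $2 GiB" >&2
  return 1
}

# free_runner_space [<root>]: what the pre-scan workflow step would call.
# Word splitting of DEFAULT_DIRS is intentional here.
free_runner_space() {
  # shellcheck disable=SC2086
  remove_dirs "${1:-/}" $DEFAULT_DIRS
}
```

In a workflow step this would be `sudo bash free-space.sh` followed by `require_free /tmp 20` (20 GiB is an assumed threshold) before the `crazy-max/ghaction-container-scan` step.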

@EnricoMi EnricoMi force-pushed the branch-docker-vulnerability-scan branch 5 times, most recently from cf16f55 to 42e4955 on February 5, 2022 19:08
@github-actions

github-actions bot commented Feb 26, 2022

Unit Test Results

    792 files   -38       792 suites  -38     9h 14m 24s ⏱️ -44m 38s
    722 tests   ±0        679 ✔️  ±0          43 💤  ±0       0 ±0
 17 222 runs    -815   12 266 ✔️  -550       4 956 💤  -265    0 ±0

Results for commit 3a812bb. ± Comparison against base commit 2df6e1e.

♻️ This comment has been updated with latest results.

@github-actions

github-actions bot commented Feb 26, 2022

Unit Test Results (with flaky tests)

    912 files   -8        912 suites  -8      9h 57m 34s ⏱️ -27m 26s
    722 tests   ±0        678 ✔️  ±0          43 💤  ±0       1 ±0
 19 844 runs    -146   13 956 ✔️  -67        5 887 💤  -79     1 ±0

For more details on these failures, see this check.

Results for commit 3a812bb. ± Comparison against base commit 2df6e1e.

♻️ This comment has been updated with latest results.

@EnricoMi EnricoMi force-pushed the branch-docker-vulnerability-scan branch from e0f66aa to 4a88b79 on March 1, 2022 16:16
Signed-off-by: Enrico Minack <github@enrico.minack.dev>
@EnricoMi EnricoMi marked this pull request as ready for review March 2, 2022 22:23
@EnricoMi EnricoMi force-pushed the branch-docker-vulnerability-scan branch from 4a88b79 to 5161ada on March 2, 2022 22:24
@EnricoMi EnricoMi force-pushed the branch-docker-vulnerability-scan branch from 5161ada to 3a812bb on March 3, 2022 07:59
@stale

stale bot commented May 5, 2022

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the wontfix label May 5, 2022
@stale stale bot closed this May 25, 2022