hub image: run apt-get upgrade by default to patch known vulns #2304
The official ubuntu image that we use as a base image for hub isn't updated so often, but various libraries in ubuntu are updated more often, and they quite often have fixes to known vulnerabilities in them. We have a system to detect if rebuilding the image fixes some known vulnerabilities, but in practice it requires a new ubuntu image to have been released, which is too seldom. So perhaps it's worth doing
apt-get upgrade -y
to patch some known vulnerabilities in between updates of the ubuntu image?

Image size?
I observed the image size grow from 625 to 631 which I assume is because some packages were upgraded, but overall it doesn't seem to make it grow substantially so I think this is worth it to more or less always end up with no known vulnerabilities whenever we rebuild the image.
Fixes known vulns?
I confirmed with trivy that doing this fixed known vulns that were observed, for example in #2269, to be unfixed after a rebuild.
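As an added illustration of the change the PR proposes (this is not the project's own Dockerfile and not code from the PR), the two stages below contrast a base image that only installs packages with one that first upgrades everything already present in the base layer. The image tag `ubuntu:22.04`, the package names and the stage names are assumptions chosen for the example.

```dockerfile
# Added example, not the project's Dockerfile. The tag, packages and
# stage names are placeholders.

# Before: only installs packages. Everything already in the base image
# (libc, openssl, ...) stays at the version the last ubuntu image push
# shipped, even if Ubuntu has since published security fixes for it.
FROM ubuntu:22.04 AS before
RUN apt-get update \
 && apt-get install -y --no-install-recommends ca-certificates curl \
 && rm -rf /var/lib/apt/lists/*

# After: upgrade the packages inherited from the base image in the same
# RUN as the install, so a rebuild picks up pending security updates.
# Keeping update/upgrade/install/cleanup in one instruction means the
# apt lists never land in a layer and the upgrade always runs against
# a fresh `apt-get update`, never a stale cached one.
FROM ubuntu:22.04 AS after
RUN apt-get update \
 && apt-get upgrade -y \
 && apt-get install -y --no-install-recommends ca-certificates curl \
 && rm -rf /var/lib/apt/lists/*
```

To compare the two, build each stage (`docker build --target before -t hub:before .` and likewise for `after`) and scan both with `trivy image --severity HIGH,CRITICAL hub:before` / `hub:after`; the `after` image should report fewer fixed-version findings. One caveat worth keeping in mind: the upgrade only runs when the RUN layer is actually rebuilt. A scheduled rebuild that hits the layer cache (unchanged instruction text) will silently reuse the old layer, so the rebuild job needs `--no-cache` or a cache-busting build argument for the upgrade to do anything, and the resulting image is no longer reproducible from the Dockerfile alone since it depends on what the Ubuntu archives served at build time.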