Generate a report of vulnerabilities for Kubeflow images #3907
Comments
|
Issue-Label Bot is automatically applying the label Links: app homepage, dashboard and code for this bot. |
|
/area manifests |
|
Is this a duplicate of kubeflow/testing#421 |
jlewi
changed the title
|
Vulnerability scanning is turned on in our GCR repositories. I think the next step would be to generate a report with a list of all the vulnerabilities for different images. I imagine the list of vulnerabilities can be fetched via GCP API from the GCR repository (tutorial). We probably don't want to look at all images in the registry but instead look through the applications based on kubeflow/manifests; identify the images for different applications and generate a list of vulnerabilities for those docker images. To start I would suggest focusing on the applications that are in scope for 1.0. List of applications in scope for 1.0. It would be great to look at the associated images and open up issues for any ones that have vulnerabilities that need to be fixed. @elviraux is this something you could help with? |
|
@jlewi 👍🏻 |
|
It looks like GCR will automatically show a list of vulnerabilities a long with the severity and whether there are fixes available. This is available just by going to the publicly accessible link. http://gcr.io/kubeflow-images-public/tensorflow-1.13.1-notebook-gpu Here's a screenshot This means for any images we build users can get a report just by going to the GCR link for the image. This wouldn't apply to images that we pull from other repositories like DockerHub/Quay (e.g. for Argo etc...). For 1.0 this seems reasonable to me because we are covering only the applications specifically built and maintained by the Kubeflow community. |
|
Do we need some privileges to see the vulnerabilities? |
|
@nrchakradhar Looks like you are right; the vulnerabilities aren't publicly visible. So we'll probably need to write some script to fetch them via API and publish them as a markdown doc. |
|
This page has scripts: https://cloud.google.com/container-registry/docs/get-image-vulnerabilities |
|
Started work on a CLI tool to fetch them via API: |
|
@swiftdiaries any update? |
|
I'm trying to setup a static site that would show vulnerabilities with the images. I hope to get it done by the end of the week. |
|
@swiftdiaries did you consider just checking in HTML or other output into GitHub? |
|
We do have one here from the tool: |
|
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
|
/lifecycle frozen |
|
Would this be covered by #5470? |
It will not. |
|
@naveensrinivasan I should have been more specific. What I should have said was, would the kubeflow/kubeflow repo be covered by your PR? |
|
/close done by @difince and merged to master |
|
@juliusvonkohout: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
Link to the script that reports all images. |
|
/reopen then for @difince |
|
@juliusvonkohout: Reopened this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/close this belongs to kubeflow/manifests and we have a GSOC student working on automatic CVE scanning with trivy |
|
@juliusvonkohout: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
Every kubeflow image should be scanned for security vulnerabilities.
It would be great to have a periodic security report.
Each of these images with vulnerability should be patched and updated.
The text was updated successfully, but these errors were encountered: