Skip to content

Automatically updating dependencies in docker build#74

Merged
eli-darkly merged 1 commit intolaunchdarkly:contribfrom
e96wic:dependency-upgrade
Sep 19, 2019
Merged

Automatically updating dependencies in docker build#74
eli-darkly merged 1 commit intolaunchdarkly:contribfrom
e96wic:dependency-upgrade

Conversation

@e96wic
Copy link

@e96wic e96wic commented Sep 16, 2019

No description provided.

@bwoskow-ld
Copy link
Member

bwoskow-ld commented Sep 16, 2019

Hi @e96wic,

Thanks for your submission!

In general, I have a concern about modifying the Dockerfile such that it can automatically update dependencies. With this change, it would theoretically be possible for the Docker image to work properly for some period of time, and then at a later time (after some dependency updates were detected and installed), for the image to stop functioning correctly. I would much prefer for dependencies to be updated through upgrading to a newer base image.

Is there a specific dependency you're looking to upgrade, and if so, which one and why?

Cheers,
Ben

@e96wic
Copy link
Author

e96wic commented Sep 17, 2019

Hi @bwoskow-ld,

our internal monitoring showed that the 5.6.1 image has 3 vulnerabilities:
musl (used in musl-utils, musl) version 1.1.18-r3 has 1 vulnerability (CVE-2019-14697)
busybox (used in ssl_client, busybox) version 1.27.2-r11 has 2 vulnerabilities (CVE-2018-20679)

I managed to fix the first one with this commit. I just saw that you're using alpine as base image for the final container. I overlooked that when I created the PR. I'll give updating that one a shot!

@e96wic
Copy link
Author

e96wic commented Sep 17, 2019

That actually fixed all the security issues. :)

@bwoskow-ld
Copy link
Member

bwoskow-ld commented Sep 17, 2019

Excellent! The updated changes are more in line with what I'd expect.

We currently have a test failure on our Go 1.8 CI branch due to a known issue -- we're using a dependency with an unpinned version, and the latest version of that dependency introduced an incompatibility with Go 1.8. As soon as we fix that issue, we'll be able to verify that bumping to the new alpine base image version is fine and move forward with your pull request.

@bwoskow-ld bwoskow-ld changed the base branch from v5 to contrib September 17, 2019 23:51
@eli-darkly eli-darkly merged commit f8b7aa0 into launchdarkly:contrib Sep 19, 2019
@LaunchDarklyCI LaunchDarklyCI mentioned this pull request Sep 19, 2019
Merged
@e96wic e96wic deleted the dependency-upgrade branch September 19, 2019 07:42
@ccgagnon
Copy link

ccgagnon commented Oct 31, 2019

Hi, is this alpine image version bump will go in the next release soon? CVE-2019-14697 is big concern for us and we will not use this in prod until it's fixed.

@bwoskow-ld
Copy link
Member

bwoskow-ld commented Oct 31, 2019

@ccgagnon -- this was released in 5.7.0.

@ccgagnon
Copy link

ccgagnon commented Nov 1, 2019

@bwoskow-ld Our internal monitoring still detect CVE-2019-14697 in the latest 5.8.0 image. Does Dockerfile.goreleaser should also be updated with alpine 3.10.2?

@bwoskow-ld
Copy link
Member

bwoskow-ld commented Nov 5, 2019

@ccgagnon you're right -- this should be updated in Dockerfile.goreleaser for the change to take effect. This is the dockerfile used for released artifacts. The dockerfile updated in this pull request is only used for development purposes.

I'll commit this change and will include it in the next Relay release.

@bwoskow-ld
Copy link
Member

bwoskow-ld commented Nov 5, 2019

@ccgagnon this is fixed in 5.8.1.

@ccgagnon
Copy link

ccgagnon commented Nov 7, 2019

Thx @bwoskow-ld!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@e96wic @bwoskow-ld @ccgagnon @eli-darkly