GCR detects vulnerabilities (0 critical) in elsdoerfer/k8s-snapshots:v2.0

[mrtyler]

This is mostly an FYI for the maintainers and for users that the current upstream v2.0 image has some vulnerabilities according to the Google Container Registry vulnerability scanner:

Critical 0
High 176
Medium 457

Certainly, some of these vulnerabilities are not meaningful in the context of a Docker container running k8s-snapshots, e.g. an openssh vulnerability which "allows remote attackers to execute arbitrary local PKCS#11 modules by leveraging control over a forwarded agent-socket".

I rebuilt current master (b21015c) on top of the latest python:3.6 image. Doing this reduces the total to High 26, Medium 147.

I tried to build current master with python:3.6-alpine but it didn't work (I didn't dig any further):

ERROR: Could not build wheels for aiohttp which use PEP 517 and cannot be installed directly

I also tried with python:37-alpine (same buildtime error as above) and python:37 (runtime error: TypeError: 'async for' received an object from _aiter_ that does not implement _anext_: generator).

Feel free to close this if it isn't helpful. My team thought we should pass on what we'd noticed and learned. Thanks for k8s-snapshots. :)

[glesperance]

@mrtyler have you tried using the dev image instead? the 2.0 tag seems to be really outdated.

[glesperance]

Actually @mrtyler I managed to make it work with alpine ; see PR #82

[miracle2k]

Thanks for the PR, I've merged it. I'm not sure about how feasible it is chase the security scanner reports, since as you say, some of them may not be applicable/exploitable, but certainly some might be, and we should rebuild the image regularly with available fixes.

I am assuming with an alpine-base and the latest versions, the situation now looks better, but please open another PR if more can be done.