
alpine image security updates/upgrades #1603

Closed
petolexa opened this issue Jun 24, 2021 · 5 comments

@petolexa

Hi,

we started to store images in Harbor in our company internally (because k8s clusters do not have external network access).
And one of Harbor's functionalities is that it scans for vulnerabilities. In the case of the apicurio-registry-kafkasql 2.0.1.Final docker image it means this:
[image: Harbor vulnerability scan result for the 2.0.1.Final image]

All vulnerabilities are fixed in later updates of the Alpine distro, but the image used for the apicurio-registry images seems to have been discontinued for a few months.

So I wanted to ask a few questions about it:

  • Is there a high chance that we can break something running apk upgrade in the image? I mean, do you preserve this specific image for a specific reason?
  • Is there a chance that you can add apk upgrade to the image packaging process?

Thank you,
Peter

@EricWittmann
Member

You should be fine upgrading. I do not think we are pinned to a specific version for any reason - likely we just haven't refreshed it since we created the docker image originally.

@riprasad what do you think about upgrading our upstream docker images to some more recent ones to address CVEs?

@riprasad
Member

riprasad commented Jun 29, 2021

@petolexa You'd be glad to know that we have moved away from using the deprecated image for building our docker images. We now use the base image from the Red Hat Container Catalogue, where images are continuously monitored for health and updates are pushed to address the known vulnerabilities and exposures.

[screenshot from 2021-06-29 14-52-37]

You can have a look at the updated Dockerfile for kafkasql here.

@EricWittmann I probably missed applying the changes to the 2.0.x branch. I have pushed the changes to the branch and we can now probably work on releasing upgraded images.

@petolexa
Author

I should have linked the code that shows the image used for this specific 2.0.1.Final version in my original message, my bad.

Thank you both for your detailed answers and for positive information.

@riprasad
Member

riprasad commented Jun 29, 2021

@petolexa We have upgraded the images for 2.0.1.Final. Could you store the latest image in Harbor and check the vulnerability severity? I would be particularly interested in knowing what Harbor has to report for these new images.

@petolexa
Author

Hi @riprasad, it seems that the image for 2.0.1.Final on Docker Hub is still on Alpine. Even though I see an update from yesterday, if I run the image, I see:

/ # cat /etc/os-release
NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.11.6
PRETTY_NAME="Alpine Linux v3.11"
BUG_REPORT_URL="https://bugs.alpinelinux.org/"

The size corresponds to Alpine as well (approx. 160MB compared to UBI with approx. 250MB).

So I tried the latest-snapshot image and it shows Red Hat:

[jboss@cf7d3b301646 ~]$ cat /etc/os-release
VERSION="8.4 (Ootpa)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="8.4"
PLATFORM_ID="platform:el8"
PRETTY_NAME="Red Hat Enterprise Linux 8.4 (Ootpa)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:redhat:enterprise_linux:8.4:GA"

I pushed this latest snapshot to our Harbor and it has 0 critical and only 6 High severity issues (compared to 1+23 in the older Alpine image):
[image: Harbor vulnerability scan result for the latest-snapshot image]

From my point of view, it is good :) At least in the latest-snapshot. For 2.0.1.Final we are okay with the older Alpine, as we know that the image for the next versions will be more secure.

Thank you for your time,
Peter
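The check done by hand in the last comment (run the image, read /etc/os-release, see whether the tag really moved from Alpine to the UBI base) is easy to script so it can run against every tag you mirror into Harbor. The script below is an added example, not code from the apicurio-registry project or from anyone in this thread; the two sample os-release texts are constructed copies of the outputs quoted above, and the `image_os_release` helper assumes a working `docker` CLI on the host.

```shell
#!/bin/sh
# Added example: parse /etc/os-release text and verify that an image is built
# on the base OS you expect (e.g. "rhel" after the switch away from Alpine).

# os_release_field FIELD
#   Reads os-release text on stdin and prints the value of FIELD with
#   surrounding double quotes stripped (os-release allows both quoted and bare).
os_release_field() {
    field="$1"
    sed -n "s/^${field}=//p" | head -n 1 | sed 's/^"//; s/"$//'
}

# base_os_summary
#   Reads os-release text on stdin and prints "ID VERSION_ID" on one line.
base_os_summary() {
    text=$(cat)
    os_id=$(printf '%s\n' "$text" | os_release_field ID)
    os_ver=$(printf '%s\n' "$text" | os_release_field VERSION_ID)
    printf '%s %s\n' "$os_id" "$os_ver"
}

# check_expected_base EXPECTED_ID
#   Reads os-release text on stdin; succeeds only if ID equals EXPECTED_ID.
#   Use this as a gate before promoting a mirrored tag.
check_expected_base() {
    expected="$1"
    actual=$(os_release_field ID)
    [ "$actual" = "$expected" ]
}

# image_os_release IMAGE
#   Live use (assumes the docker CLI): print /etc/os-release from a container
#   without running the image's own entrypoint.
image_os_release() {
    docker run --rm --entrypoint cat "$1" /etc/os-release
}

# Constructed sample inputs, copied from the two outputs quoted in this thread.
ALPINE_RELEASE='NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.11.6
PRETTY_NAME="Alpine Linux v3.11"
BUG_REPORT_URL="https://bugs.alpinelinux.org/"'

RHEL_RELEASE='VERSION="8.4 (Ootpa)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="8.4"
PLATFORM_ID="platform:el8"
PRETTY_NAME="Red Hat Enterprise Linux 8.4 (Ootpa)"'

# Offline demonstration on the two samples.
printf 'old 2.0.1.Final tag: %s\n' "$(printf '%s\n' "$ALPINE_RELEASE" | base_os_summary)"
printf 'latest-snapshot tag: %s\n' "$(printf '%s\n' "$RHEL_RELEASE" | base_os_summary)"
if printf '%s\n' "$ALPINE_RELEASE" | check_expected_base rhel; then
    echo "old tag: base OS as expected"
else
    echo "old tag: base OS is NOT the expected rhel base"
fi
```

Against a real registry you would replace the samples with `image_os_release "$IMAGE" | check_expected_base rhel` for each tag before it is allowed into Harbor; the os-release check is cheap and catches exactly the situation in this thread, where a tag was rebuilt but still carried the old base.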
