Remove some vulnerabilities from go modules #4506

Closed
brijesh-vora-sp opened this issue Sep 9, 2024 · 8 comments · Fixed by #4576 or #4580

Comments

@brijesh-vora-sp (Contributor):

Description:

There are quite a few vulnerabilities in Feast when I build the Docker image of the k8s materialization engine. They seem to be all Go related. Would appreciate at least removing the critical and high ones ASAP. Thanks.

| Severity | CVE ID | Package name & version |
|---|---|---|
| High | CVE-2021-3121 | github.com/gogo/protobuf v1.2.1 |
| High | CVE-2022-24450 | github.com/nats-io/nats-server/v2 v2.1.2 |
| High | CVE-2019-13126 | github.com/nats-io/nats-server/v2 v2.1.2 |
| High | CVE-2020-28466 | github.com/nats-io/nats-server/v2 v2.1.2 |
| High | CVE-2018-16886 | go.etcd.io/etcd v0.0.0-20191023171146-3cf2f69b5738 |
| Medium | CVE-2020-15106 | go.etcd.io/etcd v0.0.0-20191023171146-3cf2f69b5738 |
| Medium | CVE-2020-15112 | go.etcd.io/etcd v0.0.0-20191023171146-3cf2f69b5738 |
| Medium | CVE-2022-41727 | golang.org/x/image v0.0.0-20220302094943-723b81ca9867 |
| Medium | CVE-2023-29408 | golang.org/x/image v0.0.0-20220302094943-723b81ca9867 |
| Medium | CVE-2023-29407 | golang.org/x/image v0.0.0-20220302094943-723b81ca9867 |
| Critical | CVE-2020-26892 | github.com/nats-io/jwt v0.3.2 |
| High | CVE-2021-3127 | github.com/nats-io/jwt v0.3.2 |
| High | CVE-2020-26521 | github.com/nats-io/jwt v0.3.2 |
| Medium | CVE-2022-2582 | github.com/aws/aws-sdk-go v1.27.0 |
| Medium | CVE-2020-8911 | github.com/aws/aws-sdk-go v1.27.0 |
| Low | CVE-2020-8912 | github.com/aws/aws-sdk-go v1.27.0 |
| High | CVE-2020-26160 | github.com/dgrijalva/jwt-go v3.2.0+incompatible |
| Medium | CVE-2019-19794 | github.com/miekg/dns v1.0.14 |
| High | CVE-2022-21698 | github.com/prometheus/client_golang v1.3.0 |
| High | CVE-2020-27813 | github.com/gorilla/websocket v0.0.0-20170926233335-4201258b820c |

Possible Solution

Upgrade packages?
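Before bumping anything it is worth checking what the module graph actually resolves each flagged module to, since a `replace` directive or a newer transitive requirement may already sit past the version the scanner reported. The program below is an added example, not code from the issue's participants or from the Feast repository: it decodes `go list -m -json all` output and compares each flagged module's effective version with the scanned one, treating pseudo-versions (`v0.0.0-<timestamp>-<hash>`) as prereleases and ignoring `+incompatible` build metadata. The module graph embedded in it (module path `example.com/materialization-engine`, the `replace` of `nats-io/jwt`, the `x/image` version) is constructed for the example and is not a claim about which release fixes any CVE; the findings are copied from the table above.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"strconv"
	"strings"
)

// Module mirrors the `go list -m -json all` fields used here.
type Module struct {
	Path, Version string
	Main          bool
	Replace       *Module
}

type Finding struct{ CVE, Path, Version string }

// Constructed `go list -m -json all` output, not a real Feast module graph; versions are illustrative.
const sampleGoList = `{"Path":"example.com/materialization-engine","Main":true}
{"Path":"github.com/gogo/protobuf","Version":"v1.2.1"}
{"Path":"golang.org/x/image","Version":"v0.18.0"}
{"Path":"github.com/nats-io/jwt","Version":"v0.3.2","Replace":{"Path":"github.com/nats-io/jwt","Version":"v1.2.2"}}`

// Findings copied from the scanner table in the issue above.
var sampleFindings = []Finding{
	{"CVE-2021-3121", "github.com/gogo/protobuf", "v1.2.1"},
	{"CVE-2022-41727", "golang.org/x/image", "v0.0.0-20220302094943-723b81ca9867"},
	{"CVE-2020-26892", "github.com/nats-io/jwt", "v0.3.2"},
	{"CVE-2022-24450", "github.com/nats-io/nats-server/v2", "v2.1.2"},
}

// versionKey maps a module version to a string whose byte order is semver order: zero-padded
// numbers, then "~" for a release (sorts after any "-prerelease"). A pseudo-version is a
// prerelease of v0.0.0 whose fixed-width timestamp orders correctly as text; "+incompatible" is dropped.
func versionKey(v string) string {
	v = strings.TrimPrefix(v, "v")
	if i := strings.Index(v, "+"); i >= 0 {
		v = v[:i]
	}
	pre := "~"
	if i := strings.Index(v, "-"); i >= 0 {
		v, pre = v[:i], "-"+v[i+1:]
	}
	var nums [3]int
	for i, p := range strings.SplitN(v, ".", 3) {
		nums[i], _ = strconv.Atoi(p)
	}
	return fmt.Sprintf("%010d.%010d.%010d%s", nums[0], nums[1], nums[2], pre)
}

// CompareVersions returns -1, 0 or 1 like strings.Compare, in semver order.
func CompareVersions(a, b string) int { return strings.Compare(versionKey(a), versionKey(b)) }

// ParseModuleList decodes the stream of JSON objects that `go list -m -json all` prints.
func ParseModuleList(r io.Reader) ([]Module, error) {
	var mods []Module
	for dec := json.NewDecoder(r); ; {
		var m Module
		if err := dec.Decode(&m); err == io.EOF {
			return mods, nil
		} else if err != nil {
			return nil, err
		}
		mods = append(mods, m)
	}
}

// Triage reports, per CVE, whether the graph still resolves the module at or below the
// flagged version. A replace directive wins because that is what actually gets built.
func Triage(mods []Module, findings []Finding) map[string]string {
	resolved := map[string]string{}
	for _, m := range mods {
		if m.Replace != nil && m.Replace.Version != "" {
			m.Version = m.Replace.Version
		}
		if !m.Main {
			resolved[m.Path] = m.Version
		}
	}
	out := map[string]string{}
	for _, f := range findings {
		switch v, ok := resolved[f.Path]; {
		case !ok:
			out[f.CVE] = "not in module graph"
		case CompareVersions(v, f.Version) <= 0:
			out[f.CVE] = "still affected at " + v
		default:
			out[f.CVE] = "upgraded to " + v
		}
	}
	return out
}

func main() {
	mods, err := ParseModuleList(strings.NewReader(sampleGoList))
	if err != nil {
		panic(err)
	}
	fmt.Println(Triage(mods, sampleFindings))
}
```

Run `go list -m -json all > mods.json` in the Go module directory and feed that file instead of the embedded sample. For anything still reported as affected, `go mod why -m <path>` shows which direct dependency pulls the module in, which is what decides whether a `go get <path>@<version>` on its own is enough or an upstream dependency has to move first. Prerelease tags other than pseudo-versions are compared as plain strings here, which is fine for timestamps but not strictly semver for tags like `rc10`.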

@tokoko (Collaborator) commented Sep 9, 2024

@EXPEbdodla Let me use this opportunity to involve you here. So far we have been steering clear of the go codebase as (at least my) assumption is that the best path forward would be to upstream the changes from your fork instead of diverging in any way. I realize we have never really discussed that though 😄 Is upstreaming also what you're working towards?

shuchu self-assigned this Sep 21, 2024

@shuchu (Collaborator) commented Sep 21, 2024

@EXPEbdodla which version did you check for this list of vulns? In the latest version (0.40.1), I didn't see the package github.com/gogo/protobuf v1.2.1.

@EXPEbdodla (Contributor):

We are using google.golang.org/protobuf v1.34.2 version.

@tokoko We can do that. But we have a backlog item for using endpoint from feature_store.yaml for transformation server calls. Once we fix that, we can do that. And we also use Datadog for our monitoring. It's added in code. Easy to resolve.

@shuchu (Collaborator) commented Sep 24, 2024

Sorry, it seems I asked the wrong person the question... my bad, @EXPEbdodla. Apologies for this.
@brijesh-vora-sp which Feast version are you using to build the materialization engine?

@brijesh-vora-sp (Contributor, Author):

@shuchu I believe it was up to this commit, c42d9fd, if I am not mistaken. This vulnerability list was generated using CrowdStrike. Not sure where the github.com/gogo/protobuf one is coming from.

@brijesh-vora-sp (Contributor, Author) commented Sep 24, 2024

OK, so I cloned the repo and created a Docker image from master (e675cbd) on 09/23. Checked vulnerabilities again. Here are the updated ones:

| Severity | ExPRT rating | CVE ID | CVSS score | Package name & version | Layer |
|---|---|---|---|---|---|
| Medium | Medium | CVE-2024-8096 | 6.5 | curl 7.74.0-1.3+deb11u13 | A |
| Medium | Low | CVE-2023-28320 | 5.9 | curl 7.74.0-1.3+deb11u13 | A |
| Medium | Medium | CVE-2024-2379 | 5.4 | curl 7.74.0-1.3+deb11u13 | A |
| Medium | Low | CVE-2021-22922 | 6.5 | curl 7.74.0-1.3+deb11u13 | A |
| Medium | Low | CVE-2023-23915 | 6.5 | curl 7.74.0-1.3+deb11u13 | A |
| Medium | Low | CVE-2021-22923 | 5.3 | curl 7.74.0-1.3+deb11u13 | A |
| Critical | Low | CVE-2023-23914 | 9.1 | curl 7.74.0-1.3+deb11u13 | A |
| Medium | Medium | CVE-2023-46219 | 5.3 | curl 7.74.0-1.3+deb11u13 | A |
| High | Medium | CVE-2022-43551 | 7.5 | curl 7.74.0-1.3+deb11u13 | A |
| High | Low | CVE-2022-42916 | 7.5 | curl 7.74.0-1.3+deb11u13 | A |
| High | Low | CVE-2018-1000021 | 8.8 | git 1:2.30.2-1+deb11u3 | A |
| Low | Low | CVE-2024-32020 | 3.9 | git 1:2.30.2-1+deb11u3 | A |
| High | Low | CVE-2022-24975 | 7.5 | git 1:2.30.2-1+deb11u3 | A |
| Medium | Low | CVE-2023-4641 | 5.5 | shadow 1:4.8.1-1 | A |
| Low | Medium | CVE-2023-29383 | 3.3 | shadow 1:4.8.1-1 | A |
| Medium | Low | CVE-2013-4235 | 4.7 | shadow 1:4.8.1-1 | A |
| High | Low | CVE-2019-19882 | 7.8 | shadow 1:4.8.1-1 | A |
| Medium | Low | CVE-2007-5686 | 4.9 | shadow 1:4.8.1-1 | A |
| Medium | Medium | CVE-2023-4039 | 4.8 | gcc-10 10.2.1-6 | A |
| High | Low | CVE-2022-1304 | 7.8 | e2fsprogs 1.46.2-2 | A |
| High | Low | CVE-2022-3715 | 7.8 | bash 5.1-2+deb11u1 | A |
| High | Medium | CVE-2024-26458 | 8.6 | krb5 1.18.3-6+deb11u5 | A |
| High | Low | CVE-2018-5709 | 7.5 | krb5 1.18.3-6+deb11u5 | A |
| High | Low | CVE-2024-26461 | 7.5 | krb5 1.18.3-6+deb11u5 | A |
| Medium | Medium | CVE-2024-22365 | 5.5 | pam 1.4.0-9+deb11u1 | A |
| Critical | Low | CVE-2019-8457 | 9.8 | db5.3 5.3.28+dfsg1-0.8 | A |
| High | Low | CVE-2011-4116 | 7.5 | perl 5.32.1-4+deb11u3 | A |
| High | Medium | CVE-2020-16156 | 7.8 | perl 5.32.1-4+deb11u3 | A |
| High | Low | CVE-2023-31486 | 8.1 | perl 5.32.1-4+deb11u3 | A |
| High | Low | CVE-2023-31484 | 8.1 | perl 5.32.1-4+deb11u3 | A |
| High | Medium | CVE-2023-45918 | 8.8 | ncurses 6.2+20201114-2+deb11u2 | A |
| Medium | Low | CVE-2023-50495 | 6.5 | ncurses 6.2+20201114-2+deb11u2 | A |
| High | Low | CVE-2005-2541 | 10 | tar 1.34+dfsg-1+deb11u1 | A |
| Medium | Medium | CVE-2023-4039 | 4.8 | gcc-9 9.3.0-22 | A |
| High | Low | CVE-2015-3276 | 7.5 | openldap 2.4.57+dfsg-3+deb11u1 | A |
| High | Low | CVE-2017-17740 | 7.5 | openldap 2.4.57+dfsg-3+deb11u1 | A |
| Medium | Low | CVE-2017-14159 | 4.7 | openldap 2.4.57+dfsg-3+deb11u1 | A |
| Medium | Low | CVE-2020-15719 | 4.2 | openldap 2.4.57+dfsg-3+deb11u1 | A |
| High | Low | CVE-2023-2953 | 7.5 | openldap 2.4.57+dfsg-3+deb11u1 | A |
| High | Low | CVE-2021-36690 | 7.5 | sqlite3 3.34.1-3 | A |
| High | Low | CVE-2023-7104 | 7.3 | sqlite3 3.34.1-3 | A |
| High | Low | CVE-2021-31239 | 7.5 | sqlite3 3.34.1-3 | A |
| Medium | Low | CVE-2021-45346 | 4.3 | sqlite3 3.34.1-3 | A |
| High | Low | CVE-2022-35737 | 7.5 | sqlite3 3.34.1-3 | A |
| Medium | Low | CVE-2022-0563 | 5.5 | util-linux 2.36.1-8+deb11u2 | A |
| Medium | Low | CVE-2016-2781 | 6.5 | coreutils 8.32-4 | A |
| Medium | Low | CVE-2017-18018 | 4.7 | coreutils 8.32-4 | A |
| High | Low | CVE-2019-9192 | 7.5 | glibc 2.31-13+deb11u11 | A |
| High | Low | CVE-2018-20796 | 7.5 | glibc 2.31-13+deb11u11 | A |
| Medium | Low | CVE-2019-1010024 | 5.3 | glibc 2.31-13+deb11u11 | A |
| Medium | Low | CVE-2019-1010025 | 5.3 | glibc 2.31-13+deb11u11 | A |
| Critical | Low | CVE-2019-1010022 | 9.8 | glibc 2.31-13+deb11u11 | A |
| Medium | Low | CVE-2023-4813 | 5.9 | glibc 2.31-13+deb11u11 | A |
| Medium | Low | CVE-2019-1010023 | 5.4 | glibc 2.31-13+deb11u11 | A |
| Medium | Low | CVE-2023-4806 | 5.9 | glibc 2.31-13+deb11u11 | A |
| Medium | Low | CVE-2010-4756 | 4 | glibc 2.31-13+deb11u11 | A |
| Medium | Low | CVE-2024-28182 | 5.3 | nghttp2 1.43.0-1+deb11u1 | A |
| Medium | High | CVE-2011-3389 | 4.3 | gnutls28 3.7.1-5+deb11u5 | A |
| Medium | Low | CVE-2024-28835 | 5 | gnutls28 3.7.1-5+deb11u5 | A |
| Medium | Low | CVE-2024-28834 | 5.3 | gnutls28 3.7.1-5+deb11u5 | A |
| Low | Low | CVE-2021-36086 | 3.3 | libsepol 3.1-1 | A |
| Low | Low | CVE-2021-36084 | 3.3 | libsepol 3.1-1 | A |
| Low | Low | CVE-2021-36087 | 3.3 | libsepol 3.1-1 | A |
| Low | Low | CVE-2021-36085 | 3.3 | libsepol 3.1-1 | A |
| Medium | Low | CVE-2020-13529 | 6.1 | systemd 247.3-7+deb11u6 | A |
| Medium | Low | CVE-2023-31439 | 5.3 | systemd 247.3-7+deb11u6 | A |
| Medium | Low | CVE-2023-31438 | 5.3 | systemd 247.3-7+deb11u6 | A |
| Low | Low | CVE-2013-4392 | 3.3 | systemd 247.3-7+deb11u6 | A |
| Medium | Low | CVE-2023-31437 | 5.3 | systemd 247.3-7+deb11u6 | A |
| High | Low | CVE-2017-11164 | 7.5 | pcre3 2:8.39-13 | A |
| High | Low | CVE-2017-7246 | 7.8 | pcre3 2:8.39-13 | A |
| High | Low | CVE-2017-7245 | 7.8 | pcre3 2:8.39-13 | A |
| Medium | Low | CVE-2017-16231 | 5.5 | pcre3 2:8.39-13 | A |
| High | Low | CVE-2019-20838 | 7.5 | pcre3 2:8.39-13 | A |
| Low | Low | CVE-2011-3374 | 3.7 | apt 2.2.4 | A |
| Medium | Low | CVE-2023-52426 | 5.5 | expat 2.2.10-2+deb11u5 | A |
| Medium | Low | CVE-2013-0340 | 6.8 | expat 2.2.10-2+deb11u5 | A |
| Critical | Medium | CVE-2024-45491 | 9.8 | expat 2.2.10-2+deb11u5 | A |
| High | Low | CVE-2023-52425 | 7.5 | expat 2.2.10-2+deb11u5 | A |
| High | Low | CVE-2024-28757 | 7.5 | expat 2.2.10-2+deb11u5 | A |
| Critical | Medium | CVE-2024-45492 | 9.8 | expat 2.2.10-2+deb11u5 | A |
| Critical | Medium | CVE-2024-45490 | 9.8 | expat 2.2.10-2+deb11u5 | A |
| Medium | Low | CVE-2024-0727 | 5.5 | openssl 1.1.1w-0+deb11u1 | A |
| Critical | High | CVE-2024-5535 | 9.1 | openssl 1.1.1w-0+deb11u1 | A |
| Low | Low | CVE-2024-2511 | 3.7 | openssl 1.1.1w-0+deb11u1 | A |
| Medium | Low | CVE-2024-4741 | 5.6 | openssl 1.1.1w-0+deb11u1 | A |
| Medium | Low | CVE-2023-5678 | 5.3 | openssl 1.1.1w-0+deb11u1 | A |
| High | Low | CVE-2018-6829 | 7.5 | libgcrypt20 1.8.7-6 | A |
| High | Low | CVE-2021-33560 | 7.5 | libgcrypt20 1.8.7-6 | A |
| Medium | Low | CVE-2024-2236 | 5.9 | libgcrypt20 1.8.7-6 | A |
| Low | Low | CVE-2022-3219 | 3.3 | gnupg2 2.2.27-2+deb11u2 | A |
| Critical | Low | CVE-2023-45853 | 9.8 | zlib 1:1.2.11.dfsg-2+deb11u2 | A |
| High | Low | CVE-2022-41409 | 7.5 | pcre2 10.36-2+deb11u1 | A |
| High | Low | CVE-2022-4899 | 7.5 | libzstd 1.4.8+dfsg-2.1 | A |
| High | High | CVE-2024-6345 | 8.8 | setuptools 65.5.1 | B |

Layer commands as recorded in the image history:

Layer A (every row except setuptools), the `apt-get install git` step:

```dockerfile
RUN /bin/sh -c apt-get update && apt-get install --no-install-suggests --no-install-recommends --yes git # buildkit
```

Layer B (setuptools row), the step that builds Python from source and pins `setuptools==65.5.1`:

```dockerfile
RUN /bin/sh -c set -eux; savedAptMark="$(apt-mark showmanual)"; apt-get update; apt-get install -y --no-install-recommends dpkg-dev gcc gnupg libbluetooth-dev libbz2-dev libc6-dev libdb-dev libexpat1-dev libffi-dev libgdbm-dev liblzma-dev libncursesw5-dev libreadline-dev libsqlite3-dev libssl-dev make tk-dev uuid-dev wget xz-utils zlib1g-dev ; wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GPG_KEY"; gpg --batch --verify python.tar.xz.asc python.tar.xz; gpgconf --kill all; rm -rf "$GNUPGHOME" python.tar.xz.asc; mkdir -p /usr/src/python; tar --extract --directory /usr/src/python --strip-components=1 --file python.tar.xz; rm python.tar.xz; cd /usr/src/python; gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; ./configure --build="$gnuArch" --enable-loadable-sqlite-extensions --enable-optimizations --enable-option-checking=fatal --enable-shared --with-lto --with-system-expat --with-ensurepip ; nproc="$(nproc)"; EXTRA_CFLAGS="$(dpkg-buildflags --get CFLAGS)"; LDFLAGS="$(dpkg-buildflags --get LDFLAGS)"; LDFLAGS="${LDFLAGS:--Wl},--strip-all"; make -j "$nproc" "EXTRA_CFLAGS=${EXTRA_CFLAGS:-}" "LDFLAGS=${LDFLAGS:-}" "PROFILE_TASK=${PROFILE_TASK:-}" ; rm python; make -j "$nproc" "EXTRA_CFLAGS=${EXTRA_CFLAGS:-}" "LDFLAGS=${LDFLAGS:--Wl},-rpath='$$ORIGIN/../lib'" "PROFILE_TASK=${PROFILE_TASK:-}" python ; make install; cd /; rm -rf /usr/src/python; find /usr/local -depth \( \( -type d -a \( -name test -o -name tests -o -name idle_test \) \) -o \( -type f -a \( -name '*.pyc' -o -name '*.pyo' -o -name 'libpython*.a' \) \) \) -exec rm -rf '{}' + ; ldconfig; apt-mark auto '.*' > /dev/null; apt-mark manual $savedAptMark; find /usr/local -type f -executable -not \( -name '*tkinter*' \) -exec ldd '{}' ';' | awk '/=>/ { so = $(NF-1); if (index(so, "/usr/local/") == 1) { next }; gsub("^/(usr/)?", "", so); printf "%s\n", so }' | sort -u | xargs -r dpkg-query --search | cut -d: -f1 | sort -u | xargs -r apt-mark manual ; apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; rm -rf /var/lib/apt/lists/*; export PYTHONDONTWRITEBYTECODE=1; python3 --version; pip3 install --disable-pip-version-check --no-cache-dir --no-compile 'setuptools==65.5.1' wheel ; pip3 --version # buildkit
```
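A quick way to confirm where the Debian findings come from (the base image, the `apt-get install git` layer, or something outside dpkg such as the pinned setuptools) is to compare the package list of the base image with that of the built image and classify each scanner row against both. The program below is an added example, not code from the issue's participants or from the Feast repository. The two dpkg listings embedded in it are constructed for illustration and the image name in its comment is an assumption; the findings are copied from the table above, with the scanner's ExPRT column used as the rating.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// PkgFinding is one scanner row: Debian source package, its version, the CVE and its rating.
type PkgFinding struct{ CVE, Package, Version, Rating string }

// Constructed dpkg listings, not real image contents. Produce real ones with
//   docker run --rm python:3.11 dpkg-query -W -f='${source:Package} ${source:Version}\n' | sort -u
// for the base image (image name assumed) and the same command against the built image;
// ${source:Package} yields source-package names (glibc, expat), which is what the scanner
// table above reports, rather than binary package names (libc6, libexpat1).
const sampleBase = `curl 7.74.0-1.3+deb11u13
expat 2.2.10-2+deb11u5
glibc 2.31-13+deb11u11
openssl 1.1.1w-0+deb11u1`

const sampleBuilt = sampleBase + "\ngit 1:2.30.2-1+deb11u3\nperl 5.32.1-4+deb11u3"

// Findings copied from the scanner table above; Rating is the scanner's ExPRT column.
var sampleFindings = []PkgFinding{
	{"CVE-2024-45490", "expat", "2.2.10-2+deb11u5", "Medium"},
	{"CVE-2024-5535", "openssl", "1.1.1w-0+deb11u1", "High"},
	{"CVE-2019-1010022", "glibc", "2.31-13+deb11u11", "Low"},
	{"CVE-2018-1000021", "git", "1:2.30.2-1+deb11u3", "Low"},
	{"CVE-2024-6345", "setuptools", "65.5.1", "High"},
}

// ParseDpkgList turns "source-package version" lines into a package -> version map.
func ParseDpkgList(listing string) map[string]string {
	pkgs := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(listing))
	for sc.Scan() {
		if f := strings.Fields(sc.Text()); len(f) == 2 {
			pkgs[f[0]] = f[1]
		}
	}
	return pkgs
}

// Origin says who has to act on a finding:
//   "base"     the package is in the base image at the scanned version: bump the base tag
//   "layer"    the package was added or changed by this Dockerfile: fix the Dockerfile
//   "not-dpkg" not a Debian package in the built image (pip, vendored): fix the build step
//   "stale"    the built image carries a different version than the scan: rescan first
func Origin(base, built map[string]string, f PkgFinding) string {
	switch v, ok := built[f.Package]; {
	case !ok:
		return "not-dpkg"
	case v != f.Version:
		return "stale"
	case base[f.Package] == f.Version:
		return "base"
	}
	return "layer"
}

// Summarize counts findings per origin and rating, so the two remediation paths
// (new base image vs. Dockerfile change) can be prioritised separately.
func Summarize(base, built map[string]string, findings []PkgFinding) map[string]map[string]int {
	out := map[string]map[string]int{}
	for _, f := range findings {
		o := Origin(base, built, f)
		if out[o] == nil {
			out[o] = map[string]int{}
		}
		out[o][f.Rating]++
	}
	return out
}

func main() {
	base, built := ParseDpkgList(sampleBase), ParseDpkgList(sampleBuilt)
	for _, f := range sampleFindings {
		fmt.Printf("%-16s %-11s %-7s %s\n", f.CVE, f.Package, f.Rating, Origin(base, built, f))
	}
	fmt.Println(Summarize(base, built, sampleFindings))
}
```

Findings in the "base" bucket cannot be fixed from this repository's Dockerfile at all; they only go away with a newer base tag (or a rebuild of the base image after Debian ships the fix), which is the check behind the request to move to a less vulnerable python image. The "stale" bucket catches the common case of comparing an old scan against a freshly built image.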

@brijesh-vora-sp (Contributor, Author):

Most of these are coming from the python3.11 image used. Can you update that to the latest non-vulnerable image?

The image below is from Docker Desktop. So after building the image you can check in the vulnerabilities section whether there are any.

[image: Docker Desktop vulnerabilities view]

@shuchu (Collaborator) commented Sep 25, 2024

Thank you for all the details, @brijesh-vora-sp , let me work on this.
