You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
FROM --platform=linux/${ARCH} gcr.io/distroless/static-debian12@sha256:3f2b64ef97bd285e36132c684e6b2ae8f2723293d09aae046196cca64251acac
ADD etcd /usr/local/bin/
ADD etcdctl /usr/local/bin/
ADD etcdutl /usr/local/bin/
It will scan the base image we're using and the etcd static binaries, as there's nothing else we're installing in the Docker image.
Our image uses gcr.io/distroless/static-debian12, already stripped down from libraries, external dependencies, etc. We also keep this image up to date with Dependabot, so having this as a CI job is highly likely never to find a vulnerability. It's still possible that it will find a vulnerability as soon as the CVE is published. However, the current configuration has the severity set to CRITICAL,HIGH. Because when new vulnerabilities are published their severity is UNKNOWN, the workflow is very likely never to fail.
The second part of the scan checks the compiled static binaries. As I mentioned in github workflows: remove release tests #19358, this check duplicates govulncheck. As it checks for vulnerabilities in Golang's stdlib, and following the previous point, it won't fail because initially the CVEs have an UNKNOWN severity. Contrary to govulncheck, it fails without analyzing the severity (and govuln only fails if we're directly affected, and it also checks all of the dependencies, not just Golang's).
Example of a false negative
Using the CVE CVE-2023-32082, which belongs to us, if we do a Trivy scan on an affected version, i.e., v3.5.0, the report doesn't return it:
Note: Of course, the report is not empty, as we're using an old Debian version as the base, which has several reported vulnerabilities with defined severities.
Proposed enhancements
In my humble opinion, I don't see a lot of value in this check. However, I can think of two possible alternatives:
If we decide to keep it, I think a better alternative would be to run a Trivy scan on our base image (gcr.io/distroless/static-debian12). And decouple it from the release script tests (maybe create a new Prow job, or consolidate it with govulncheck)
We're not checking the latest released image for vulnerabilities, as this is configured as presubmit. So, we may never find out if our latest released images (i.e., v3.5.18 and v3.4.35 [as of today]) are using vulnerable dependencies. That's why, in github workflows: remove release tests #19358, I propose to move this to a periodic job.
If we choose to keep it in any possible implementations, we must decide where it would live: as a GitHub workflow (we can upload the result serif output to GitHub as we're doing right now); or as a Prow job with a regular text output.
What would you like to be added?
I'm spinning off the conversation of keeping the Trivy scan out of #19358 to improve the discussion.
Release tests GitHub workflow
Currently, the release tests' GitHub workflow is split into two steps:
etcd/.github/workflows/release.yaml
Lines 15 to 31 in e25d605
etcd/.github/workflows/release.yaml
Lines 62 to 68 in e25d605
Trivy Workflow
If we analyze what the Trivy image scan is doing by reading our
Dockerfile:etcd/Dockerfile
Lines 1 to 6 in 9de211d
It will scan the base image we're using and the
etcdstatic binaries, as there's nothing else we're installing in the Docker image.gcr.io/distroless/static-debian12, already stripped down from libraries, external dependencies, etc. We also keep this image up to date with Dependabot, so having this as a CI job is highly likely never to find a vulnerability. It's still possible that it will find a vulnerability as soon as the CVE is published. However, the current configuration has the severity set toCRITICAL,HIGH. Because when new vulnerabilities are published their severity isUNKNOWN, the workflow is very likely never to fail.govulncheck. As it checks for vulnerabilities in Golang's stdlib, and following the previous point, it won't fail because initially the CVEs have anUNKNOWNseverity. Contrary togovulncheck, it fails without analyzing the severity (andgovulnonly fails if we're directly affected, and it also checks all of the dependencies, not just Golang's).Example of a false negative
Using the CVE CVE-2023-32082, which belongs to us, if we do a Trivy scan on an affected version, i.e.,
v3.5.0, the report doesn't return it:$ trivy image -q quay.io/coreos/etcd:v3.5.0 | grep CVE-2023-32082 [nothing]Note: Of course, the report is not empty, as we're using an old Debian version as the base, which has several reported vulnerabilities with defined severities.
Proposed enhancements
In my humble opinion, I don't see a lot of value in this check. However, I can think of two possible alternatives:
gcr.io/distroless/static-debian12). And decouple it from the release script tests (maybe create a new Prow job, or consolidate it withgovulncheck)v3.5.18andv3.4.35[as of today]) are using vulnerable dependencies. That's why, in github workflows: remove release tests #19358, I propose to move this to a periodic job.If we choose to keep it in any possible implementations, we must decide where it would live: as a GitHub workflow (we can upload the result serif output to GitHub as we're doing right now); or as a Prow job with a regular text output.
References
Why is this needed?
This is meant to open the discussion for a possible cleanup/enhancement.
The text was updated successfully, but these errors were encountered: