CNB has no new version published. We need an example of Rebase.

Open msathe-tech opened this issue 2 years ago • 2 comments

gcr.io/buildpacks/builder:v1 for Java apps has 36 CVEs. There is no new version published. We also need a new version to check out the Rebase functionality.

msathe-tech avatar Jan 13 '22 23:01 msathe-tech

We release updates to the base images very frequently. Could you please share the details of which CVEs you are finding in the images and how you are scanning? AR auto scanning turns up a few low severity CVEs but none of them have patches available so an update won't help.

matthewrobertson avatar Jan 28 '22 20:01 matthewrobertson

I agree we need better documentation on how to rebase to update the base image layers.

We should also provide docs on how to remove unnecessary packages from the base image. This would allow users to eliminate CVEs that were introduced by packages that are not required by their application.

matthewrobertson avatar Jan 28 '22 20:01 matthewrobertson

We just published an updated builder using Ubuntu 22 as the base image. This builder has substantially fewer CVEs, see https://github.com/GoogleCloudPlatform/buildpacks/discussions/271

I think the remaining work here might be to demonstrate how to execute a rebase.

jama22 avatar Feb 09 '23 19:02 jama22

@msathe-tech you can check out my demo of how to use rebase in my post here https://github.com/GoogleCloudPlatform/buildpacks/discussions/300

Feedback welcome!

jama22 avatar May 05 '23 22:05 jama22