A lot of security issues found via vulnerability scanning on Google Cloud related to Go
When building the image via Buildpacks on Google Cloud and pushing it to the Artifact Registry for scanning, a lot of security issues are detected. I'm assuming these are related to the base image Ubuntu 18.04. Is there a way to enforce the latest image, to prevent these security issues?
Issues at the moment: CVE-2021-38297, CVE-2022-23806. These issues are already fixed so I would assume these can easily be handled with a new base image?
Hi @gboston, through what mechanism are you using buildpacks? gcloud run deploy?, pack build --builder ...?, gcloud app deploy?
Using gcloud run deploy
Hey @gboston just a quick update. @matthewrobertson did a bit more digging and we think we found the root cause. It looks like the builder was using an outdated version of the pack CLI, causing the CVE to be reported in your scanner. I think this is the commit that fixed it https://github.com/GoogleCloudPlatform/buildpacks/commit/8563188fbbbb71f63f1756c507e76d46ae290276
Re-tested this on the Go sample app using Cloud Build and the vulnerability scanner and we're showing fewer CVEs. The two CVEs mentioned are no longer present and we are reporting no Critical/Highs.

Something noteworthy here is that the scan indicates that there are 20 available "Fixes". Sampling around some of the CVEs I see a few notable themes:
- The available fixes might not be available on Ubuntu 18 base image, which is what the open source builder is still using. This may be resolved when we switch over to Ubuntu 22 Jammy as the base image in #232
- Some of the fixes are clearly marked as available on Bionic, e.g. https://ubuntu.com/security/CVE-2022-1664 . However, assuming we're grabbing the latest base images from Canonical, I wonder if it's a transitive dependency being pulled in?
For now, I think we've addressed some of the most urgent vuln issues. The team is still planning to investigate how to make sure "fixable" CVEs are included in future builds. Will leave this issue open for now and keep a running update.
Some quick updates for y'all. We're in the early phases of releasing our Ubuntu 22 builder, which is both smaller and addresses some of the "fixable" CVEs we talked about in this issue.
You can give it a spin by using the google-22 tag on the builder:
```
pack build --builder=gcr.io/buildpacks/builder:google-22 <image name>
```
You can see some of the results in my testing:
| | Ubuntu-18 Builder | Ubuntu-22 Builder |
|---|---|---|
| Total CVEs | 34 | 11 |
| Fixable CVEs | 5 | 1 |
| Critical | 0 | 0 |
| High | 1 | 0 |
| Medium | 18 | 4 |
| Low | 15 | 7 |
| Image Size | 71.8 MB | 54.6 MB |
Made a small announcement explaining how to use the new google-22 builder https://github.com/GoogleCloudPlatform/buildpacks/discussions/271
And with that I think we can close this issue as it resolves the two key points I outlined. @gboston would love it if you could give the new builder a spin!
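The comparison above is the kind of check worth automating in a pipeline: summarize a scan the same way the table does (total, fixable, per-severity) and fail the build only on the class of findings the thread singles out, fixable CVEs at High or Critical. The following is an added example, not code from the buildpacks project or from anyone in this thread. The input shape is an assumption loosely modelled on Container Analysis vulnerability occurrences (the JSON that `gcloud artifacts docker images list-vulnerabilities --format=json` emits); the field names `vulnerability.severity`, `vulnerability.fixAvailable` and `vulnerability.shortDescription` should be checked against your scanner's actual output, and the two scan payloads are constructed sample data, not real results.

```python
"""Summarize container scan output and gate a build on fixable High/Critical CVEs.

Added example, not the buildpacks project's code. The occurrence shape is an
ASSUMPTION modelled on Container Analysis vulnerability occurrences; adapt the
field names to what your scanner actually emits.
"""
import json
from collections import Counter

SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN")

# Constructed sample scans (not real results): the same app built on an older
# builder and on a newer one. CVE ids are placeholders.
SCAN_OLD_BUILDER = json.dumps([
    {"vulnerability": {"shortDescription": "CVE-EXAMPLE-0001", "severity": "HIGH", "fixAvailable": True}},
    {"vulnerability": {"shortDescription": "CVE-EXAMPLE-0002", "severity": "MEDIUM", "fixAvailable": True}},
    {"vulnerability": {"shortDescription": "CVE-EXAMPLE-0003", "severity": "MEDIUM", "fixAvailable": False}},
    {"vulnerability": {"shortDescription": "CVE-EXAMPLE-0004", "severity": "LOW", "fixAvailable": False}},
    # Scanner did not rate this one: it must still be counted, not silently dropped.
    {"vulnerability": {"shortDescription": "CVE-EXAMPLE-0005", "fixAvailable": False}},
])
SCAN_NEW_BUILDER = json.dumps([
    {"vulnerability": {"shortDescription": "CVE-EXAMPLE-0003", "severity": "MEDIUM", "fixAvailable": False}},
    {"vulnerability": {"shortDescription": "CVE-EXAMPLE-0004", "severity": "LOW", "fixAvailable": False}},
])


def summarize(scan_json):
    """Return the same figures as the table in the thread: total findings,
    how many have a fix available, and a per-severity breakdown.
    Unrated findings land in UNKNOWN so they remain visible."""
    occurrences = json.loads(scan_json)
    by_severity = Counter({sev: 0 for sev in SEVERITIES})
    findings = []
    for occ in occurrences:
        vuln = occ.get("vulnerability", {})
        sev = str(vuln.get("severity", "UNKNOWN")).upper()
        if sev not in SEVERITIES:
            sev = "UNKNOWN"
        by_severity[sev] += 1
        findings.append((vuln.get("shortDescription", "?"), sev, bool(vuln.get("fixAvailable", False))))
    return {
        "total": len(occurrences),
        "fixable": sum(1 for _, _, fix in findings if fix),
        "by_severity": dict(by_severity),
        "findings": findings,
    }


def blocking_findings(summary, severities=("CRITICAL", "HIGH"), fixable_only=True):
    """CVE ids that should fail the pipeline. By default only findings the
    distro has already fixed (the thread's "fixable" class) block; pass
    fixable_only=False to block on unfixed High/Critical findings as well."""
    return sorted(
        cve for cve, sev, fix in summary["findings"]
        if sev in severities and (fix or not fixable_only)
    )


def compare(before, after):
    """Per-severity delta between two scans; negative means fewer findings."""
    return {sev: after["by_severity"][sev] - before["by_severity"][sev] for sev in SEVERITIES}


if __name__ == "__main__":
    old, new = summarize(SCAN_OLD_BUILDER), summarize(SCAN_NEW_BUILDER)
    for label, s in (("old builder", old), ("new builder", new)):
        print(f"{label}: total={s['total']} fixable={s['fixable']} {s['by_severity']}")
    print("delta:", compare(old, new))
    blockers = blocking_findings(new)
    print("gate:", "FAIL " + ", ".join(blockers) if blockers else "PASS")
```

In a real pipeline, feed `summarize()` the scanner's JSON for the freshly pushed image and exit non-zero when `blocking_findings()` is non-empty; the `compare()` output is what lets you show, as the table above does, that switching builders actually reduced the exposure rather than just reshuffling it.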
On that note, I think we can mark this issue as resolved.