
chore: update docker base image from python 3.9-buster to 3.12-slim

Open nigzak opened this issue 1 year ago • 5 comments

SUMMARY

The base image python 3.9 has findings which are fixed with a newer python base version. If we update to 3.12-slim, 1 high and 1 medium finding would get fixed.

BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

[screenshot]

TESTING INSTRUCTIONS

newer base image is used

ADDITIONAL INFORMATION

  • [ ] Has associated issue:
  • [ ] Required feature flags:
  • [ ] Changes UI
  • [ ] Includes DB Migration (follow approval process in SIP-59)
    • [ ] Migration is atomic, supports rollback & is backwards-compatible
    • [ ] Confirm DB migration upgrade and downgrade tested
    • [ ] Runtime estimates and downtime expectations provided
  • [ ] Introduces new feature or API
  • [ ] Removes existing feature or API

nigzak avatar Feb 26 '24 15:02 nigzak

Should we go to 3.10 first? Or do we want to make this big of a leap in one shot?

rusackas avatar Feb 26 '24 17:02 rusackas

If you want, I can change the pull request to 3.10 as well; 3.10 would also reduce the findings.

If you think this is "too bad" to switch to 3.12, I think it is totally fine to go to 3.10 and check again if relevant later (I thought if we change it, it might be good to update to "latest" - but you are right, this might also result in problems).

For your reference, the findings are listed directly in the Docker Hub scan, so you can probably get an easy overview without needing to open it yourself: https://hub.docker.com/_/python/

// 3.9-buster (currently used) [screenshot]

// 3.10-slim [screenshot]

// 3.11-slim [screenshot]

// 3.12-slim (latest stable available) [screenshot]

// 3.13 (NOT stable) => still has similar findings as 3.12 (even more) [screenshot]

nigzak avatar Feb 26 '24 18:02 nigzak

FYI: even if you want to stay on python 3.9, we might at least change to "-slim", which has far fewer findings in comparison to "-buster" ("-buster" seems abandoned?).

// slim [screenshot]

// buster [screenshot]

nigzak avatar Feb 27 '24 08:02 nigzak

Pointing out that we build on a future base here: https://github.com/apache/superset/blob/master/scripts/build_docker.py#L152-L154

We could move the base to 3.10.x and the future to 3.12.x

I'm supportive of moving to bookworm across the board too.

mistercrunch avatar Feb 28 '24 01:02 mistercrunch

As it was pointed out to me, no tickets based on public, well-known and easily visible CVEs shall be created anymore. I already closed all my tickets (or they were closed) - this is the only one left.

=> please let me know if I shall close it now

nigzak avatar May 26 '24 10:05 nigzak

Default base is now 3.10-slim-bookworm, and while I'm not sure if the screenshot above is from DockerHub, it appears to be and I don't see any known vulnerabilities looking at DockerHub - though I may not be looking at the right place... Closing for now. If you have concerns around known vulnerabilities, please use the security@ mailing list.

mistercrunch avatar May 28 '24 22:05 mistercrunch