
Monitor CVE reports as provided by KF/manifest team

Open tarilabs opened this issue 1 year ago • 4 comments

With KF 1.9, the Platform (KF/Manifest) team is introducing CVE reporting. ref: https://blog.kubeflow.org/kubeflow-1.9-release/#cve-scanning

Since https://github.com/kubeflow/manifests/pull/2860 it is possible to access the reports for the whole KF platform by accessing the zip archive in any of the runs from: https://github.com/kubeflow/manifests/actions/workflows/trivy.yaml

With https://github.com/kubeflow/manifests/pull/2856 we avoid double-counting in the final report for images which are shared across WGs/Components (i.e. we share MySQL and gcr.io/tfx-oss-public/ml_metadata_store_server)

Baseline

From the KF 1.9 release, these numbers were reported:

[Screenshot 2024-09-02 at 10 26 40]

September 2nd

Source images

Scanning  kubeflow/model-registry:latest
+----------+------+--------+-----+
| Critical | High | Medium | Low |
+----------+------+--------+-----+
|    0     |  0   |   11   |  68 |
+----------+------+--------+-----+

Shared images

Scanning  gcr.io/tfx-oss-public/ml_metadata_store_server:1.14.0
+----------+------+--------+-----+
| Critical | High | Medium | Low |
+----------+------+--------+-----+
|    0     |  0   |   35   |  41 |
+----------+------+--------+-----+

Scanning  mysql:8.0.3
+----------+------+--------+-----+
| Critical | High | Medium | Low |
+----------+------+--------+-----+
|    17    |  71  |   55   |  42 |
+----------+------+--------+-----+

tarilabs avatar Sep 02 '24 08:09 tarilabs
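
An added example (not part of the issue and not the kubeflow/manifests code) of producing per-image severity counts like the tables above from Trivy JSON reports while counting an image shared by several WGs only once. It assumes the reports use Trivy's JSON layout (`ArtifactName`, `Results[].Vulnerabilities[].Severity`) and that the image reference identifies a shared image; the WG keys and findings are constructed placeholders.

```python
from collections import Counter

SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW")

def severity_counts(report):
    """Count findings per severity in one Trivy JSON report (a parsed dict)."""
    counts = Counter()
    for result in report.get("Results") or []:
        # Trivy omits "Vulnerabilities" (or sets it to null) for clean targets.
        for vuln in result.get("Vulnerabilities") or []:
            counts[vuln.get("Severity", "UNKNOWN")] += 1
    return counts

def platform_totals(reports_by_wg):
    """Return (per_image, total), counting each image once across all WGs."""
    per_image = {}
    for reports in reports_by_wg.values():
        for report in reports:
            # Assumption: ArtifactName (image:tag) identifies a shared image.
            per_image.setdefault(report["ArtifactName"], severity_counts(report))
    return per_image, sum(per_image.values(), Counter())

def naive_total(reports_by_wg):
    """Sum every report as-is; a shared image is counted once per WG."""
    return sum((severity_counts(r) for rs in reports_by_wg.values() for r in rs),
               Counter())

def _sample(image, severities):
    # Constructed findings; the IDs are placeholders, not real CVEs.
    vulns = [{"VulnerabilityID": f"CVE-PLACEHOLDER-{i}", "Severity": s}
             for i, s in enumerate(severities)]
    return {"ArtifactName": image,
            "Results": [{"Target": image, "Vulnerabilities": vulns or None}]}

MYSQL = _sample("mysql:8.0.3", ["CRITICAL", "HIGH", "HIGH"])
REPORTS = {  # constructed sample; WG keys are illustrative
    "model-registry": [_sample("kubeflow/model-registry:latest",
                               ["MEDIUM", "LOW", "LOW"]), MYSQL],
    "pipelines": [MYSQL, _sample(
        "gcr.io/tfx-oss-public/ml_metadata_store_server:1.14.0", [])],
}

if __name__ == "__main__":
    per_image, total = platform_totals(REPORTS)
    for image, c in per_image.items():
        print(image, *(f"{s}={c[s]}" for s in SEVERITIES))
    print("deduplicated:", dict(total), "naive:", dict(naive_total(REPORTS)))
```
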

It looks to me that to get better numbers we need to have coordination with the KFP WG, from which we copy the MLMD setup.

I notice mysql:8.0.39, as also suggested in https://github.com/kubeflow/model-registry/pull/267, would improve some of these numbers, although the same considerations as above apply, since it seems to be also failing the bare minimal K8s test we have on this repo.

tarilabs avatar Sep 02 '24 08:09 tarilabs

On suggestion received during the MR biweekly meeting 2024-09-16, I've raised the question about the shared DB image in the Discussion forum for the KFP WG: https://github.com/kubeflow/pipelines/discussions/11224

tarilabs avatar Sep 18 '24 12:09 tarilabs

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

github-actions[bot] avatar Dec 18 '24 04:12 github-actions[bot]

Hi, this is a note of record that regardless we didn't receive any feedback since on enquiry

  • https://github.com/kubeflow/pipelines/discussions/11224

despite also following up with Liaisons and community in KF Release meetings, etc., I'm proposing to progress further on merge of

  • https://github.com/kubeflow/model-registry/pull/267

in order also to best support contributor development from Mac/ARM.

So to merge #267 to have refreshed dependency images, and help with local dev.

If you have any concern, please raise it by latest KF MR biweekly meeting currently scheduled for 2025-02-03.

tarilabs avatar Jan 30 '25 11:01 tarilabs

We have been releasing every ~3 weeks so as to keep dependencies updated and minimize CVEs. Also, the removal of the MLMD dependency https://github.com/kubeflow/model-registry/issues/865 helps minimize the surface.

tarilabs avatar Aug 11 '25 07:08 tarilabs