Skip to content

[3.5] Security: use distroless base image to address critical Vulnerabilities #15016

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
ahrtr merged 1 commit into from
Dec 19, 2022
Merged

[3.5] Security: use distroless base image to address critical Vulnerabilities #15016

ahrtr merged 1 commit into from
Dec 19, 2022

Conversation

@ahrtr
Copy link
Member

@ahrtr ahrtr commented Dec 18, 2022
edited
Loading

Command:

trivy image --severity CRITICAL gcr.io/etcd-development/etcd:v3.5.6

See report:
Screen Shot 2022-12-19 at 07 52 44

Signed-off-by: Benjamin Wang [email protected]

Please read https://github.com/etcd-io/etcd/blob/main/CONTRIBUTING.md#contribution-flow.

cc @mitake @ptabor @serathius @spzala

@ahrtr ahrtr added area/security priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. labels Dec 18, 2022
@ahrtr
Copy link
Member Author

ahrtr commented Dec 18, 2022

Note: I have confirmed that there is no critical Vulnerabilities any more after using the distroless base image.

@ahrtr ahrtr changed the title security: use distroless base image to address critical Vulnerabilities Security: use distroless base image to address critical Vulnerabilities Dec 18, 2022
@ahrtr
security: use distroless base image to address critical Vulnerabilities
b766840 
Command:
trivy image --severity CRITICAL gcr.io/etcd-development/etcd:v3.5.6 -f json -o 3.5.6_image_critical.json

Signed-off-by: Benjamin Wang <[email protected]>
@ahrtr ahrtr force-pushed the use_distroless_3.5_20221219 branch from d38d450 to b766840 Compare December 18, 2022 23:59
@ahrtr ahrtr changed the title Security: use distroless base image to address critical Vulnerabilities [3.5] Security: use distroless base image to address critical Vulnerabilities Dec 19, 2022
fuweid
fuweid reviewed Dec 19, 2022
View reviewed changes
fuweid
fuweid approved these changes Dec 19, 2022
View reviewed changes
Copy link
Member

@fuweid fuweid left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM(non-binding)

ptabor
ptabor approved these changes Dec 19, 2022
View reviewed changes
Copy link
Contributor

@ptabor ptabor left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please mention it in a changelog.

It's a potentially breaking change (if someone installs own scripts on top of etcd image).

@ahrtr
Copy link
Member Author

ahrtr commented Dec 19, 2022

Please mention it in a changelog.

Yes, I will update the changelog when I finish all the Vulnerabilities (including HIGH and critical)

@ahrtr
Copy link
Member Author

ahrtr commented Dec 19, 2022

Thanks both @ptabor and @fuweid

@ahrtr ahrtr merged commit 4e03851 into etcd-io:release-3.5 Dec 19, 2022
This was referenced Dec 19, 2022
Merged
Merged
@serathius serathius mentioned this pull request Jan 18, 2023
Closed
@nberlee nberlee mentioned this pull request Jan 23, 2023
Closed
@ahrtr ahrtr mentioned this pull request Feb 21, 2023
Merged
@ahrtr ahrtr mentioned this pull request Apr 27, 2023
Merged
@pchan pchan mentioned this pull request Apr 27, 2023
Closed
@ErikJiang ErikJiang mentioned this pull request Jun 16, 2023
Merged
tjungblu pushed a commit to tjungblu/etcd that referenced this pull request Jul 26, 2023
@ahrtr @tjungblu
Merge pull request etcd-io#15016 from ahrtr/use_distroless_3.5_20221219
02987f7 
[3.5] Security: use distroless base image to address critical Vulnerabilities
@superseb superseb mentioned this pull request Sep 21, 2023
Closed
@vardhaman22 vardhaman22 mentioned this pull request Jan 25, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@fuweid fuweid fuweid approved these changes

+1 more reviewer

@ptabor ptabor ptabor approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

area/security priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release.

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@ahrtr @ptabor @fuweid