Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Migrate to Wolfi base Docker image #720

Merged
merged 1 commit into from
Sep 3, 2024
Merged

Migrate to Wolfi base Docker image #720

merged 1 commit into from
Sep 3, 2024

Conversation

pquentin
Copy link
Member

The main motivation is to reduce the number of CVEs. Using trivy, I'm seeing 863 system vulnerabilities in 8.15.0, which is based on Debian 12.

docker.elastic.co/eland/eland:8.15.0 (debian 12.6)
==================================================
Total: 863 (UNKNOWN: 1, LOW: 261, MEDIUM: 517, HIGH: 78, CRITICAL: 6)

With Wolfi, those CVEs are all gone:

eland (chainguard 20230214)
===========================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

Additionally, the ARM image went from 1.66GB to 1GB (I don't have Linux x86-64 numbers).

However, we still have the following CVEs about our immediate dependencies. Fixing them is future work:

Python (python-pkg)
===================
Total: 6 (UNKNOWN: 0, LOW: 1, MEDIUM: 1, HIGH: 3, CRITICAL: 1)

┌─────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│         Library         │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                             │
├─────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ scikit-learn (METADATA) │ CVE-2024-5206  │ MEDIUM   │ fixed  │ 1.3.2             │ 1.5.0         │ scikit-learn: Possible sensitive data leak                   │
│                         │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-5206                    │
├─────────────────────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ torch (METADATA)        │ CVE-2024-31580 │ HIGH     │        │ 2.1.2             │ 2.2.0         │ PyTorch before v2.2.0 was discovered to contain a heap       │
│                         │                │          │        │                   │               │ buffer overflow ......                                       │
│                         │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-31580                   │
│                         ├────────────────┤          │        │                   │               ├──────────────────────────────────────────────────────────────┤
│                         │ CVE-2024-31583 │          │        │                   │               │ Pytorch before version v2.2.0 was discovered to contain a    │
│                         │                │          │        │                   │               │ use-after-fr ...                                             │
│                         │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-31583                   │
├─────────────────────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ transformers (METADATA) │ CVE-2023-6730  │ CRITICAL │        │ 4.35.2            │ 4.36.0        │ transformers has a Deserialization of Untrusted Data         │
│                         │                │          │        │                   │               │ vulnerability                                                │
│                         │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-6730                    │
│                         ├────────────────┼──────────┤        │                   │               ├──────────────────────────────────────────────────────────────┤
│                         │ CVE-2023-7018  │ HIGH     │        │                   │               │ transformers has a Deserialization of Untrusted Data         │
│                         │                │          │        │                   │               │ vulnerability                                                │
│                         │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-7018                    │
│                         ├────────────────┼──────────┤        │                   ├───────────────┼──────────────────────────────────────────────────────────────┤
│                         │ CVE-2024-3568  │ LOW      │        │                   │ 4.38.0        │ Transformers Deserialization of Untrusted Data vulnerability │
│                         │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-3568                    │
└─────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘

@dolaru
Copy link
Member

dolaru commented Aug 28, 2024

I don't expect any issues with third party model tracing with this new image but i'll do some tests just to make sure. Please hold from merging until I'm done.

@davidkyle
Copy link
Member

The CVEs in torch and transformers will be resolved by merging the PyTorch upgrade PR https://github.com/elastic/eland/pull/718/files which will be done once Elasticsearch 8.15.1 is released.

dolaru
dolaru approved these changes Sep 3, 2024
View reviewed changes
Copy link
Member

@dolaru dolaru left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. 👍🏽

Also, I can confirm HuggingFace model tracing still works as intended with the Wolfi base image.

@pquentin
Copy link
Member Author

pquentin commented Sep 3, 2024

Thanks! (I had tested HugginFace support.)

@pquentin pquentin merged commit f79180b into elastic:main Sep 3, 2024
3 of 4 checks passed
@pquentin pquentin deleted the wolfi branch September 3, 2024 14:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dolaru dolaru dolaru approved these changes

@ezimuel ezimuel Awaiting requested review from ezimuel

@davidkyle davidkyle Awaiting requested review from davidkyle

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@pquentin @dolaru @davidkyle