
[xh]Dockerfile with ubuntu base image #5422

Open
wants to merge 3 commits into base: master

Conversation

matrixstone
Collaborator

Description

Create an Ubuntu Dockerfile to address issue #5309.

To avoid the vulnerabilities introduced by the Debian base image, people can use this Dockerfile in docker-compose.yml instead.

How Has This Been Tested?

Tested by building the image locally and running it for the Mage UI with streaming pipeline runs.

Checklist

  • The PR is tagged with proper labels (bug, enhancement, feature, documentation)
  • I have performed a self-review of my own code
  • I have added unit tests that prove my fix is effective or that my feature works
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation

cc:
@wangxiaoyou1993

matrixstone added the labels bug (Something isn't working) and feature (New feature or request) on Sep 16, 2024
@wangxiaoyou1993
Member

How did you test whether Trivy vulnerabilities are resolved?

@matrixstone
Collaborator Author

matrixstone commented Sep 17, 2024

I uploaded the newly built Docker image to Docker Hub and enabled the Scout image analysis following this guide (the local docker scout command keeps failing).

Here is a screenshot:
[screenshot: Vulnerabilities]
It shows 1 critical, 31 high, 492 medium and 85 low vulnerabilities.
By contrast, the existing image has 14 critical and 138 high vulnerabilities according to the security tab.

For the new image, here is a breakdown of the critical and high vulnerabilities by source layer:
[screenshots: breakdown1 to breakdown5]

Should we (1) use this PR to add this Ubuntu Dockerfile as an option with fewer vulnerabilities, then (2) look into the individual critical and high vulnerabilities to see if they can be addressed/replaced?

@wangxiaoyou1993

@wangxiaoyou1993
Member

Can you update the Trivy job in your branch to build the image based on your Dockerfile and run the tests?
Want to make sure these vulnerabilities are resolved: https://github.com/mage-ai/mage-ai/security/code-scanning
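To make the comparison above reproducible in a CI job rather than by reading the Docker Hub security tab, the Trivy report can be summarised and gated per severity. The script below is an added example (not part of this PR or the mage-ai repository): it parses the JSON layout Trivy emits with `trivy image --format json --output report.json IMAGE`, counts findings per severity and per target (the "source layer" breakdown), and fails the gate when the critical/high budget is exceeded. The report, image name, package and CVE identifiers are constructed placeholders.

```python
"""Summarise and gate a Trivy JSON report by severity and target (added example)."""
import json
from collections import Counter

# Constructed sample in Trivy's JSON report layout; not output from a real scan.
# Targets mirror what Trivy reports: the OS package layer and a language-package layer.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {
            "Target": "example/mage-ubuntu:test (ubuntu 22.04)",
            "Class": "os-pkgs",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "libexample", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "libexample", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-EXAMPLE-0003", "PkgName": "zlib-demo", "Severity": "MEDIUM"},
            ],
        },
        {
            "Target": "Python",
            "Class": "lang-pkgs",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-EXAMPLE-0004", "PkgName": "demo-pkg", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-EXAMPLE-0005", "PkgName": "demo-pkg", "Severity": "LOW"},
            ],
        },
        # Trivy omits "Vulnerabilities" entirely for a clean target; the parser must cope.
        {"Target": "no-findings", "Class": "os-pkgs"},
    ]
})

SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN")

def summarize(report_json):
    """Return (total counts by severity, counts by severity for each target)."""
    report = json.loads(report_json)
    total, per_target = Counter(), {}
    for result in report.get("Results", []):
        findings = result.get("Vulnerabilities") or []
        counts = Counter(v.get("Severity", "UNKNOWN") for v in findings)
        per_target[result["Target"]] = dict(counts)
        total.update(counts)
    return dict(total), per_target

def gate(total, max_critical=0, max_high=0):
    """True when the report stays within the allowed critical/high budget."""
    return total.get("CRITICAL", 0) <= max_critical and total.get("HIGH", 0) <= max_high

if __name__ == "__main__":
    total, per_target = summarize(SAMPLE_REPORT)
    for target, counts in per_target.items():
        print(target, {s: counts[s] for s in SEVERITIES if counts.get(s)})
    print("total:", total, "passes gate:", gate(total))
```

In a CI job, `raise SystemExit(1)` on a failed gate makes the build fail instead of only printing the counts.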

matrixstone force-pushed the xu-image branch 4 times, most recently from 9f22713 to 65df5b9 on November 7, 2024 19:12