# prefect-kubernetes
o
The Prefect base image doesn’t pass Snyk Docker vulnerabilities check, any ideas? When scanning the base image with Snyk I find this vulnerability:
✗ Critical severity vulnerability found in curl/libcurl3-gnutls
  Description: Cleartext Transmission of Sensitive Information
  Info: https://security.snyk.io/vuln/SNYK-DEBIAN11-CURL-3320493
  Introduced through: git@1:2.30.2-1+deb11u2
  From: git@1:2.30.2-1+deb11u2 > curl/libcurl3-gnutls@7.74.0-1.3+deb11u7
This comes from Prefect’s Dockerfile line 101: https://github.com/PrefectHQ/prefect/blob/main/Dockerfile#L101. Is Git actually needed and used within the Prefect server / Prefect agents? If so, why? Can I remove it or will it break Prefect?
h
Getting snyk to be happy about images is the worst. I build most of mine from scratch, starting with one of the base images like python3.9. That way I can rebuild them periodically (which is a double-edged sword). Those images don’t work with ACI though, and not as an agent either. I have an open discourse post on creating some better yet minimal images from scratch, maybe one day I will get back to this https://discourse.prefect.io/t/minimal-prefect-dockerfile-from-a-base-image/2502
🙌 1
z
There’s also some discussion on our platform team about publishing higher security images that drop things that are just nice to have
prefect duck 2
o
@Henning Holgersen and @Zanie thank you! What we eventually did was to remove Git altogether and hack some of the Prefect files to not consult the git CLI and instead use some fake hard-coded version.
This allowed us to pass Snyk without any High or Critical bugs.
z
We’re also using the latest git version. It’s unfortunate that there’s a vuln that’s not fixed?
o
Yeah, it is unfortunate. Git has a dependency on curl that wasn’t fixed; not sure if it’s statically linked or not, or maybe Git has a newer version that has this fixed already.
The latest Git version is 2.4.0 whereas it seems like Prefect is using 1.2?
The least we should allow is to pass a Docker argument to the Dockerfile to allow to override the default versions, I think.
h
I am reading the snyk scans with a fair amount of skepticism. Interestingly, the ACR vulnerability scan actually tells me “there’s no fix for this”, so that’s kind of… nice. Also, all the bugs like “error in parsing random xml can lead to ddos” stuff is kind of… yeah, no, not going to happen.
o
For sure @Henning Holgersen, but if your business depends on selling to B2B Enterprises with CISOs who enforce this policy, it’s problematic.
h
Hehe… damn, I know what you mean. I am sometimes forced to present that kind of absurd security requirements as part of our procurement process. Sorry by proxy.
🙌 1
But in that case I’d definitely opt to build all images from scratch. Prefect images get outdated and new vulnerabilities are discovered, so a new scan in a week might turn up new stuff.
🙏 1
z
❯ docker run prefecthq/prefect:2-latest bash -c "apt-get update && apt-get upgrade git"
Get:1 http://deb.debian.org/debian bullseye InRelease [116 kB]
Get:2 http://deb.debian.org/debian-security bullseye-security InRelease [48.4 kB]
Get:3 http://deb.debian.org/debian bullseye-updates InRelease [44.1 kB]
Get:4 http://deb.debian.org/debian bullseye/main arm64 Packages [8071 kB]
Get:5 http://deb.debian.org/debian-security bullseye-security/main arm64 Packages [236 kB]
Get:6 http://deb.debian.org/debian bullseye-updates/main arm64 Packages [12.0 kB]
Fetched 8527 kB in 1s (6191 kB/s)
Reading package lists...
Reading package lists...
Building dependency tree...
Reading state information...
git is already the newest version (1:2.30.2-1+deb11u2).
I don’t think there are newer versions of git available on the base image.
o
Interesting. What’s the base image that Prefect is using? Debian 11?
z
We use the Python official images
o
Which in turn probably use Debian?
z
Looks like it yeah
We do allow that to be configured e.g.
ARG BASE_IMAGE=python:${PYTHON_VERSION}-slim
o
Debian is very conservative about the versions of its components
z
Yeah 😬
o
BTW @Zanie, we just added a Snyk GitHub workflow that scans our images on each Git push and on a nightly cron basis (for zero days).
This allows us to know the healthiness and cyber hygiene of our stack at any given point in time.
z
Nice! We have similar things internally for our production images.
🙌 1
o
Does Prefect use ArgoCD / Flux or a traditional push based CI/CD pipeline with Helm?
z
I think we use Flux these days
o
Nice
Must be exciting working for Prefect, a beautiful project cleanly designed from scratch
When I grow old I would like to work for Prefect as product / dev 😄
z
It’s a good place to work!
It’s funny it doesn’t feel as clean now that I’ve been here for so long because I know too much and mostly interact with users complaining about bugs. It’s great to hear though 🙂
😅 2
h
Hehe… absolutely a biased sample of users.
😄 1
o
I am a CTO of a Fintech AI & data science startup company, you are welcome to connect if you want: https://www.linkedin.com/in/cohen-ofir
One day I hope to send my developers to a PrefectCon
h
Curiously, I’d see a prefectCon as a sign that prefect has failed - at keeping things simple. If there has to be a conference, there is too much to think about.
o
Or an opportunity to get together and discuss interesting use cases that Prefect might want to address
h
Good point, I see a lot of interesting use cases with ML and a gazillion parallel tasks etc.
🙌 1
z
Nice! I’d be happy to chat about your use-cases.