Ofir

05/15/2023, 9:17 PM
The Prefect base image doesn’t pass Snyk Docker vulnerabilities check, any ideas? When scanning the base image with Snyk I find this vulnerability:
✗ Critical severity vulnerability found in curl/libcurl3-gnutls
  Description: Cleartext Transmission of Sensitive Information
  Info: <https://security.snyk.io/vuln/SNYK-DEBIAN11-CURL-3320493>
  Introduced through: git@1:2.30.2-1+deb11u2
  From: git@1:2.30.2-1+deb11u2 > curl/libcurl3-gnutls@7.74.0-1.3+deb11u7
This comes from Prefect’s Dockerfile line 101: https://github.com/PrefectHQ/prefect/blob/main/Dockerfile#L101 Is Git actually needed and used within the Prefect server / Prefect agents? If so, why? Can I remove it or will it break Prefect?

Henning Holgersen

05/16/2023, 4:14 AM
Getting snyk to be happy about images is the worst. I build most of mine from scratch, starting with one of the base images like python3.9. That way I can rebuild them periodically (which is a double-edged sword). Those images don’t work with ACI though, and not as an agent either. I have an open discourse post on creating some better yet minimal images from scratch, maybe one day I will get back to this https://discourse.prefect.io/t/minimal-prefect-dockerfile-from-a-base-image/2502

Zanie

05/16/2023, 2:19 PM
There’s also some discussion on our platform team about publishing higher security images that drop things that are just nice to have

Ofir

05/18/2023, 6:08 PM
@Henning Holgersen and @Zanie thank you! What we eventually did was to remove Git altogether and hack some of the Prefect files to not consult the git CLI and instead use some fake hard-coded version.
This allowed us to pass Snyk without any High or Critical bugs.

Zanie

05/18/2023, 6:11 PM
We’re also using the latest git version. It’s unfortunate that there’s a vuln that’s not fixed?

Ofir

05/18/2023, 6:12 PM
Yeah, it is unfortunate. Git has a dependency on curl that wasn’t fixed; not sure if it’s statically linked or not, or maybe Git has a newer version that has this fixed already.
The latest Git version is 2.4.0 whereas it seems like Prefect is using 1.2?
The least we should allow is passing a Docker argument to the Dockerfile to override the default versions, I think.

Henning Holgersen

05/18/2023, 6:14 PM
I am reading the Snyk scans with a fair amount of skepticism. Interestingly, the ACR vulnerability scan actually tells me “there’s no fix for this”, so that’s kind of… nice. Also, all the bugs like “error in parsing random xml can lead to ddos” stuff are kind of… yeah, no, not going to happen.

Ofir

05/18/2023, 6:15 PM
For sure @Henning Holgersen, but if your business depends on selling to B2B enterprises with CISOs who enforce this policy, it’s problematic.

Henning Holgersen

05/18/2023, 6:16 PM
Hehe… damn, I know what you mean. I am sometimes forced to present those kinds of absurd security requirements as part of our procurement process. Sorry by proxy.
But in that case I’d definitely opt to build all images from scratch. Prefect images get outdated and new vulnerabilities are discovered, so a new scan in a week might turn up new stuff.

Zanie

05/18/2023, 6:33 PM
❯ docker run prefecthq/prefect:2-latest bash -c "apt-get update && apt-get upgrade git"
Get:1 <http://deb.debian.org/debian> bullseye InRelease [116 kB]
Get:2 <http://deb.debian.org/debian-security> bullseye-security InRelease [48.4 kB]
Get:3 <http://deb.debian.org/debian> bullseye-updates InRelease [44.1 kB]
Get:4 <http://deb.debian.org/debian> bullseye/main arm64 Packages [8071 kB]
Get:5 <http://deb.debian.org/debian-security> bullseye-security/main arm64 Packages [236 kB]
Get:6 <http://deb.debian.org/debian> bullseye-updates/main arm64 Packages [12.0 kB]
Fetched 8527 kB in 1s (6191 kB/s)
Reading package lists...
Reading package lists...
Building dependency tree...
Reading state information...
git is already the newest version (1:2.30.2-1+deb11u2).
I don’t think there are newer versions of git available on the base image

Ofir

05/18/2023, 6:34 PM
Interesting. What’s the base image that Prefect is using? Debian 11?

Zanie

05/18/2023, 6:34 PM
We use the Python official images

Ofir

05/18/2023, 6:35 PM
Which in turn probably use Debian?

Zanie

05/18/2023, 6:35 PM
Looks like it yeah
We do allow that to be configured e.g.
ARG BASE_IMAGE=python:${PYTHON_VERSION}-slim

Ofir

05/18/2023, 6:35 PM
Debian is very conservative about the versions of its components

Zanie

05/18/2023, 6:35 PM
Yeah 😬

Ofir

05/18/2023, 6:38 PM
BTW @Zanie, we just added a Snyk GitHub workflow that scans our images on each Git push and on a nightly cron job basis (for zero-days).
This allows us to know the healthiness and cyber hygiene of our stack at any given point in time.

Zanie

05/18/2023, 6:51 PM
Nice! We have similar things internally for our production images.

Ofir

05/18/2023, 6:58 PM
Does Prefect use ArgoCD / Flux or a traditional push based CI/CD pipeline with Helm?

Zanie

05/18/2023, 6:59 PM
I think we use Flux these days

Ofir

05/18/2023, 7:02 PM
Nice
Must be exciting working for Prefect, a beautiful project cleanly designed from scratch
When I grow old I would like to work for Prefect as product / dev 😄

Zanie

05/18/2023, 7:10 PM
It’s a good place to work!
It’s funny it doesn’t feel as clean now that I’ve been here for so long because I know too much and mostly interact with users complaining about bugs. It’s great to hear though 🙂

Henning Holgersen

05/18/2023, 7:16 PM
Hehe… absolutely a biased sample of users.

Ofir

05/18/2023, 7:20 PM
I am a CTO of a Fintech AI & data science startup company, you are welcome to connect if you want: https://www.linkedin.com/in/cohen-ofir
One day I hope to send my developers to a PrefectCon

Henning Holgersen

05/18/2023, 7:24 PM
Curiously, I’d see a PrefectCon as a sign that Prefect has failed - at keeping things simple. If there has to be a conference, there is too much to think about.

Ofir

05/18/2023, 7:33 PM
Or an opportunity to get together and discuss interesting use cases that Prefect might want to address

Henning Holgersen

05/18/2023, 7:35 PM
Good point, I see a lot of interesting use cases with ML and a gazillion parallel tasks etc.

Zanie

05/18/2023, 9:12 PM
Nice! I’d be happy to chat about your use-cases.