
automate CVE patches with copa #63

Open · sozercan opened this issue Jan 26, 2024 · 2 comments
sozercan commented Jan 26, 2024

Looks like DRA driver patches CVEs using a conditional in Dockerfile to run package manager tooling
https://github.com/NVIDIA/k8s-dra-driver/blob/main/deployments/container/Dockerfile.ubuntu#L54-L60
https://github.com/NVIDIA/k8s-dra-driver/blob/main/deployments/container/Dockerfile.ubi8#L54-L59

https://github.com/project-copacetic/copacetic is a CNCF sandbox project for a CLI tool for directly patching container images with support for multiple package managers (apt, apk, yum, etc.), and distroless images. This can be set up at build time and on any recurring cadence to automate patching.

Would maintainers be interested in integration or contribution for an integration?

elezar self-assigned this Jan 27, 2024
elezar commented Jan 27, 2024

Hi @sozercan. That looks interesting.

We currently depend on nvidia/cuda base images across all our components, and often lag on addressing CVEs since these have not been updated or released yet. Using something like the tools you describe to patch these images before consuming them in our projects would be useful.

I have not yet looked into the tooling in detail, but do you have a link on examples for how to automate this in github actions, for example? Note that our images are generally multi-arch images. Do the tools you mention support these too, or would we have to create the multi-arch manifest from the constituent parts after the fact?

cc @ArangoGutierrez @shivamerla @cdesiniotis

ashnamehrotra commented
Hi @elezar, here is an example of a GitHub workflow integrating the copacetic action to automate patching: https://github.com/Azure/azure-workload-identity/blob/main/.github/workflows/patch-images.yaml. Similar to the example, you would have to create the multi-arch manifest after the patching.
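Added example (not from this thread, the DRA driver, or copa's own repository) of the pattern described above: a scheduled workflow that patches each single-arch image with copa, pushes it, and then rebuilds the multi-arch manifest from the patched parts. The image name and tag, the `-amd64`/`-arm64` per-arch tag convention, and the action versions are placeholders and assumptions.

```yaml
name: patch-images
on:
  schedule:
    - cron: "0 3 * * *"        # nightly; the cadence is arbitrary
env:
  IMAGE: ghcr.io/example-org/example-image   # placeholder image name
  TAG: v0.1.0                                # placeholder tag (assumed per-arch tags: TAG-amd64, TAG-arm64)
jobs:
  patch:
    runs-on: ubuntu-latest
    permissions: { contents: read, packages: write }   # only what pushing needs
    strategy:
      matrix:
        arch: [amd64, arm64]
    steps:
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - uses: docker/setup-qemu-action@v3   # copa runs the image's package manager, so a non-native arch needs emulation
      - uses: aquasecurity/trivy-action@0.16.1   # report only fixable OS-package CVEs: the set copa can act on
        with:
          scan-type: image
          image-ref: ${{ env.IMAGE }}:${{ env.TAG }}-${{ matrix.arch }}
          format: json
          output: report.json
          ignore-unfixed: true
          vuln-type: os
      - id: copa
        uses: project-copacetic/copa-action@v1.0.0
        with:
          image: ${{ env.IMAGE }}:${{ env.TAG }}-${{ matrix.arch }}
          image-report: report.json
          patched-tag: ${{ env.TAG }}-${{ matrix.arch }}-patched
      - run: docker push ${{ steps.copa.outputs.patched-image }}
  manifest:
    needs: patch
    runs-on: ubuntu-latest
    permissions: { packages: write }
    steps:
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      # Reassemble the multi-arch manifest from the patched single-arch images
      - run: |
          docker buildx imagetools create -t "$IMAGE:$TAG-patched" \
            "$IMAGE:$TAG-amd64-patched" "$IMAGE:$TAG-arm64-patched"
```

Each matrix job patches one architecture; the manifest job runs only after every arch has been pushed, so a failed patch for one platform leaves the previous multi-arch tag untouched.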
