Refresh pinned Debian slim image digests#12892
Conversation
|
Additional context tying this PR back to the self-hosted image CVE report in #12887: This PR addresses the Debian base-image portion of that issue. The current Dockerfiles intentionally pin Debian slim image index digests here:
Those pinned values are substituted whenever the build arg resolves to How to verify the new SHAs: # Current Docker Hub index digest for bookworm-slim
docker buildx imagetools inspect debian:bookworm-slim | sed -n '1,12p'
# Expected digest in this PR:
# sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252
# Current Docker Hub index digest for bullseye-slim
docker buildx imagetools inspect debian:bullseye-slim | sed -n '1,12p'
# Expected digest in this PR:
# sha256:1a4701c321b1d28b1ff5f0230e766791e4b79b1d4c6c7a70064f4b297b1a330fHow to verify this is related to the CVE report: # Old pinned base image indices from main
docker run --rm -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy:latest image \
--quiet --scanners vuln --severity CRITICAL,HIGH debian@sha256:40b107342c492725bc7aacbe93a49945445191ae364184a6d24fedb28172f6f7
docker run --rm -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy:latest image \
--quiet --scanners vuln --severity CRITICAL,HIGH debian@sha256:e831d9a884d63734fe3dd9c491ed9a5a3d4c6a6d32c5b14f2067357c49b0b7e1
# New pinned base image indices from this PR
docker run --rm -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy:latest image \
--quiet --scanners vuln --severity CRITICAL,HIGH debian@sha256:f9c6a2fd2ddbc23e336b6257a5245e31f996953ef06cd13a59fa0a1df2d5c252
docker run --rm -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy:latest image \
--quiet --scanners vuln --severity CRITICAL,HIGH debian@sha256:1a4701c321b1d28b1ff5f0230e766791e4b79b1d4c6c7a70064f4b297b1a330fI saw this base-image delta locally with Trivy 0.70.0:
So this does not claim to fix every finding in #12887. It is a narrow first step that removes stale Debian base-layer findings when Neon rebuilds/publishes images. The remaining findings called out in #12887, such as Go/Python/runtime dependency findings and CVEs with no upstream fix, would still need separate changes or a fresh published image after those runtimes are updated. |
|
+1 |
Summary
Refresh the pinned Debian slim index digests used by the storage image, build-tools image, and compute-node image builds.
The current pinned
bookworm-slimandbullseye-slimdigests point at older Debian image indices. Because the final runtime images are assembled from these pinned bases, rebuilding against refreshed Debian indices should reduce stale OS package findings in downstream container scanners without changing Neon application code or Dockerfile structure.Why
We run Neon self-hosted and container vulnerability scans flagged stale Debian base packages in the published
ghcr.io/neondatabase/neonandghcr.io/neondatabase/compute-node-v16images. We are temporarily using derivative images that run a Debian package refresh, but the better long-term fix is for upstream Neon images to rebuild from current pinned Debian bases so downstream users do not need to maintain forks.Validation
git diff --checkdocker buildx imagetools inspect.bookworm-slim: 2 Critical / 22 High -> 2 Critical / 10 Highbullseye-slim: 3 Critical / 27 High -> 3 Critical / 14 HighI did not run the full Neon image build locally because the compute image build is large; this PR only updates the pinned Debian index digest values used by the existing build flow.