ci: fix s360 security vulnerability #25876
/azp run Azure.sonic-buildimage

Azure Pipelines successfully started running 1 pipeline(s).
Pull request overview
This PR aims to address reported S360 security vulnerabilities by updating selected dependency versions used by the docker-ptf build and its published version manifest.
Changes:
- Bump `pip` and `setuptools` versions in the `docker-ptf` py3 versions manifest.
- Update `docker-ptf` image build inputs (grpcurl, ipython, tac_plus, protobuf pin, gnoic).
- Update the gnxi patch to require a newer `protobuf` for `gnmi_cli_py`.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| files/build/versions-public/dockers/docker-ptf/versions-py3 | Updates published python package versions for docker-ptf py3. |
| dockers/docker-ptf/gnxi-patches/0005-Enhance-gnmi_cli_py-4.patch | Updates gnxi gnmi_cli_py requirements (protobuf) in the applied patch. |
| dockers/docker-ptf/Dockerfile.j2 | Updates several pinned tool/component versions and adjusts protobuf pinning behavior. |
Comments suppressed due to low confidence (1)
dockers/docker-ptf/Dockerfile.j2:115
- This Dockerfile downloads the `grpcurl` binary directly from GitHub using `curl` and installs it into the image without any integrity verification (no checksum or signature check). If the upstream GitHub release or the network path is compromised, a malicious binary could be embedded into the container and later executed with its privileges. To harden the supply chain, pin this download to a specific immutable artifact and verify its integrity (for example by checking a known SHA-256 digest) before installing.
&& GRPCURL_VERSION=1.9.3 && \
curl -L "https://github.com/fullstorydev/grpcurl/releases/download/v${GRPCURL_VERSION}/grpcurl_${GRPCURL_VERSION}_${GRPCURL_ARCH}.tar.gz" \
-o /tmp/grpcurl_${GRPCURL_VERSION}_${GRPCURL_ARCH}.tar.gz && \
cd /tmp && \
tar xvf grpcurl_${GRPCURL_VERSION}_${GRPCURL_ARCH}.tar.gz && \
mv grpcurl /usr/local/bin/grpcurl && \
chmod +x /usr/local/bin/grpcurl && \
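Review bot: nothing in this hunk checks the downloaded `grpcurl_${GRPCURL_VERSION}_${GRPCURL_ARCH}.tar.gz` between the `curl -L ... -o` and the `mv grpcurl /usr/local/bin/grpcurl`, so a substituted archive is installed silently. Pin the release's SHA-256 per `GRPCURL_ARCH` and fail the build on mismatch before `tar xvf`, e.g. `echo "<pinned sha256 placeholder>  /tmp/grpcurl_${GRPCURL_VERSION}_${GRPCURL_ARCH}.tar.gz" | sha256sum -c -`, and extract only the `grpcurl` member rather than the whole archive into `/tmp`.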
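The verify-then-install pattern the comment above asks for, as an added example that is not part of this PR or of sonic-buildimage. Instead of fetching from GitHub, the "release" is a tarball constructed locally so the script runs offline; `EXPECTED_SHA256` is computed from that constructed file and stands in for a digest that would be pinned in the Dockerfile. The helpers `sha256_of` and `install_verified` are hypothetical names for this example.

```shell
#!/bin/sh
# Added example: verify a release tarball against a pinned SHA-256 digest and
# extract only the wanted member, refusing anything whose digest does not match.

# Print the SHA-256 of a file (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# install_verified TARBALL EXPECTED_SHA256 MEMBER DEST
# Returns 0 and installs DEST/MEMBER only when the digest matches;
# returns 1 and extracts nothing on a mismatch.
install_verified() {
    tarball=$1; expected=$2; member=$3; dest=$4
    actual=$(sha256_of "$tarball")
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $tarball: expected $expected, got $actual" >&2
        return 1
    fi
    # Extract just the named member, never the whole archive.
    tar -xzf "$tarball" -C "$dest" "$member" && chmod 0755 "$dest/$member"
}

# --- constructed sample release (stands in for the grpcurl download) ---
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/src" "$WORK/bin"
printf '#!/bin/sh\necho fake-grpcurl\n' > "$WORK/src/grpcurl"
echo "unrelated file" > "$WORK/src/README"
tar -czf "$WORK/release.tar.gz" -C "$WORK/src" grpcurl README
# In a real Dockerfile this value is pinned in the file, not computed at build time.
EXPECTED_SHA256=$(sha256_of "$WORK/release.tar.gz")

# A tampered copy: one extra byte, so the pinned digest must reject it.
cp "$WORK/release.tar.gz" "$WORK/tampered.tar.gz"
printf 'x' >> "$WORK/tampered.tar.gz"

good_rc=0; install_verified "$WORK/release.tar.gz"  "$EXPECTED_SHA256" grpcurl "$WORK/bin" || good_rc=$?
bad_rc=0;  install_verified "$WORK/tampered.tar.gz" "$EXPECTED_SHA256" grpcurl "$WORK/bin" || bad_rc=$?
echo "genuine tarball: rc=$good_rc ; tampered tarball: rc=$bad_rc"
```

The digest check runs before `tar` touches the archive, so a mismatch never leaves partial files in the destination, and naming the member keeps stray files from the archive (here `README`) out of `/usr/local/bin`.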
Signed-off-by: Austin Pham <austinpham@microsoft.com>
f9428e8 to d9f6707
/azp run Azure.sonic-buildimage

Azure Pipelines successfully started running 1 pipeline(s).
| pip==25.3 | ||
| plumbum==1.10.0 | ||
| prompt-toolkit==1.0.18 | ||
| prompt_toolkit==3.0.52 | ||
| protobuf==3.20.3 | ||
| protobuf==5.29.5 |
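Review bot: `prompt-toolkit==1.0.18` and `prompt_toolkit==3.0.52` in this hunk are the same distribution (pip normalizes both spellings to `prompt-toolkit`), so the manifest now records two versions of one package; if the 1.0.18 line is a leftover from an older environment it should be dropped alongside the `protobuf` bump, otherwise state which interpreter or venv each pin belongs to.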
PR description mentions addressing vulnerabilities in multiple images (docker-ptf, debian, docker-sonic-mgmt), but this change set appears to only touch docker-ptf-related version pins and a shared Dockerfile macro. Please either include the missing image updates or adjust the PR description/scope so it matches what’s actually being fixed.
| +grpcio==1.41.1 | ||
| +grpcio-tools==1.41.1 | ||
| protobuf==3.6.1 --no-binary=protobuf | ||
| protobuf==3.18.3 --no-binary=protobuf |
gnmi_cli_py/requirements.txt is pinned to protobuf==3.18.3 (<=3.20.x), while other parts of this PR bump protobuf to 5.29.5. If gnmi_cli_py is used in the same environment as those other pins, pip will either error on dependency conflicts or silently downgrade protobuf. Please ensure the protobuf version strategy is consistent across docker-ptf (and that gnmi tests still work).
| protobuf==3.18.3 --no-binary=protobuf | |
| -protobuf==3.18.3 --no-binary=protobuf | |
| +protobuf==5.29.5 --no-binary=protobuf |
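Review bot: `+protobuf==5.29.5 --no-binary=protobuf` keeps the source-only install, so pip will build protobuf 5.29.5 from its sdist instead of using a wheel; confirm that the 5.29.5 sdist actually builds inside the docker-ptf image and that the resulting implementation is acceptable for the gnmi tests, or drop `--no-binary=protobuf` if its only reason was the old 3.x pin.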
| # gnxi/gnmi_cli_py requires protobuf 3.20.x or lower | ||
| # Bookworm by default use 5.29.x. Resetting it to 3.20.3 | ||
| # Bookworm by default use 5.29.x. Resetting it to 5.29.5 | ||
| # to avoid issues with gnmi tests. | ||
| RUN set -e; \ | ||
| . /etc/os-release; \ | ||
| if [ "$VERSION_CODENAME" = "bookworm" ]; then \ | ||
| pip install protobuf==3.20.3; \ | ||
| pip install protobuf==5.29.5; \ | ||
| else \ |
The protobuf pin here contradicts the preceding comment and likely breaks the stated gnxi/gnmi_cli_py requirement ("protobuf 3.20.x or lower"). Currently Bookworm is forced to protobuf==5.29.5, which is >3.20.x; please either (a) keep protobuf pinned to a compatible <=3.20.x version, or (b) update gnxi/gnmi_cli_py (and the comment) to be compatible with protobuf 5.29.x so gnmi tests won’t fail.
| prompt-toolkit==1.0.18 | ||
| prompt_toolkit==3.0.52 | ||
| protobuf==3.20.3 | ||
| protobuf==5.29.5 |
This file now pins protobuf==5.29.5, but docker-ptf still contains logic/comments indicating gnxi/gnmi_cli_py requires protobuf 3.20.x or lower. If docker-ptf’s runtime environment is expected to support gnmi tests, these pins need to be aligned (either update gnxi to support 5.29.x, or keep protobuf pinned to <=3.20.x here).
| protobuf==5.29.5 | |
| protobuf==3.20.3 |
Why I did it
Due to the recent s360 vulnerability reports, this PR is needed to address the problems. We have vulnerabilities in the following image:
Work item tracking
How I did it
Apply the recommended versions from the security report.
How to verify it
Which release branch to backport (provide reason below if selected)
Tested branch (Please provide the tested image version)
Description for the changelog
Link to config_db schema for YANG module changes
A picture of a cute animal (not mandatory but encouraged)