@talkraghu talkraghu commented Jun 30, 2025

Summary
This PR improves the build reproducibility and mitigates potential risk from upstream CVEs by switching the base build image from gcc:latest to gcc:13.

Background
The previous Dockerfile used gcc:latest as the base image for building DRBD utilities. Using a floating tag can inadvertently introduce new vulnerabilities over time and lead to unpredictable build behavior. Pinning the image to gcc:13 ensures a stable, auditable, and more secure build environment.

Testing Performed
Rebuilt the image locally with gcc:13.
Scanned using grype: 0 Critical CVEs and 9 High CVEs, all originating from libxml2 and python3 in the UBI 9 runtime base image.

Functional verification:
drbd-shutdown-guard --help displays usage correctly.
The drbd-shutdown-guard init container in the satellite-node pod completes successfully.
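One way to catch the floating-tag problem this PR fixes before it reaches a build: the POSIX shell function below, an added example that is not code from the PR or the project, scans a Dockerfile for FROM instructions that use :latest or no tag at all and returns non-zero so a CI job can fail on them. It skips multi-stage aliases and digest-pinned references; any file paths and image names used with it are constructed.

```shell
#!/bin/sh
# Added example: report FROM instructions whose base image floats
# (no tag, or the :latest tag). Digest references (image@sha256:...)
# and references to earlier build stages ("FROM builder") are ignored.
# Returns 1 if any floating reference was found, 0 otherwise.
floating_base_images() {
  file="$1"
  found=0
  stages=" "
  set -f                                 # no glob expansion of words
  while IFS= read -r line || [ -n "$line" ]; do
    # shellcheck disable=SC2086
    set -- $line                         # split the instruction into words
    [ "$#" -ge 2 ] || continue
    kw=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    [ "$kw" = "FROM" ] || continue
    shift
    # skip instruction options such as --platform=linux/amd64
    while [ "$#" -gt 0 ]; do
      case "$1" in --*) shift ;; *) break ;; esac
    done
    [ "$#" -ge 1 ] || continue
    ref="$1"
    # remember "FROM ... AS name" so a later "FROM name" is not flagged
    if [ "$#" -ge 3 ]; then
      as=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
      [ "$as" = "AS" ] && stages="$stages$3 "
    fi
    case "$stages" in *" $ref "*) continue ;; esac
    case "$ref" in *@sha256:*) continue ;; esac   # fully pinned by digest
    # drop registry host (which may carry a :port) before looking for a tag
    name="${ref##*/}"
    case "$name" in
      *:latest) echo "$file: floating tag: $ref"; found=1 ;;
      *:*) ;;                            # pinned to a tag such as gcc:13
      *) echo "$file: no tag (defaults to latest): $ref"; found=1 ;;
    esac
  done < "$file"
  set +f
  return $found
}
```

A FROM that uses a build argument (FROM ${BASE}) is reported as untagged; resolve the argument before running the check.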

@talkraghu talkraghu force-pushed the fix/update-packages branch from 24dcf16 to 8237adc on June 30, 2025 17:46
@talkraghu talkraghu force-pushed the fix/update-packages branch from 711b82b to 52cfdca on July 1, 2025 08:13
@talkraghu talkraghu (Author) commented

With this change, the scan on the docker image shows NO critical CVEs.

There are a few HIGH CVEs though (listed below), which should be fine:

PACKAGE        INSTALLED         TYPE  VULNERABILITY   SEVERITY  EPSS%  RISK
python3        3.9.21-2.el9      rpm   CVE-2025-4517   High      27.56  < 0.1
python3-libs   3.9.21-2.el9      rpm   CVE-2025-4517   High      27.56  < 0.1
python3        3.9.21-2.el9      rpm   CVE-2025-4138   High      26.27  < 0.1
python3-libs   3.9.21-2.el9      rpm   CVE-2025-4138   High      26.27  < 0.1
libxml2        2.9.13-9.el9_6    rpm   CVE-2025-49794  High      21.33  < 0.1
python3        3.9.21-2.el9      rpm   CVE-2024-12718  High      19.88  < 0.1
python3-libs   3.9.21-2.el9      rpm   CVE-2024-12718  High      19.88  < 0.1
libxml2        2.9.13-9.el9_6    rpm   CVE-2025-49796  High      16.24  < 0.1
libxml2        2.9.13-9.el9_6    rpm   CVE-2025-49795  High      16.24  < 0.1

Successfully merging this pull request may close these issues.

Request for updated drbd-shutdown-guard Image Due to Multiple High and Critical CVEs