# Outdated distroless base image version has many CVEs #2204

## 🐞 bug report

### Affected Rule

The issue affects `go_image`, `cc_image`, and probably the other `*_image`s.

### Is this a regression?

Not really.

### Description

The current release v0.25.0 references old versions of the distroless base images (2021-12). Users who build off the default base images are inadvertently using a 1+ year old distroless that contains many CVEs. Specifically, this affects users who copy-paste the README example and do not specify a `base = ...` in their `go_image`.

Please release a new version of `rules_docker` with an updated distroless image version. Alternatively, remove `repositories()` from `go:image.bzl` and the others. This will mean that users have to explicitly specify a `base` image/version.

## 🔬 Minimal Reproduction

1. Follow the instructions on https://github.com/bazelbuild/rules_docker#go_image to build a `go_image` without specifying a `base = ...`.
2. Upload the `go_image` to Google Container Repository.

## 🔥 Exception or Error

Google Container Repository reports the following CVEs:

| Vulnerability | Severity | CVSS | Fix available | Package | Type |
|---|---|---|---|---|---|
| CVE-2022-1292 | Critical | 10 | Yes | openssl | OS |
| CVE-2022-2068 | Critical | 10 | Yes | openssl | OS |
| CVE-2022-23219 | High | 7.5 | Yes | glibc | OS |
| CVE-2021-3999 | High | 7.8 | Yes | glibc | OS |
| CVE-2021-33574 | High | 7.5 | Yes | glibc | OS |
| CVE-2022-23218 | High | 7.5 | Yes | glibc | OS |
| CVE-2021-4160 | Medium | 4.3 | Yes | openssl | OS |
| CVE-2022-2097 | Medium | 5 | – | openssl | OS |
| CVE-2022-0778 | Medium | 5 | Yes | openssl | OS |
| CVE-2019-1010023 | Low | 6.8 | – | glibc | OS |
| CVE-2021-43396 | Low | 5 | Yes | glibc | OS |
| CVE-2019-1010022 | Low | 7.5 | – | glibc | OS |
| CVE-2018-20796 | Low | 5 | – | glibc | OS |
| CVE-2010-0928 | Low | 4 | – | openssl | OS |
| CVE-2007-6755 | Low | 5.8 | – | openssl | OS |
| CVE-2019-9192 | Low | 5 | – | glibc | OS |
| CVE-2010-4756 | Low | 4 | – | glibc | OS |
| CVE-2019-1010024 | Low | 5 | – | glibc | OS |
| CVE-2019-1010025 | Low | 5 | – | glibc | OS |

## 🌍 Your Environment

**Operating System:**

**Output of `bazel version`:**

**Rules_docker version:**

**Anything else relevant?**

## Comments

I'd be a big fan of requiring users to set an explicit …

@sudoforge did you submit a PR? Is your proposal to let users specify the distroless base in the WORKSPACE (repository rule) or on each xx_image rule?

What about a release with a freshly bumped base to buy some time. In the current form the rules are unusable :/

FWIW, rules_oci has convenient logic for you, just specify …

This issue has been automatically marked as stale because it has not had any activity for 180 days. It will be closed if no further activity occurs in 30 days.

The issue is still there, but we've switched to rules_oci entirely.
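The workaround the issue describes, passing an explicit `base` instead of relying on the default pulled in by `repositories()`, looks like this in practice. This is an added example, not code from the issue or from rules_docker itself; the repository name `distroless_base_pinned`, the target names `app_image` and `app_lib`, and the digest placeholder are all assumptions, and the `container_pull` and `go_image` attributes used are the ones rules_docker documents.

```starlark
# WORKSPACE (added example): pin the distroless base by digest so the build
# uses a deliberately chosen, current image rather than the year-old default
# that go_image's repositories() registers.
load("@io_bazel_rules_docker//container:container.bzl", "container_pull")

container_pull(
    name = "distroless_base_pinned",  # hypothetical repository name
    registry = "gcr.io",
    repository = "distroless/base",
    # Placeholder: replace with the digest of a current distroless release,
    # e.g. from `crane digest gcr.io/distroless/base:nonroot` or the registry UI.
    # A digest, unlike a tag, cannot silently drift between builds.
    digest = "sha256:<DIGEST_OF_CURRENT_DISTROLESS_BASE>",
)

# BUILD.bazel (same added example): set `base` explicitly so the rule never
# falls back to the default base image from repositories().
load("@io_bazel_rules_docker//go:image.bzl", "go_image")

go_image(
    name = "app_image",  # hypothetical target names
    base = "@distroless_base_pinned//image",
    embed = [":app_lib"],
)
```

Pinning by `digest` makes the base image an explicit, reviewable input: a CVE fix in distroless only reaches your image when someone bumps the digest, which is the point of the issue's second proposal. Rescanning the pushed image (as in the reproduction above) after the bump is the check that the new base actually clears the reported findings.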