Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

superset helm uses dockerize image which is unsupported (last release 7 years ago) and has CVEs #23103

Open
tooptoop4 opened this issue Feb 17, 2023 · 6 comments
Open

superset helm uses dockerize image which is unsupported (last release 7 years ago) and has CVEs #23103

tooptoop4 opened this issue Feb 17, 2023 · 6 comments
Assignees
@dpgaspar @villebro
Labels
#bug Bug report validation:required A committer should validate the issue

Comments

@tooptoop4
Copy link
Contributor

https://github.com/apache/superset/releases/download/superset-helm-chart-0.8.6/superset-0.8.6.tgz has references to jwilder/dockerize image/commands

https://github.com/jwilder/dockerize shows no new release for many years

following tools/CVEs are found within the dockerize image:

busybox 1.26.2-r4 has
CVE-2015-9261
CVE-2017-15873
CVE-2017-16544
CVE-2018-1000500
CVE-2018-1000517
CVE-2018-20679
CVE-2019-5747
CVE-2021-42376
CVE-2021-42378
CVE-2021-42379
CVE-2021-42381
CVE-2021-42382
CVE-2021-42384
CVE-2021-42385
CVE-2021-42386
CVE-2022-28391

musl 1.1.16-r9 has
CVE-2017-15650
CVE-2019-14697
CVE-2020-28928
@tooptoop4 tooptoop4 added the #bug Bug report label Feb 17, 2023
@sfirke
Copy link
Member

sfirke commented Feb 6, 2024

@tooptoop4 I see https://github.com/jwilder/dockerize has merged PRs into the repo more recently now and its most recent release seems to be in May 2023. Is this still a concern or can this issue be closed?

@sfirke sfirke added the validation:required A committer should validate the issue label Feb 6, 2024
@dpgaspar
Copy link
Member

dpgaspar commented Feb 6, 2024

@tooptoop4 I see https://github.com/jwilder/dockerize has merged PRs into the repo more recently now and its most recent release seems to be in May 2023. Is this still a concern or can this issue be closed?

Still a concern, we should eventually remove this dependency, I think we just use it to test PG and redis availability on helm

@rusackas
Copy link
Member

rusackas commented Jun 3, 2024

Does anyone here (cc @mistercrunch) know of any viable alternatives?

@mistercrunch
Copy link
Member

While working on docker-related things I remember thinking "what does this do!?", and it's something about waiting for services to get up before starting other services. Asking GPT there are drop-in replacements like wait-for-it and dockerize-golang but given our experience with dockerize, I think the best would be to go helm or k8s-native with something like:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: superset
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: superset
    spec:
      initContainers:
      - name: wait-for-db
        image: busybox
        command: ['sh', '-c', 'until nc -z db 5432; do echo waiting for db; sleep 2; done;']
      - name: wait-for-redis
        image: busybox
        command: ['sh', '-c', 'until nc -z redis 6379; do echo waiting for redis; sleep 2; done;']
      containers:
      - name: superset
        image: apache/superset:latest
        ports:
        - containerPort: 8088

@villebro
Copy link
Member

villebro commented Jun 6, 2024

@mistercrunch I agree, this would be much cleaner and easier to reason about. Another alternative would be to have a few new scripts (similar to superset_init.sh) for checking metastore/cache readiness, and then just use the superset image to avoid pulling in busybox (after all, it'll already be available). But I don't see busybox going sour or bloating anytime soon, so I think this is a really good approach.

@tooptoop4
Copy link
Contributor Author

🦕

@tooptoop4 tooptoop4 closed this as not planned Won't fix, can't repro, duplicate, stale Oct 19, 2024
@tooptoop4 tooptoop4 changed the title superset helm uses dockerize image which is unsupported (last release 6 years ago) and has CVEs superset helm uses dockerize image which is unsupported (last release 7 years ago) and has CVEs Oct 19, 2024
@mistercrunch mistercrunch reopened this Oct 22, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@dpgaspar dpgaspar

@villebro villebro

Labels
#bug Bug report validation:required A committer should validate the issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@mistercrunch @rusackas @dpgaspar @sfirke @tooptoop4 @villebro