is there any reason robusta has to stick with python 3.9? #1426

Closed

tuananh-vpbank opened this issue May 17, 2024 · 9 comments

Comments

@tuananh-vpbank

Is there any reason Robusta needs to stick with Python 3.9?

I know that Python 3.9 still has more than a year left until EOL, but the base image has way too many known CVEs. It would be awesome if we could update to a more secure base image.

@aantn (Collaborator) commented May 17, 2024

Hi @tuananh-vpbank,
We're planning to handle the CVEs soon, either by updating to the latest Python or by staying with Python 3.9 and changing the base image. Hope to update soon!

@aantn (Collaborator) commented May 17, 2024

And to answer your original question, I don't think there's a fundamental reason to stay with 3.9. It just requires testing and verifying that there isn't an issue with any of the dependencies.

@Flou21 commented May 19, 2024

Is there a concrete plan to fix / release this?
Issue #819 has been open for a year without any feedback.

I really like using Robusta and think it's a bummer that this problem exists at all.

@aantn (Collaborator) commented May 20, 2024

Yes, we plan to fix it in the next few weeks. I've discussed internally and we're prioritizing this.

@arikalon1 (Contributor)

Hi @tuananh-vpbank, @Flou21,

Today we released version 0.14.0, which changed to Python 3.11.
In addition, we upgraded all the packages that had CVEs.

@Flou21 commented Jun 26, 2024

Many thanks for the update.
It looks much better now than before.

NeuVector tells me that high vulnerabilities have gone down from 139 to 63 and medium vulnerabilities from 581 to 83.

So not perfect yet, but thanks for the update, I really appreciate it.

@arikalon1 (Contributor)

Thanks for the feedback @Flou21.

We scanned the image with GCR image scanning and Snyk, and they show only 6 CVEs with severity medium or above.
I'm not sure why the results are so different.

@Flou21 commented Jun 27, 2024

Thanks for the information @arikalon1.
I'm a bit surprised myself.

I use NeuVector to scan all container images in my Kubernetes clusters,
and Trivy for manual scans and as a step in CI pipelines.

I think the biggest problem is the base image rather than Robusta itself.
The Python base image itself already has 116 vulnerabilities (scanner: Trivy):

microgenv2:~ # trivy image python:3.11-slim
2024-06-27T11:12:45+02:00       INFO    Vulnerability scanning is enabled
2024-06-27T11:12:45+02:00       INFO    Secret scanning is enabled
2024-06-27T11:12:45+02:00       INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-27T11:12:45+02:00       INFO    Please see also https://aquasecurity.github.io/trivy/dev/docs/scanner/secret/#recommendation for faster secret detection
2024-06-27T11:12:47+02:00       INFO    [python] License acquired from METADATA classifiers may be subject to additional terms  name="pip" version="24.0"
2024-06-27T11:12:49+02:00       INFO    Detected OS     family="debian" version="12.5"
2024-06-27T11:12:49+02:00       INFO    [debian] Detecting vulnerabilities...   os_version="12" pkg_num=106
2024-06-27T11:12:49+02:00       INFO    Number of language-specific files       num=1
2024-06-27T11:12:49+02:00       INFO    [python-pkg] Detecting vulnerabilities...

python:3.11-slim (debian 12.5)

Total: 116 (UNKNOWN: 0, LOW: 67, MEDIUM: 37, HIGH: 11, CRITICAL: 1)

And the Robusta image has 204 with Trivy:

microgenv2:~ # trivy image robustadev/robusta-runner:0.14.0
2024-06-27T11:13:58+02:00       INFO    Vulnerability scanning is enabled
2024-06-27T11:13:58+02:00       INFO    Secret scanning is enabled
2024-06-27T11:13:58+02:00       INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-27T11:13:58+02:00       INFO    Please see also https://aquasecurity.github.io/trivy/dev/docs/scanner/secret/#recommendation for faster secret detection
2024-06-27T11:13:59+02:00       INFO    Detected OS     family="debian" version="12.5"
2024-06-27T11:13:59+02:00       INFO    [debian] Detecting vulnerabilities...   os_version="12" pkg_num=154
2024-06-27T11:13:59+02:00       INFO    Number of language-specific files       num=1
2024-06-27T11:13:59+02:00       INFO    [python-pkg] Detecting vulnerabilities...

robustadev/robusta-runner:0.14.0 (debian 12.5)

Total: 204 (UNKNOWN: 0, LOW: 134, MEDIUM: 41, HIGH: 26, CRITICAL: 3)

I still don't understand why the official Python image has so many vulnerabilities.

The newer python:3.12-slim image also has quite a few:

microgenv2:~ # trivy image python:3.12-slim
2024-06-27T11:18:24+02:00       INFO    Vulnerability scanning is enabled
2024-06-27T11:18:24+02:00       INFO    Secret scanning is enabled
2024-06-27T11:18:24+02:00       INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-27T11:18:24+02:00       INFO    Please see also https://aquasecurity.github.io/trivy/dev/docs/scanner/secret/#recommendation for faster secret detection
2024-06-27T11:18:27+02:00       INFO    [python] License acquired from METADATA classifiers may be subject to additional terms  name="pip" version="24.0"
2024-06-27T11:18:28+02:00       INFO    Detected OS     family="debian" version="12.5"
2024-06-27T11:18:28+02:00       INFO    [debian] Detecting vulnerabilities...   os_version="12" pkg_num=106
2024-06-27T11:18:28+02:00       INFO    Number of language-specific files       num=1
2024-06-27T11:18:28+02:00       INFO    [python-pkg] Detecting vulnerabilities...

python:3.12-slim (debian 12.5)

Total: 116 (UNKNOWN: 0, LOW: 67, MEDIUM: 37, HIGH: 11, CRITICAL: 1)

More vulnerabilities were also identified in the Snyk web UI: https://snyk.io/test/docker/python%3A3.11-slim

Docker Hub itself shows fewer: https://hub.docker.com/layers/library/python/3.11-slim/images/sha256-5a669c7aa9c6d3565ec2d1d50a8344696860ddabb7b8a8f64cfdd38cc932b172?context=explore

There are other base images with fewer / no vulnerabilities.
But the official Docker Hub images seem to have a relatively big problem.
This is the image I use most of the time:

microgenv2:~ # trivy image registry.suse.com/bci/python:3.12
2024-06-27T11:35:41+02:00       INFO    Vulnerability scanning is enabled
2024-06-27T11:35:41+02:00       INFO    Secret scanning is enabled
2024-06-27T11:35:41+02:00       INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-27T11:35:41+02:00       INFO    Please see also https://aquasecurity.github.io/trivy/dev/docs/scanner/secret/#recommendation for faster secret detection
2024-06-27T11:35:42+02:00       INFO    Detected OS     family="suse linux enterprise server" version="15.6"
2024-06-27T11:35:42+02:00       WARN    This OS version is not on the EOL list  family="suse linux enterprise server" version="15.6"
2024-06-27T11:35:42+02:00       INFO    [suse linux enterprise server] Detecting vulnerabilities...     os_version="15.6" pkg_num=166
2024-06-27T11:35:42+02:00       INFO    Number of language-specific files       num=0

registry.suse.com/bci/python:3.12 (suse linux enterprise server 15.6)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

I think the issue can be closed.
Nothing more than updating the base image should be done.
Maybe something else can be done in the future.
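One common reason two scanners disagree on the same image (as arikalon1's GCR/Snyk numbers and Flou21's NeuVector/Trivy numbers do above) is whether findings with no fix available from the distro are counted at all; Trivy's `--ignore-unfixed` flag exists precisely to drop them. The script below is an added example, not code from the Robusta project or from anyone in this thread: it parses a Trivy JSON report and splits the per-severity totals into "fix available" versus "no fix available", so the two sets of numbers can be compared on the same footing. The report embedded in it is constructed by hand with placeholder vulnerability IDs (not real CVEs), and the field names it reads (`Results[].Vulnerabilities[]` with `Severity`, `FixedVersion`, `Status`) follow the shape of `trivy image -f json` output as of 2024; treat that schema as an assumption and check it against your own Trivy version.

```python
"""Summarize a Trivy JSON report by severity, separating findings that have a
fix available from those the distro has not fixed (or will not fix).

Added example, not code from the Robusta project or this issue thread. Field
names follow Trivy's JSON output (Results[].Vulnerabilities[] with Severity,
FixedVersion and Status) as an assumption; the embedded report is constructed
by hand with placeholder IDs and is not a real scan result.
"""
import json
from collections import Counter

SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN")

# Constructed sample in the shape of `trivy image -f json <image>` output.
# The CVE-0000-* identifiers are placeholders, not real vulnerabilities.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "example/app:1.0",
    "Results": [
        {
            "Target": "example/app:1.0 (debian 12.5)",
            "Class": "os-pkgs",
            "Type": "debian",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libfoo",
                 "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2",
                 "Status": "fixed", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libbar",
                 "InstalledVersion": "2.1-1", "FixedVersion": "",
                 "Status": "affected", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libbaz",
                 "InstalledVersion": "3.0-1", "FixedVersion": "",
                 "Status": "will_not_fix", "Severity": "MEDIUM"},
                {"VulnerabilityID": "CVE-0000-0004", "PkgName": "libqux",
                 "InstalledVersion": "0.9-1", "FixedVersion": "",
                 "Status": "affected", "Severity": "LOW"},
                {"VulnerabilityID": "CVE-0000-0005", "PkgName": "libqux",
                 "InstalledVersion": "0.9-1", "FixedVersion": "",
                 "Status": "affected", "Severity": "LOW"},
            ],
        },
        {
            "Target": "Python",
            "Class": "lang-pkgs",
            "Type": "python-pkg",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0006", "PkgName": "somelib",
                 "InstalledVersion": "1.2.0", "FixedVersion": "1.2.1",
                 "Status": "fixed", "Severity": "CRITICAL"},
            ],
        },
    ],
})


def iter_vulns(report: dict):
    """Yield (result_class, vulnerability) for every finding in the report.

    Trivy emits one Result per target (OS packages, each language lockfile);
    a Result with no findings may carry null instead of an empty list.
    """
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            yield result.get("Class", "unknown"), vuln


def summarize(report_json: str) -> dict:
    """Return per-severity counts split into fixable vs. no fix available.

    'fixable' mirrors what `trivy --ignore-unfixed` keeps: a FixedVersion is
    present. Everything else is what the distro has not (yet) patched, which
    is the part that scanners counting it and scanners excluding it disagree on.
    """
    report = json.loads(report_json)
    total, fixable, unfixed, by_class = Counter(), Counter(), Counter(), Counter()
    for cls, vuln in iter_vulns(report):
        sev = vuln.get("Severity", "UNKNOWN")
        total[sev] += 1
        by_class[cls] += 1
        if vuln.get("FixedVersion"):
            fixable[sev] += 1
        else:
            unfixed[sev] += 1
    return {
        "total": sum(total.values()),
        "by_severity": {s: total[s] for s in SEVERITIES},
        "fixable_by_severity": {s: fixable[s] for s in SEVERITIES},
        "unfixed_by_severity": {s: unfixed[s] for s in SEVERITIES},
        "by_class": dict(by_class),
    }


def format_trivy_line(summary: dict) -> str:
    """Render the one-line total in the same order Trivy's table output uses."""
    order = ("UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL")
    parts = ", ".join(f"{s}: {summary['by_severity'][s]}" for s in order)
    return f"Total: {summary['total']} ({parts})"


if __name__ == "__main__":
    summary = summarize(SAMPLE_REPORT)
    print(format_trivy_line(summary))
    print("fix available:   ", summary["fixable_by_severity"])
    print("no fix available:", summary["unfixed_by_severity"])
```

To run it against a real image, write the report with `trivy image -f json -o report.json python:3.11-slim` and pass the file contents to `summarize()`; the "fix available" row is the number you can actually drive to zero by rebuilding on a current base, while the "no fix available" row is the part that only a different base image (or the distro publishing a fix) will change.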
