> Does the beam project generally attempt to address as many of these vulnerabilities?
Beam does not retroactively patch released container images, but we use the latest available docker base images during each Beam release. Many vulnerabilities concern software packages preinstalled in the Docker base layer (currently we use Debian bookworm). Such packages are not necessarily used over the course of running a Beam pipeline, so some attack vectors are not applicable but of course it would depend on a particular vulnerability. Note that Beam users can supply custom container images to use in their pipeline. For example, one can create an image based on 'distroless' distribution [1], which would significantly reduce the number of preinstalled packages. For more information on customizing container images, see [2] [3]. [1] ttps://github.com/GoogleContainerTools/distroless [2] https://beam.apache.org/documentation/runtime/environments/ [3] https://cloud.google.com/dataflow/docs/guides/build-container-image On Tue, Jan 23, 2024 at 1:30 PM 8 Gianfortoni <8...@tokentransit.com> wrote: > Hi team, > > We recently starting using the Google Artifact Registry's container > scanning, and have been able to fix almost all critical vulnerabilities > across our codebase. The one exception is the docker container created when > we deploy our dataflow beam jobs. > > The "critical" vulnerability reported is > https://security-tracker.debian.org/tracker/CVE-2023-45853, and we are > using Apache Beam golang v2.53.0. I cannot tell whether this is something > that is even easily fixable in the docker setup or whether beam is even > affected by this issue. > > Has anyone else run into this issue? Would a beam dataflow job actually be > affected or is this more relevant for someone actually running servers on > this particular version of debian? Should we just be ignoring this > "critical" vulnerability since it is just in the docker container for a > couple of batch jobs? Does the beam project generally attempt to address as > many of these vulnerabilities? > > Best, > 8 > Token Transit >
