rusackas commented on issue #23103:
URL: https://github.com/apache/superset/issues/23103#issuecomment-4537470171
Closing in favor of #40424, which captures the current state with a fresh
trivy scan and a concrete proposal.
Quick summary of what changed since this was opened in Feb 2023:
- The chart no longer uses the upstream `jwilder/dockerize` image — it's
been on `apache/superset:dockerize` (Superset-built) for a while. So the
*specific* concern (3rd-party unmaintained image) is addressed.
- However, today's trivy scan of the current published
`apache/superset:dockerize` shows we've taken on the maintenance burden and
haven't kept up:
| Metric | Value |
|---|---|
| Image created | 2024-05-09 |
| Base | Alpine 3.19.1 (EOSL) |
| CRITICAL | 3 |
| HIGH | 25 |
| MEDIUM | 71 |
| LOW | 24 |
| Fixes available | 123/123 |
64 of the CVEs are in the `dockerize` Go binary itself (stale Go stdlib +
vendored `golang.org/x/{net,crypto}`); the rest are alpine base packages.
Rather than rebuild a single-purpose image on a fresher base (kicks the can
again), #40424 proposes dropping `dockerize` from the chart entirely and
replacing the four init-container TCP waits with a bash `/dev/tcp` probe
against the superset image we're already pulling. Zero new images, no external
deps, no CVE backlog separate from the main image's.
Thanks to everyone who weighed in here over the past three years — the
proposal in #40424 is essentially @villebro's suggestion from June 2024 with a
concrete migration plan.
🦕
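The bash `/dev/tcp` probe the proposal describes, written out as an added example (this is not code from the issue or from the Superset chart). It assumes bash and a `timeout` binary exist in the superset image; the function names and the `WAIT_RETRIES`/`WAIT_INTERVAL` knobs are my choices, and the `tcp://` prefix handling is there so existing dockerize-style `-wait` values can be carried over unchanged.

```shell
#!/usr/bin/env bash
# Added example (not from the issue): a dockerize-free TCP readiness probe for the
# chart's init containers, built on bash's /dev/tcp pseudo-device so it needs only
# the shell already in the superset image. Usage: ./wait-for.sh redis:6379 db:5432

# parse_endpoint "tcp://host:port" or "host:port" -> prints "host port".
parse_endpoint() {
  ep=${1#tcp://}                 # accept dockerize-style tcp:// URLs as well
  case $ep in
    *:*) printf '%s %s\n' "${ep%:*}" "${ep##*:}" ;;
    *)   echo "parse_endpoint: expected host:port, got '$1'" >&2; return 2 ;;
  esac
}
# tcp_probe HOST PORT SECONDS: one connection attempt. An explicit bash makes
# /dev/tcp work even when this file is sourced from /bin/sh; `timeout` (when
# present) bounds the attempt so a black-holed SYN cannot stall the container.
tcp_probe() {
  if command -v timeout >/dev/null 2>&1; then
    timeout "$3" bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" 2>/dev/null
  else
    bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" 2>/dev/null
  fi
}
# wait_for_tcp HOST PORT [RETRIES] [INTERVAL] [PER_TRY]: 0 once the port accepts
# a connection, 1 after RETRIES failed attempts, 2 on bad arguments.
wait_for_tcp() {
  host=$1; port=$2; retries=${3:-60}; interval=${4:-2}; per_try=${5:-3}
  case $port in ''|*[!0-9]*) echo "wait_for_tcp: bad port '$port'" >&2; return 2;; esac
  [ -n "$host" ] || { echo "wait_for_tcp: missing host" >&2; return 2; }
  n=0
  while [ "$n" -lt "$retries" ]; do
    n=$((n + 1))
    if tcp_probe "$host" "$port" "$per_try"; then
      echo "wait_for_tcp: $host:$port accepting connections (attempt $n)"; return 0
    fi
    echo "wait_for_tcp: $host:$port not ready (attempt $n/$retries)" >&2
    [ "$n" -ge "$retries" ] || sleep "$interval"   # no sleep after the last try
  done
  echo "wait_for_tcp: giving up on $host:$port after $retries attempts" >&2
  return 1
}
# wait_for_endpoints EP...: wait for each dependency in turn; the first failure
# aborts so the pod goes to Init:Error instead of starting against a dead backend.
wait_for_endpoints() {
  for ep in "$@"; do
    hp=$(parse_endpoint "$ep") || return 2
    wait_for_tcp "${hp% *}" "${hp##* }" "${WAIT_RETRIES:-60}" "${WAIT_INTERVAL:-2}" || return 1
  done
}
[ "$#" -eq 0 ] || wait_for_endpoints "$@"
```

Because the probe never opens a data channel beyond the TCP handshake, it confirms only that the listener is up, which is exactly what the dockerize `-wait tcp://` checks did.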
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]