Hello,

From time to time we get users reporting that the docker image we use to build Prometheus contains a Busybox vulnerability:

https://github.com/prometheus/node_exporter/issues/1937
https://github.com/prometheus/prometheus/issues/8277
https://github.com/prometheus/prometheus/issues/7794

We have a few options here:

1. ignoring those reports, as there is no evidence that this can be used without first getting shell access into the container.
2. removing wget from the container
3. switching to a base image that does not contain the fix, e.g. alpine
4. only shipping our binaries and a few other files (from scratch or from distroless-static https://github.com/GoogleContainerTools/distroless/blob/master/base/README.md)

My thinking:

1. This is (was) the current strategy. And clearly, scanners do not care whether Prometheus uses or does not use the said binaries. However, in security, less attack surface is always positive.
2. Even if we remove /bin/wget, it can still be invoked by calling /bin/busybox wget.
3. Alpine etc. would increase the surface and require rebuilding a lot more often than busybox.
4. Distroless static seems to be what we have now (takes certs etc. from debian), without busybox. The advantage here would be that we can simply stop using prometheus/busybox, and we would have updated upstream images all the time.

So I'd go and investigate the distroless base image in the future.

--
Julien Pivotto
@roidelapluie

--
You received this message because you are subscribed to the Google Groups "Prometheus Developers" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/prometheus-developers/20210131162630.GA13747%40oxygen.
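The following is an added example illustrating option 4 from the message above. It is not the Prometheus project's own Dockerfile and was not part of the original post: a multi-stage build that ships only the Prometheus binaries and the few files they need on top of gcr.io/distroless/static, so the final image contains no busybox at all (hence neither /bin/wget nor the /bin/busybox wget fallback described in point 2). The Go image tag, the distroless tag, the numeric uid 65532 used for the "nonroot" user, the install paths, and the assumption that the build runs from a checkout of the prometheus repository with its usual layout (cmd/prometheus, cmd/promtool, consoles/, console_libraries/, documentation/examples/prometheus.yml) are all assumptions of this example.

```dockerfile
# Added example, not the Prometheus project's Dockerfile.
# Assumptions: golang:1.15 as build image, gcr.io/distroless/static:nonroot as
# runtime image (its non-root user is uid/gid 65532), and a checkout of the
# prometheus repository as build context.

# --- stage 1: build statically linked binaries -------------------------------
FROM golang:1.15 AS build
WORKDIR /src
COPY . .
# CGO_ENABLED=0 produces binaries with no libc dependency, which is required
# for a base image that ships no libc (distroless/static or scratch).
RUN CGO_ENABLED=0 go build -trimpath -ldflags="-s -w" -o /out/prometheus ./cmd/prometheus \
 && CGO_ENABLED=0 go build -trimpath -ldflags="-s -w" -o /out/promtool   ./cmd/promtool \
 && mkdir -p /out/data

# --- stage 2: runtime image with no shell, no package manager, no busybox -----
# distroless/static carries CA certificates, tzdata and an /etc/passwd with a
# non-root user, and nothing that can execute a command for an attacker.
FROM gcr.io/distroless/static:nonroot

COPY --from=build /out/prometheus /bin/prometheus
COPY --from=build /out/promtool   /bin/promtool
COPY documentation/examples/prometheus.yml /etc/prometheus/prometheus.yml
COPY console_libraries/ /usr/share/prometheus/console_libraries/
COPY consoles/          /usr/share/prometheus/consoles/

# There is no RUN/chown possible in a distroless stage (no shell), so the
# writable TSDB directory is created in the build stage and copied in with
# the runtime user's ownership.
COPY --from=build --chown=65532:65532 /out/data /prometheus

USER 65532:65532
WORKDIR /prometheus
VOLUME ["/prometheus"]
EXPOSE 9090

ENTRYPOINT ["/bin/prometheus"]
CMD ["--config.file=/etc/prometheus/prometheus.yml", \
     "--storage.tsdb.path=/prometheus", \
     "--web.console.libraries=/usr/share/prometheus/console_libraries", \
     "--web.console.templates=/usr/share/prometheus/consoles"]
```

Two checks worth running against the resulting image: `docker run --rm --entrypoint /bin/sh <image>` and `docker run --rm --entrypoint /bin/busybox <image> wget` should both fail with an "executable file not found" error, which is exactly the property that removing the /bin/wget symlink alone (option 2) does not give you. The trade-off is operational rather than security-related: with no shell in the image, debugging has to happen with `kubectl debug`/ephemeral containers or an external toolbox image instead of `docker exec`.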

