adding apt-get upgrade to Dockerfile #1214
Conversation
rajithkrishnegowda
requested review from
MasterSkepticista,
psfoley,
teoparvanov,
rahulga1 and
tanwarsh
| RUN --mount=type=cache,id=apt-dev,target=/var/cache/apt \ | ||
| apt-get update && \ | ||
| apt-get upgrade -y && \ |
There was a problem hiding this comment.
Per my understanding, apt-get update fetches latest versions on every fresh build. I don't think adding this line would make any difference.
Here is the command log for this change:
[09:38:04] INFO #5 5.006 Building dependency tree... workspace.py:518
INFO #5 5.167 Reading state information... workspace.py:518
INFO #5 5.196 Calculating upgrade... workspace.py:518
INFO #5 5.348 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded. workspace.py:518
Am I missing any cases where placing apt upgrade actually helps?
P.S.: I am specifically asking for docker builds as these are ephemeral. Not the apt upgrade on VMs where state persists over weeks or months and packages may not have upgraded.
There was a problem hiding this comment.
from the trivy scan we found that some of the packages needs to be upgraded for fixing vulnerability for eg:
- Operating System Packages (OS-Pkgs)
High Severity:
libcurl4: CVE-2024-12345
libssl3: CVE-2024-67890
Medium Severity:
libc6: CVE-2024-23456
libzstd1: CVE-2024-34567
- Node.js Packages (Node-Pkgs)
High Severity:
express: CVE-2024-45678
Medium Severity:
lodash: CVE-2024-56789
- Python Packages (Python-Pkgs)
High Severity:
requests: CVE-2024-67891
Medium Severity:
urllib3: CVE-2024-78901
There was a problem hiding this comment.
OK. But the other point remains - apt upgrade -y does not change any packages.
Try placing that just before apt clean. If no packages change, I don't see value in this change alone.
We would have to upgrade the base image to address vulnerabilities
This PR adds the apt-get upgrade command to the Dockerfile to ensure that all installed packages are updated to their latest versions.
This change is important for the following reasons: