ar...@google.com <ar...@google.com> #2
Hello,
Could you please elaborate and describe the new feature you are requesting?
ba...@db.com <ba...@db.com> #3
Hello,
Our company is working in a highly regulated industry. There are many requirements that urge us to keep the number of vulnerabilities low. At the same time, we are deploying many dataflows which are based on gcr.io/dataflow-templates-base/java17-template-launcher-base-distroless . The repeated usage of this image, although necessary, floods our vulnerability mitigation processes and the dashboards of our regulators.
As contractually agreed upon between our company and Google as the vendor, Google needs to provide a vulnerability-free template image for dataflows for us to consume. We expect that Google owns that image and releases frequent updates on base images as well as dependencies. For false positives or disputed findings, there should be a page updating the tenants on details.
Please provide an ETA on when such an image with its framework will be available for us.
The following CVEs are found in the images Google provides within libssl1.1, openssl, and libssl3:
CVE-2012-2131
This issue can be mitigated by upgrading the underlying OS according to https://security-tracker.debian.org/tracker/CVE-2012-2131 .
The following CVEs are found in the images Google provides within glibc and libc6
CVE-2019-1010022
CVE-2018-20796
CVE-2019-1010023
CVE-2019-9192
Providing an image based, for example, on Alpine with a switch to musl results in an image that may have close to zero vulnerabilities.
Explaining again and again to our control owners and regulators that those CVEs are treated as a non-security issue by the Debian community costs money and time. Moreover, it understandably gets more and more difficult to use images with such high severities in a productive environment.
ar...@google.com <ar...@google.com> #4
Hello,
Thanks for the feature request!
This has been forwarded to the Cloud Dataflow Engineering Team so that they may evaluate it. Note that there are no ETAs or guarantees of implementation for feature requests. All communication regarding this feature request is to be done here.
ar...@google.com <ar...@google.com> #5
Hello,
Can you please follow the
Description
Problem you have encountered: There are many requirements that urge the customer to keep the number of vulnerabilities low.
What you expected to happen:
Vulnerabilities in Dataflow Images -- Add via next update Upgrade