From 01d10ff60ceb20a8e2bb244846135cde7c091a4f Mon Sep 17 00:00:00 2001 From: lostluck <13907733+lostluck@users.noreply.github.com> Date: Fri, 12 Jan 2024 15:32:28 -0800 Subject: [PATCH 1/4] [Go SDK] Use distroless:debian12 (no-ssl) as base image. --- CHANGES.md | 2 ++ sdks/go/container/Dockerfile | 15 +-------------- 2 files changed, 3 insertions(+), 14 deletions(-) diff --git a/CHANGES.md b/CHANGES.md index c63464a6e01e..ee91e9155fc9 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -82,6 +82,8 @@ ## Security Fixes * Fixed (CVE-YYYY-NNNN)[https://www.cve.org/CVERecord?id=CVE-YYYY-NNNN] (Java/Python/Go) ([#X](https://github.com/apache/beam/issues/X)). +* Go SDK base container image moved to distroless/base-debian12, reducing vulnerable container surface ([#Y](https://github.com/apache/beam/issues/Y)). + * Fixes (CVE-YYYY-NNNN)[https://www.cve.org/CVERecord?id=CVE-YYYY-NNNN] (Go) ## Known Issues diff --git a/sdks/go/container/Dockerfile b/sdks/go/container/Dockerfile index 7f1884cfb719..b3b2fbbec3a9 100644 --- a/sdks/go/container/Dockerfile +++ b/sdks/go/container/Dockerfile @@ -16,20 +16,12 @@ # limitations under the License. ############################################################################### -FROM debian:bookworm +FROM gcr.io/distroless/base-nossl-debian12:latest LABEL Author "Apache Beam " ARG TARGETOS ARG TARGETARCH -ARG pull_licenses - -RUN apt-get update && \ - DEBIAN_FRONTEND=noninteractive apt-get install -y \ - ca-certificates \ - && \ - rm -rf /var/lib/apt/lists/* - ADD target/${TARGETOS}_${TARGETARCH}/boot /opt/apache/beam/ COPY target/LICENSE /opt/apache/beam/ @@ -37,9 +29,4 @@ COPY target/NOTICE /opt/apache/beam/ # Add Go licenses. COPY target/go-licenses/* /opt/apache/beam/third_party_licenses/golang/ -RUN if [ "$pull_licenses" = "false" ] ; then \ - # Remove above golang license and dir if pull licenses false - rm -rf /opt/apache/beam/third_party_licenses ; \ - fi - ENTRYPOINT ["/opt/apache/beam/boot"] 
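Review bot: The new `FROM gcr.io/distroless/base-nossl-debian12:latest` uses a floating tag, so each rebuild can silently pick up a different base and a published SDK image cannot be traced to a reviewed one. For a change listed under Security Fixes, pin the base by digest and bump it deliberately, e.g. `FROM gcr.io/distroless/base-nossl-debian12@sha256:<digest-of-reviewed-image>` (placeholder digest). No `USER` is set in the visible lines, so `/opt/apache/beam/boot` presumably still runs as root; if the boot binary does not need root, the `:nonroot` variant of the same image is worth considering. With `ARG pull_licenses` dropped here and the shell cleanup dropped in the following hunk, a build that passes `pull_licenses=false` appears to ship `third_party_licenses` anyway, so a comment above the license `COPY` should say so, e.g. `# pull_licenses is no longer honoured: the distroless base has no shell to run the cleanup`.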
From 29dc8618f9cce2ae445c37e009a7acf6537cb6ad Mon Sep 17 00:00:00 2001 From: lostluck <13907733+lostluck@users.noreply.github.com> Date: Fri, 12 Jan 2024 16:00:15 -0800 Subject: [PATCH 2/4] ws lint --- CHANGES.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGES.md b/CHANGES.md index ee91e9155fc9..5671d321b3ae 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -83,7 +83,7 @@ ## Security Fixes * Fixed (CVE-YYYY-NNNN)[https://www.cve.org/CVERecord?id=CVE-YYYY-NNNN] (Java/Python/Go) ([#X](https://github.com/apache/beam/issues/X)). * Go SDK base container image moved to distroless/base-debian12, reducing vulnerable container surface ([#Y](https://github.com/apache/beam/issues/Y)). - * Fixes (CVE-YYYY-NNNN)[https://www.cve.org/CVERecord?id=CVE-YYYY-NNNN] (Go) + * Fixes (CVE-YYYY-NNNN)[https://www.cve.org/CVERecord?id=CVE-YYYY-NNNN] (Go) ## Known Issues From c238eda016fc987e234a7e13888e0876e32beb9b Mon Sep 17 00:00:00 2001 From: lostluck <13907733+lostluck@users.noreply.github.com> Date: Wed, 7 Feb 2024 10:52:50 -0800 Subject: [PATCH 3/4] Update changes --- CHANGES.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/CHANGES.md b/CHANGES.md index 5671d321b3ae..50649b2200cb 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -82,8 +82,7 @@ ## Security Fixes * Fixed (CVE-YYYY-NNNN)[https://www.cve.org/CVERecord?id=CVE-YYYY-NNNN] (Java/Python/Go) ([#X](https://github.com/apache/beam/issues/X)). -* Go SDK base container image moved to distroless/base-debian12, reducing vulnerable container surface ([#Y](https://github.com/apache/beam/issues/Y)). - * Fixes (CVE-YYYY-NNNN)[https://www.cve.org/CVERecord?id=CVE-YYYY-NNNN] (Go) +* Go SDK base container image moved to distroless/base-nossl-debian12, reducing vulnerable container surface to kernel and glibc([#30011](https://github.com/apache/beam/pull/30011)). ## Known Issues From ac8e7d8c4dbb0715d7c8537339233a309ffa62e8 Mon Sep 17 00:00:00 2001 
From: lostluck <13907733+lostluck@users.noreply.github.com> Date: Wed, 7 Feb 2024 10:53:38 -0800 Subject: [PATCH 4/4] add space --- CHANGES.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGES.md b/CHANGES.md index 50649b2200cb..bb1dd5a117a4 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -82,7 +82,7 @@ ## Security Fixes * Fixed (CVE-YYYY-NNNN)[https://www.cve.org/CVERecord?id=CVE-YYYY-NNNN] (Java/Python/Go) ([#X](https://github.com/apache/beam/issues/X)). -* Go SDK base container image moved to distroless/base-nossl-debian12, reducing vulnerable container surface to kernel and glibc([#30011](https://github.com/apache/beam/pull/30011)). +* Go SDK base container image moved to distroless/base-nossl-debian12, reducing vulnerable container surface to kernel and glibc ([#30011](https://github.com/apache/beam/pull/30011)). ## Known Issues