Update Postgres 16.2 -> 16.4 #1543

Merged: 1 commit merged into develop from update/postgres-16-4 on Sep 4, 2024

Conversation

@dandelany (Collaborator) commented Sep 3, 2024

Upgrading Postgres from 16.2 to 16.4, since 16.2 has known security issues that flag our vulnerability scanner. Submitting a PR as a draft for now to see if it breaks any CI tests & if it fixes the "scan" step of the Publish workflow.

Per Postgres Docs I think this should be a safe change that does not require dump/restore or any other instructions/considerations, but let me know if you have any concerns with this, @Mythicaeda

@dandelany dandelany added the publish Tells GH to publish docker images for this PR label Sep 3, 2024
@skovati (Contributor) commented Sep 3, 2024

The issue isn't really with postgres, but rather that the Debian version (bookworm) that the postgres image is based on includes Go v1.18.2 (since the image installs a small util called gosu), which has a few critical CVEs.

These are basically false positives as far as I understand.

See also: docker-library/postgres#1223

It doesn't look like this small util cuts releases often, so we might have this failing check for a while. We can suppress these few CVEs if desired.

All that being said, we should definitely keep up with postgres patch releases.

@dandelany (Collaborator, Author) commented

Thanks for the context @skovati - I know the issue(s) are in a deeper layer of the Debian stack but I was hoping the official postgres 16.4 image would also include updates to these underlying dependencies...

  • I was hoping to use the checks on this PR to determine if that was true, however I realized the scan workflow is hardcoded to scan the develop aerie images. I've temporarily changed it & hardcoded it to scan the pr-1543 tag (i.e. the one published by this repo) to "preview" the results but will need to change this back before merging. Maybe we can make this dynamically use the correct tag for the PR when available? I haven't thought about it too hard.
  • The failing scan on develop had two vulnerabilities - one with Debian krb5 (Kerberos) dependency and one with gobinary. In the new scan, the gobinary issue is still present but the Debian/krb5 one appears to be fixed, so I think this is probably still worth merging (see scan output screenshots below)
  • I'm still trying to understand the gosu/gobinary thing and confirm whether it is the same as the issue you linked. It feels like we should have some way to define/ignore false positives in our scan - it's annoying to have it failing all the time...
[two scan output screenshots: the develop scan and the pr-1543 scan]
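The two things asked for in this thread, a scan step that follows the PR's own image tag instead of a hardcoded develop tag, and a way to suppress the gosu/gobinary findings once they are confirmed as false positives, can be combined in one GitHub Actions job. The job below is an added example and is not the Aerie repository's publish.yml. The pr-<n> tag convention is taken from the thread; the image name ghcr.io/example/aerie-postgres and the choice of Trivy as the scanner are assumptions, since the page does not say which scanner the Publish workflow uses. The gosu check relies on gosu --version printing the Go runtime it was compiled with, which is what lets you compare the scanner's claimed Go version against what actually ships in the base image.

```yaml
# Added example (not Aerie's publish.yml). Assumed names are marked below.
name: scan

on:
  pull_request:
  push:
    branches: [develop]

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      # Resolve the tag for this run: pr-<number> on pull requests (the
      # convention used in the thread), develop otherwise.
      - name: Resolve image tag
        id: tag
        run: |
          if [ "${{ github.event_name }}" = "pull_request" ]; then
            echo "tag=pr-${{ github.event.pull_request.number }}" >> "$GITHUB_OUTPUT"
          else
            echo "tag=develop" >> "$GITHUB_OUTPUT"
          fi

      # gosu prints "<gosu version> (<go version> on <os>/<arch>; <compiler>)".
      # Compare this against the Go version the scanner attributes to the
      # gobinary finding before deciding it is a false positive.
      - name: Show the Go toolchain gosu was built with
        run: docker run --rm --entrypoint gosu postgres:16.4 --version

      # Scan the PR (or develop) image. IMAGE is an assumed name.
      # .trivyignore holds one CVE ID per line; only add IDs after checking
      # them against the gosu --version output above.
      - name: Scan image
        env:
          IMAGE: ghcr.io/example/aerie-postgres:${{ steps.tag.outputs.tag }}
        run: |
          docker run --rm -v "$PWD/.trivyignore:/.trivyignore:ro" \
            aquasec/trivy:latest image \
              --ignorefile /.trivyignore \
              --severity HIGH,CRITICAL \
              --exit-code 1 \
              "$IMAGE"
```

Keeping the ignore list in a committed file rather than in the workflow makes each suppression reviewable in its own PR, with the gosu --version output as the justification, and the entries should be re-checked whenever the base image's Go toolchain changes.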

@Mythicaeda (Contributor) left a review comment

As you and Luke said, users don't need to do any work to upgrade their DBs, and we should remain on the latest patch, especially as I don't see any potential issues with the changes.

@dandelany (Collaborator, Author) commented

Thanks @Mythicaeda -

  • Seems like this is a good change, so I've reverted hardcoding pr-1543 back to develop in publish.yml, squashed, rebased, & will merge when tests pass.
  • After some more research I'm convinced the gobinary/gosu issues are indeed false positives, and I think I have a lead on how to ignore them in the scan, but will do that in a separate PR so as not to muddy the waters.

@dandelany dandelany marked this pull request as ready for review September 4, 2024 00:34
@dandelany dandelany requested a review from a team as a code owner September 4, 2024 00:34
@dandelany dandelany merged commit 9d2cd88 into develop Sep 4, 2024
21 of 22 checks passed
@dandelany dandelany deleted the update/postgres-16-4 branch September 4, 2024 00:41