web: Update docker node from 24 to 24-alpine#23684
Conversation
tygyh
force-pushed
the
snyk-fix-e3bcd36fc31c26cfe0dd18d4f428b9a1
branch
from
1535a9b to
20d4f46
Compare
| # docker build --tag ruffle-web-docker -f web/docker/Dockerfile . | ||
| # docker cp $(docker create ruffle-web-docker:latest):/ruffle/web/packages web/docker/docker_builds/packages | ||
| FROM node:24 | ||
| FROM node:24.15.0-alpine3.23 |
There was a problem hiding this comment.
This image is not used in production, it's used for building.
There was a problem hiding this comment.
Does that mean this PR is not relevant?
There was a problem hiding this comment.
It means that these vulnerabilities can be exploited only during building.
For this specific Dockerfile, it means that https://github.com/WebAssembly/binaryen, https://sh.rustup.rs, a crate, or this repo would have to be malicious. We have to assume this repo cannot be malicious (the Dockerfile is a part of this repo). If a crate is malicious, we're doomed anyway. Even if https://github.com/WebAssembly/binaryen or https://sh.rustup.rs becomes malicious, how do they exploit a vulnerability in the image? In order to break out of the container they would have to exploit a vulnerability in dockerd or the kernel (which are not a part of the image). Without breaking out of the container they can do malicious stuff inside the container, which in this case means producing malicious outputs. But even without vulnerabilities in the image they can easily do that. Now, assuming that they can somehow exploit a vulnerability in the image—they run as root, so they can do whatever they want inside the image anyway.
So the possible vectors are extremely limited; I'm not even convinced there are any.
However, we might want to change the base image due to completely different reasons: build reproducibility and image size. Alpine is smaller, and pinning the version means that we cannot (or at least the probability is smaller) get a different image at different points in time. For that, there's the question of whether switching to Alpine won't break anything and whether we care about build reproducibility. I think @torokati44 knows more about these things.
If you really care about making the build image more secure you could: (1) add checksum checks for binaryen, and (2) install rust through the package manager and not rustup. This will make sure we're downloading what we expect inside the image. Option (2) is more difficult because node:24 uses Debian, which has ancient packages, so we would have to switch the distro anyway.
There was a problem hiding this comment.
This Dockerfile is not even used by us at all: it's provided only for the convenience and as compensation for lack of competence or concern for the reviewers at the Firefox add-on store (AMO).
I do remember them having issues with running out of disk space on their VMs they use to check the addons, and we even had to take some steps to alleviate this for them. So, if we can use a smaller base image with no issues, that would be nice also. Although, this hasn't been a problem for a while now, I think.
And about version pinning: this also hasn't been a problem, and I think we have enough lockfiles and pins in place that we can go with just node:24-alpine here, for the time being. That won't have to be bumped (and forgotten to be bumped) so often.
The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-DEBIAN12-IMAGEMAGICK-5660573 - https://snyk.io/vuln/SNYK-DEBIAN12-IMAGEMAGICK-5660573 - https://snyk.io/vuln/SNYK-DEBIAN12-IMAGEMAGICK-5660573 - https://snyk.io/vuln/SNYK-DEBIAN12-IMAGEMAGICK-5660573 - https://snyk.io/vuln/SNYK-DEBIAN12-IMAGEMAGICK-5660573
tygyh
force-pushed
the
snyk-fix-e3bcd36fc31c26cfe0dd18d4f428b9a1
branch
from
20d4f46 to
c37b7ca
Compare
|
Could you please manually trigger the "Test extension builder Dockerfile" workflow in your fork, for the branch that's the source of this PR, and link the run here? |
tygyh
force-pushed
the
snyk-fix-e3bcd36fc31c26cfe0dd18d4f428b9a1
branch
from
c37b7ca to
1dff169
Compare
tygyh
changed the title
|
Seems like |
tygyh
force-pushed
the
snyk-fix-e3bcd36fc31c26cfe0dd18d4f428b9a1
branch
from
1dff169 to
a15a350
Compare
tygyh
force-pushed
the
snyk-fix-e3bcd36fc31c26cfe0dd18d4f428b9a1
branch
from
a15a350 to
afcc708
Compare
|
The (compressed) base image size goes from 389.14 MB to 54.01 MB with this: EDIT: Although the |
|
I don't think we are actually reducing vulnerabilities, I think this is a security no-op. If you want to reduce vulnerabilities, you can make the dockerfile not download unchecked executables from the internet. Then, and only then, we can start caring about tar and wget vulnerabilities. |
|
I changed the description to get this done. I don't know how to do any of the other suggested changes, so let's leave it like this for now. :) |
4 participants
Description
Switch to alpine since it is smaller
Checklist