As a developer, I want to ensure image dependencies are secure

[nutjob4life]

Checked for duplicates

Yes - I've already checked

🧑‍🔬 User Persona(s)

Devops

💪 Motivation

...so that I can ensure the dependencies used in container images are secure and up-to-date.

A scanning tool such as Grype can ensure that package dependencies, operating system versions, and language-specific vulnerabilities do not end up in generated images. Combined with a pre-commit hook, this can prevent such security problems from proliferating into distributed images. GitHub Actions can ensure the safety of such images from contributions made without pre-commit hooks.

The SLIM community has an in-progress guide describing just this.

📖 Additional Details

No response

Acceptance Criteria

Given
When I perform
Then I expect

⚙️ Engineering Details

No response

🎉 I&T

No response

[riverma]

Awesome @nutjob4life - interested to hear your experience with this tool and guide. SLIM is currently collecting feedback on how to improve the guide before we publish it to our site.

[tloubrieu-jpl]

Starting with validate.

[tloubrieu-jpl]

validate has many dependencies, some of them have vulnerabiliies.

[jordanpadams]

@tloubrieu-jpl @nutjob4life do validate dependencies have vulnerabilities? between dependabot and sonatype, I am surprised we have not caught these. I monitor these closely.

[nutjob4life]

@jordanpadams, yes, validate depended on pds4-jparser, which depended on pds-opencsv, which depended on commons-text:1.9, which had a critical vulnerability (detected using Grype, the container image-scanning tool).

Dependabot caught it roughly the same time I did!

[jordanpadams]

Status: Completed on validate. Will add more sub-tasks for adding this other repos as they come up.

other higher priority repos in the future:

• Registry API
• Registry Loader Tools

[jordanpadams]

Closed per NASA-PDS/validate#1010. Will create new tasks for future expansion to other repos