Patch CVEs in container images #459

wedaly · 2025-06-23T22:30:04Z

Trivy reports many CVEs in the metaflow-service container images.

trivy image --ignore-unfixed --scanners vuln netflixoss/metaflow_metadata_service:sha-9e47d2d@sha256:fb13700fde0b680271ca622d634ad9d780946c24caeaca929c97c239b0c8af7f

netflixoss/metaflow_metadata_service:sha-9e47d2d@sha256:fb13700fde0b680271ca622d634ad9d780946c24caeaca929c97c239b0c8af7f (debian 12.2)
Total: 392 (UNKNOWN: 1, LOW: 29, MEDIUM: 276, HIGH: 79, CRITICAL: 7)

Python (python-pkg)
Total: 15 (UNKNOWN: 0, LOW: 0, MEDIUM: 9, HIGH: 6, CRITICAL: 0)

usr/local/bin/goose (gobinary)
Total: 40 (UNKNOWN: 0, LOW: 0, MEDIUM: 22, HIGH: 14, CRITICAL: 4)

This PR patches all of these CVEs by updating:

golang base image to 1.24.4-bookworm
goose version to v3.24.3
Python base image to 3.13.5-slim-bookworm
pygit2 to 1.18.0 for compatibility with new Python base image

I have tested the main Dockerfile both in minikube (manually replacing the image in devtools/Tiltfile) and in an EKS cluster. For consistency, I've made the same changes in the other Dockerfiles as well, but I wasn't sure how to test these.

Update golang base image to 1.24.4-bookworm Update goose version to v3.24.3 Update Python base image to 3.13.5-slim-bookworm Update pygit2 to 1.18.0 for compatibility with new Python base image

patch CVEs in container images

86d542a

Update golang base image to 1.24.4-bookworm Update goose version to v3.24.3 Update Python base image to 3.13.5-slim-bookworm Update pygit2 to 1.18.0 for compatibility with new Python base image

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Patch CVEs in container images #459

Patch CVEs in container images #459

Uh oh!

wedaly commented Jun 23, 2025

Uh oh!

Uh oh!

Patch CVEs in container images #459

Are you sure you want to change the base?

Patch CVEs in container images #459

Uh oh!

Conversation

wedaly commented Jun 23, 2025

Uh oh!

Uh oh!