PatPanda

Reputation: 5042

Building Spring Boot native images with Paketo buildpacks yields CVEs for openssl (baked inside the base image)

I am building a native image for Spring Boot.

The pom.xml looks like (closing tags added so the fragment is well-formed; the artifactId is a placeholder, the question omits the project coordinates):

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>3.4.1</version>
        <relativePath/>
    </parent>

    <!-- placeholder: the question does not show the project's own coordinates -->
    <artifactId>demo</artifactId>

    <build>
        <plugins>
            <!-- builds the OCI image via buildpacks (spring-boot:build-image) -->
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
            <!-- GraalVM native-image compilation, activated by -Pnative -->
            <plugin>
                <groupId>org.graalvm.buildtools</groupId>
                <artifactId>native-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>
</project>

When running mvn -Pnative spring-boot:build-image, Spring Boot would pull paketobuildpacks/builder-jammy-java-tiny (see https://github.com/spring-projects/spring-boot/wiki/Spring-Boot-3.4-Release-Notes#paketo-tiny-builder-for-building-oci-images).

Issues:

  1. Using the default, this builder-jammy-java-tiny image contains openssl-3.0.2, flagged with CVE-2022-1292, CVE-2022-2068 and CVE-2024-5535.

    Trying to fix the issue by upgrading the base image (closing tags added so the fragment is well-formed):

     <plugin>
         <groupId>org.springframework.boot</groupId>
         <artifactId>spring-boot-maven-plugin</artifactId>
         <configuration>
             <image>
                 <!-- noble-based builder instead of the default jammy one -->
                 <builder>paketobuildpacks/builder-noble-java-tiny</builder>
             </image>
         </configuration>
     </plugin>

  2. Even noble contains a vulnerable OpenSSL 3.0.13 with CVE-2024-5535.

  3. The issue with this default base image is that we cannot get into the container, or modify it to "not have" OpenSSL.

Is there a way to "not have" OpenSSL inside Paketo buildpacks base images?

Is there a base image which can build native image and does not contain known vulnerabilities up to now?

Upvotes: 0

Views: 62
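As an added example (not part of the question above), the spring-boot-maven-plugin lets you pin the run image separately from the builder: the final container is assembled on the run image, so that is the layer whose packages (OpenSSL included) end up shipping and should be scanned. The runImage value is a placeholder to be replaced with an image you have scanned and accepted; the builder name is the one from the question.

```xml
<!-- Added example: override both builder and run image for spring-boot:build-image.
     The builder only supplies build tooling; the run image is what the application
     container is based on. -->
<plugin>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-maven-plugin</artifactId>
    <configuration>
        <image>
            <!-- builder from the question; it also defines the default run image -->
            <builder>paketobuildpacks/builder-noble-java-tiny</builder>
            <!-- placeholder: an explicit run image replaces the builder's default.
                 Substitute a registry/image:tag you have vetted with your scanner. -->
            <runImage>REGISTRY/VETTED-RUN-IMAGE:TAG</runImage>
            <!-- fail the build on scanner findings in CI rather than inspecting
                 the builder image by hand; the builder's packages do not ship. -->
        </image>
    </configuration>
</plugin>
```

Build with mvn -Pnative spring-boot:build-image as in the question, then point the vulnerability scanner at the produced application image rather than at the builder, since only the run image and application layers are in it.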

Answers (0)
