# troubleshoot
m
is there a way to run datahub without datahub-actions? it contains tens of critical vulnerabilities
l
Hey there 👋 I'm The DataHub Community Support bot. I'm here to help make sure the community can best support you with your request. Let's double check a few things first:
✅ There's a lot of good information on our docs site: www.datahubproject.io/docs. Have you searched there for a solution?
✅ It's not uncommon that someone has run into your exact problem before in the community. Have you searched Slack for similar issues?
Did you find a solution to your issue?
❌ Sorry you weren't able to find a solution. I'm sending you some tips on info you can provide to help the community troubleshoot. Whenever you feel your issue is solved, please react ✅ to your original message to let us know!
g
We have an acryldata/datahub-actions-slim image that you can use that's smaller and more closely monitored for vulns
m
it still contains critical vulnerabilities because of the base image
the Docker layers are still corrupted, because you just
pip uninstall
it needs to be erased from all the layers
so the goal is correct, having a container without Spark will fix the problem, the way it is being done currently is not the way @gray-shoe-75895
g
Huh interesting - I believe the scanner that we’ve been using (trivy) only scans the final image. What vuln scanner are you using?
m
GCR, Snyk, Grype. Log from Google Marketplace:
```text
acryl-datahub-slim:v0.0.12
  Note: CVE-2022-25168
  Package: org.apache.hadoop:hadoop-common
  Package Type: MAVEN
  Affected Version: 3.2.0
  Fixed Version: 3.2.4
  Note: CVE-2022-37865
  Package: org.apache.ivy:ivy
  Package Type: MAVEN
  Affected Version: 2.4.0
  Fixed Version: 2.5.1
  Note: CVE-2023-22946
  Package: org.apache.spark:spark-core_2.12
  Package Type: MAVEN
  Affected Version: 3.0.3
  Fixed Version: 3.4.0
  Note: CVE-2019-0204
  Package: org.apache.mesos:mesos
  Package Type: MAVEN
  Affected Version: 1.4.0
  Fixed Version: 1.4.3
  Note: CVE-2021-33036
  Package: org.apache.hadoop:hadoop-yarn-server-common
  Package Type: MAVEN
  Affected Version: 3.2.0
  Fixed Version: 3.2.3
  Note: CVE-2022-26612
  Package: org.apache.hadoop:hadoop-common
  Package Type: MAVEN
  Affected Version: 3.2.0
  Fixed Version: 3.2.3
  Note: CVE-2023-24538
  Package: go
  Package Type: GO_STDLIB
  Affected Version: 1.20.2
```
a
Got it - we’ll test out with those scanners cc @brainy-tent-14503
m
my coworker fixed it in a fork @bulky-scientist-8960 , he can provide more info, or maybe PR for you if he wants, or I will with credit to him if he doesn’t
it also affects the datahub-kafka-setup container @gray-shoe-75895, but with a different CVE, same reason why