Add proposal for image patching feature using Copacetic #266
> `jobservice` will be extended with a new job type for image patching. This job will invoke the Copacetic binary to perform the patching and push the new image to the registry.
>
> 5. **UI/UX:** The Harbor portal will be updated with a new section for managing patching policies. A "Patch" button will be added to the image details page to trigger ad-hoc patching.
Note: there may also be a way to get a diff between patched and non-patched image tags.
For example, the nginx non-patched image tag:

```
docker history nginx:1.21.6 --format json --no-trunc
{"Comment":"","CreatedAt":"2022-05-28T05:41:03Z","CreatedBy":"/bin/sh -c #(nop) CMD [\"nginx\" \"-g\" \"daemon off;\"]","CreatedSince":"3 years ago","ID":"sha256:0e901e68141fd02f237cf63eb842529f8a9500636a9419e3cf4fb986b8fe3d5d","Size":"0B"}
{"Comment":"","CreatedAt":"2022-05-28T05:41:03Z","CreatedBy":"/bin/sh -c #(nop) STOPSIGNAL SIGQUIT","CreatedSince":"3 years ago","ID":"\u003cmissing\u003e","Size":"0B"}
{"Comment":"","CreatedAt":"2022-05-28T05:41:03Z","CreatedBy":"/bin/sh -c #(nop) EXPOSE 80","CreatedSince":"3 years ago","ID":"\u003cmissing\u003e","Size":"0B"}
{"Comment":"","CreatedAt":"2022-05-28T05:41:02Z","CreatedBy":"/bin/sh -c #(nop) ENTRYPOINT [\"/docker-
...
```

has a total of 315 CVEs (UNKNOWN: 6, LOW: 23, MEDIUM: 159, HIGH: 104, CRITICAL: 23).
The patched version doesn't have any, and with `docker history` it's possible to get the layers/commands which fixed the CVEs:

```
docker history nginx:1.21.6-patched --format json --no-trunc
{"Comment":"buildkit.exporter.image.v0","CreatedAt":"2025-09-03T16:25:52Z","CreatedBy":"mount / from exec sh -c apt-get install --no-install-recommends -y libxml2 libxslt1.1 mount bsdutils libcom-err2 libfreetype6 libkrb5-3 libkrb5support0 libsepol1 libtasn1-6 libtiff5 libk5crypto3 libmount1 libudev1 libx11-6 ncurses-base perl-base util-linux curl libc6 libgnutls30 libpcre2-8-0 libtirpc-common openssl e2fsprogs libssl1.1 libx11-data login passwd tzdata ucf libblkid1 libc-bin libcurl4 libexpat1 libssh2-1 libtinfo6 ncurses-bin zlib1g libicu67 libnghttp2-14 libsmartcols1 libss2 logsave gpgv libgssapi-krb5-2 libsystemd0 libxpm4 tar libext2fs2 libtirpc3 libuuid1 libwebp6 \u0026\u0026 apt-get clean -y","CreatedSince":"7 minutes ago","ID":"sha256:f60324ee3fd925cc1ef5139abb0f1b26a71c0d4486b99fbb2244105f5ccc6cbc","Size":"93.4MB"}
```

Such comments can be taken along with the timestamp and saved under the tag's Files as a CHANGELOG.
This way users would be able to fetch the changelog of the `-patched` tag and find out what the difference is from the non-patched version.
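The history-diff idea from the comment above, worked through as an added example that is not code from this PR, from Harbor, or from Copacetic: it parses the JSON-lines output of `docker history --format json` for a base tag and its `-patched` tag, keeps only the layers the patched image added, and renders them as the CHANGELOG text the comment proposes. The sample history lines are constructed (modelled on the real output shown in the comment, with the package list shortened), and the type and function names are this example's own. It generalises beyond nginx: the same delta works for any base/patched pair.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
)

// HistoryEntry mirrors one JSON line of `docker history --format json`.
type HistoryEntry struct {
	Comment      string `json:"Comment"`
	CreatedAt    string `json:"CreatedAt"`
	CreatedBy    string `json:"CreatedBy"`
	CreatedSince string `json:"CreatedSince"`
	ID           string `json:"ID"`
	Size         string `json:"Size"`
}

// Constructed sample output (hypothetical, modelled on the comment's real output with
// the package list shortened). Note that the rebuilt -patched image reports
// "<missing>" for inherited layer IDs, which is why IDs are not used as the diff key.
const BaseHistoryJSONL = `{"Comment":"","CreatedAt":"2022-05-28T05:41:03Z","CreatedBy":"/bin/sh -c #(nop) CMD [\"nginx\" \"-g\" \"daemon off;\"]","CreatedSince":"3 years ago","ID":"sha256:0e901e68141fd02f237cf63eb842529f8a9500636a9419e3cf4fb986b8fe3d5d","Size":"0B"}
{"Comment":"","CreatedAt":"2022-05-28T05:41:03Z","CreatedBy":"/bin/sh -c #(nop) EXPOSE 80","CreatedSince":"3 years ago","ID":"\u003cmissing\u003e","Size":"0B"}
`

const PatchedHistoryJSONL = `{"Comment":"buildkit.exporter.image.v0","CreatedAt":"2025-09-03T16:25:52Z","CreatedBy":"mount / from exec sh -c apt-get install --no-install-recommends -y libssl1.1 openssl zlib1g \u0026\u0026 apt-get clean -y","CreatedSince":"7 minutes ago","ID":"sha256:f60324ee3fd925cc1ef5139abb0f1b26a71c0d4486b99fbb2244105f5ccc6cbc","Size":"93.4MB"}
{"Comment":"","CreatedAt":"2022-05-28T05:41:03Z","CreatedBy":"/bin/sh -c #(nop) CMD [\"nginx\" \"-g\" \"daemon off;\"]","CreatedSince":"3 years ago","ID":"\u003cmissing\u003e","Size":"0B"}
{"Comment":"","CreatedAt":"2022-05-28T05:41:03Z","CreatedBy":"/bin/sh -c #(nop) EXPOSE 80","CreatedSince":"3 years ago","ID":"\u003cmissing\u003e","Size":"0B"}
`

// ParseHistory decodes JSON-lines history output, newest layer first as docker prints it.
func ParseHistory(jsonl string) ([]HistoryEntry, error) {
	var entries []HistoryEntry
	sc := bufio.NewScanner(strings.NewReader(jsonl))
	sc.Buffer(make([]byte, 0, 64*1024), 1024*1024) // apt-get layers produce very long lines
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var e HistoryEntry
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return nil, fmt.Errorf("bad history line %q: %w", line, err)
		}
		entries = append(entries, e)
	}
	return entries, sc.Err()
}

// layerKey identifies a layer by when and how it was created, independent of ID,
// because docker history prints "<missing>" for layers whose blobs are not local.
func layerKey(e HistoryEntry) string { return e.CreatedAt + "\x00" + e.CreatedBy }

// PatchDelta returns the layers present in patched but absent from base, oldest
// first, i.e. exactly what the patch job added on top of the original image.
func PatchDelta(base, patched []HistoryEntry) []HistoryEntry {
	known := make(map[string]bool, len(base))
	for _, e := range base {
		known[layerKey(e)] = true
	}
	var delta []HistoryEntry
	for i := len(patched) - 1; i >= 0; i-- { // reverse so the changelog reads chronologically
		if !known[layerKey(patched[i])] {
			delta = append(delta, patched[i])
		}
	}
	return delta
}

// RenderChangelog formats the delta as one "timestamp  command  (size)" line per layer.
func RenderChangelog(delta []HistoryEntry) string {
	var b strings.Builder
	for _, e := range delta {
		fmt.Fprintf(&b, "%s  %s  (%s)\n", e.CreatedAt, e.CreatedBy, e.Size)
	}
	return b.String()
}

// BuildChangelog is the end-to-end helper: two raw history dumps in, CHANGELOG text out.
func BuildChangelog(baseJSONL, patchedJSONL string) (string, error) {
	base, err := ParseHistory(baseJSONL)
	if err != nil {
		return "", err
	}
	patched, err := ParseHistory(patchedJSONL)
	if err != nil {
		return "", err
	}
	return RenderChangelog(PatchDelta(base, patched)), nil
}

func main() {
	changelog, err := BuildChangelog(BaseHistoryJSONL, PatchedHistoryJSONL)
	if err != nil {
		panic(err)
	}
	fmt.Print(changelog)
}
```

Keying on `CreatedAt` plus `CreatedBy` rather than on `ID` matters in practice: a patched image rebuilt through BuildKit reports `<missing>` for every inherited layer, so an ID-based diff would list the whole base image as "new" instead of just the `apt-get install` layer that fixed the CVEs.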
typo in the filename
> ## Open issues (if applicable)
>
> * How should we handle cases where Copacetic is unable to patch an image? Clear feedback should be provided to the user.
We should also note that Copa supports OS-level vulns only at this time, which minimizes backwards-incompatible changes, since OS and package maintainers backport the patches.
Currently, we are working on addressing app-level vulns (starting with Python), and will provide knobs to minimize incompatibilities (such as scoping down to app-level vulns and patch versions for those only). It'll be up to the users to make sure to validate the images for any potential backwards-incompatible changes, since libraries can ship backwards-incompatible changes.
> In both cases, when an image is successfully patched, the new image will be pushed back to the same repository with a `-patched` suffix appended to the original tag (e.g., `my-app:1.0.0` becomes `my-app:1.0.0-patched`).
For future work, it might be good if users can select from a variety of options. We provide guidelines here: https://project-copacetic.github.io/copacetic/website/best-practices