
docker image vulnerabilities with sonobuoy #2025

@v-vegujjula

Description

What steps did you take and what happened:
Hi Team,
We’ve observed that our ACR Docker images are under compliance review and need to be cleaned and rebuilt. Previously, we were using the base image mcr.microsoft.com/cbl-mariner/base/python:3.9, but we’ve now noted that this image will reach End of Life (EOL) on July 31, 2025.

As part of the remediation, I’ve updated the base image to mcr.microsoft.com/azurelinux/base/python:3.12 along with sonobuoy version v0.57.3. However, after rebuilding, vulnerabilities are still being reported for sonobuoy.

Please suggest how to overcome this.

What did you expect to happen:
Vulnerability free.

Anything else you would like to add:
Please refer to the attached screenshot and document for more information.

[screenshot attached]

Environment:

```text
$ sonobuoy version
Sonobuoy Version: v0.57.3
MinimumKubeVersion: 1.17.0
MaximumKubeVersion: 1.99.99
GitSHA: a988242
GoVersion: go1.23.6
Platform: linux/amd64
API Version check skipped due to missing --kubeconfig or other error

root [ / ]# kubectl version
Client Version: v1.32.0-alpha.0
Kustomize Version: v5.4.2
Server Version: v1.32.5
```

Sample Dockerfile (Sonobuoy version is v0.57.3, passed in as the build argument SONOBUOY_VERSION=0.57.3):

```dockerfile
FROM mcr.microsoft.com/azurelinux/base/python:3.12

RUN tdnf makecache && tdnf update -y && tdnf install -y tar ca-certificates jq
RUN tdnf install -y azure-cli

# kubectl: latest.txt resolves to whatever release is current at build time,
# so this version is not pinned and can change between builds.
RUN /usr/bin/curl -LO https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/latest.txt)/bin/linux/amd64/kubectl \
    && chmod +x ./kubectl \
    && mv ./kubectl /usr/local/bin/kubectl

COPY ./arc_agent_cleanup/requirements.txt ./
# The PAT is read from a BuildKit secret, so it is not baked into an image layer.
# Caveats: the `cat pip.conf` below echoes the token into the build log, and
# trusted-host makes pip accept pkgs.dev.azure.com without a valid TLS
# certificate, which should not be needed once ca-certificates is installed.
# The host part of index_url is reconstructed from the trusted-host line; the
# posted copy of that URL was garbled by email obfuscation.
RUN --mount=type=secret,id=ado_pat,target=/run/secrets/ado_pat \
    token=$(cat /run/secrets/ado_pat) && \
    index_url="https://ArcValidationPackages:${token}@pkgs.dev.azure.com/ArcValidationProgram/ArcValidationProgram/_packaging/ArcValidationPackages/pypi/simple/" && \
    mkdir -p ~/.config/pip && \
    echo "[global]" > ~/.config/pip/pip.conf && \
    echo "index-url = $index_url" >> ~/.config/pip/pip.conf && \
    echo "extra-index-url = $index_url" >> ~/.config/pip/pip.conf && \
    echo "trusted-host = pkgs.dev.azure.com" >> ~/.config/pip/pip.conf && \
    cat ~/.config/pip/pip.conf && \
    pip install --upgrade -r requirements.txt

# Manually download and install Helm (pinned to v3.17.4)
RUN curl -sSL https://get.helm.sh/helm-v3.17.4-linux-amd64.tar.gz -o helm.tar.gz && \
    tar -xzf helm.tar.gz && \
    mv linux-amd64/helm /usr/local/bin/helm && \
    rm -rf linux-amd64 helm.tar.gz

# Verify Helm installation
RUN helm version

# Redundant with the pinned install above: the get-helm-3 script would
# overwrite /usr/local/bin/helm with whatever the latest release is.
# RUN curl https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | bash && helm version

ARG SONOBUOY_VERSION

# Fetch the release tarball for the requested version (the tag is v-prefixed,
# the asset name is not) and unpack the binary into /bin. Nothing here verifies
# a checksum or signature of the download.
RUN curl -L https://github.com/vmware-tanzu/sonobuoy/releases/download/v${SONOBUOY_VERSION}/sonobuoy_${SONOBUOY_VERSION}_linux_amd64.tar.gz --output /tmp/sonobuoy.tar.gz && \
    tar -xzf /tmp/sonobuoy.tar.gz -C /bin/ && \
    rm /tmp/sonobuoy.tar.gz

COPY ./arc_agent_cleanup/arc_agent_cleanup.sh /
COPY ./arc_agent_cleanup/cleanup.py /
COPY ./common/results_utility.py /
COPY ./common/constants.py /
COPY ./common/kubernetes_namespace_utility.py /
COPY ./common/helm_utility.py /
COPY ./common/kubernetes_pod_utility.py /
COPY ./common/connected_cluster_utility.py /
COPY ./common/arm_rest_utility.py /
COPY ./common/setup_failure_handler.py /

RUN ["chmod", "+x", "/arc_agent_cleanup.sh"]

# Absolute path: the script was copied to /, and the base image's WORKDIR is
# not necessarily /, so a relative ./ entrypoint could fail to resolve.
ENTRYPOINT ["/arc_agent_cleanup.sh"]
```
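Why swapping the base image does not change what a scanner reports for sonobuoy: image scanners such as Trivy and Grype identify Go binaries by the build information the Go linker embeds in them (the toolchain version and the module list, the same data `go version -m /bin/sonobuoy` prints) and match that against advisories. The finding therefore belongs to the sonobuoy release and the toolchain it was compiled with (go1.23.6 according to the version output above), not to the Azure Linux layer underneath it. The following is an added example, not code from this issue or from the Sonobuoy project: a Python parser for that embedded build info (the Go 1.18+ inline layout read by Go's debug/buildinfo package) and a check that flags a binary compiled with a toolchain older than a minimum you supply. The sample blob, its dependency list and the minimum version are constructed for the example; whether go1.23.6 itself has open advisories is not stated on this page, so confirm with `govulncheck -mode=binary /bin/sonobuoy` before deciding that a newer Sonobuoy release is the fix.

```python
"""Read the build info embedded in a Go 1.18+ binary and flag an old toolchain."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Header layout written by the Go linker (see Go's debug/buildinfo package):
#   bytes 0..13   magic "\xff Go buildinf:"
#   byte 14       pointer size of the target
#   byte 15       flags; bit 0x2 set => version and modinfo follow inline
#   offset 32     uvarint length + Go version string,
#                 then uvarint length + module-info string
BUILDINFO_MAGIC = b"\xff Go buildinf:"
BUILDINFO_HEADER_SIZE = 32
FLAG_VERSION_INLINE = 0x2
# The module-info string is framed by these sentinels (cmd/go infoStart/infoEnd).
MODINFO_START = b"\x30\x77\xaf\x0c\x92\x74\x08\x02\x41\xe1\xc1\x07\xe6\xd6\x18\xe6"
MODINFO_END = b"\xf9\x32\x43\x31\x86\x18\x20\x72\x00\x82\x42\x10\x41\x16\xd8\xf2"


@dataclass
class GoBuildInfo:
    go_version: str
    main_path: str = ""
    deps: List[Tuple[str, str]] = field(default_factory=list)  # (module, version)
    settings: Dict[str, str] = field(default_factory=dict)


def _read_uvarint(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode an unsigned LEB128 varint at buf[pos]; return (value, next pos)."""
    result, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if b < 0x80:
            return result, pos
        shift += 7


def _read_string(buf: bytes, pos: int) -> Tuple[bytes, int]:
    length, pos = _read_uvarint(buf, pos)
    return buf[pos:pos + length], pos + length


def parse_go_buildinfo(blob: bytes) -> Optional[GoBuildInfo]:
    """Return the embedded build info, or None if this is not a Go 1.18+ binary."""
    start = blob.find(BUILDINFO_MAGIC)
    if start < 0:
        return None
    if not blob[start + 15] & FLAG_VERSION_INLINE:
        return None  # pre-1.18 pointer-based layout: not handled here
    pos = start + BUILDINFO_HEADER_SIZE
    version, pos = _read_string(blob, pos)
    mod, _ = _read_string(blob, pos)
    # Same framing check the Go runtime applies before trusting the module info.
    if len(mod) >= 33 and mod[-17] == ord("\n"):
        mod = mod[16:-16]
    else:
        mod = b""
    info = GoBuildInfo(go_version=version.decode())
    for line in mod.decode().splitlines():  # tab-separated: key, then fields
        fields = line.split("\t")
        if fields[0] == "path" and len(fields) > 1:
            info.main_path = fields[1]
        elif fields[0] == "dep" and len(fields) > 2:
            info.deps.append((fields[1], fields[2]))
        elif fields[0] == "build" and len(fields) > 1:
            key, _, value = fields[1].partition("=")
            info.settings[key] = value
    return info


def go_version_tuple(version: str) -> Tuple[int, int, int]:
    """'go1.23.6' -> (1, 23, 6); 'go1.23' -> (1, 23, 0); rc/beta suffixes ignored."""
    m = re.match(r"go(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised Go version string: {version!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def toolchain_is_older_than(info: GoBuildInfo, minimum: str) -> bool:
    """True if the binary was compiled with a Go release below `minimum`."""
    return go_version_tuple(info.go_version) < go_version_tuple(minimum)


def make_buildinfo_blob(go_version: str, modinfo_text: str) -> bytes:
    """Constructed fixture: emit the inline buildinfo layout the parser expects."""
    def uvarint(n: int) -> bytes:
        out = bytearray()
        while True:
            b, n = n & 0x7F, n >> 7
            out.append(b | 0x80 if n else b)
            if not n:
                return bytes(out)
    mod = MODINFO_START + modinfo_text.encode() + MODINFO_END
    header = BUILDINFO_MAGIC + bytes([8, FLAG_VERSION_INLINE])
    header += b"\x00" * (BUILDINFO_HEADER_SIZE - len(header))
    return (b"\x7fELF-padding-" + header + uvarint(len(go_version))
            + go_version.encode() + uvarint(len(mod)) + mod + b"\x00" * 8)


# Constructed sample modinfo: the module path matches sonobuoy, but the
# dependency and revision lines are invented for the example.
SAMPLE_MODINFO = (
    "path\tgithub.com/vmware-tanzu/sonobuoy\n"
    "mod\tgithub.com/vmware-tanzu/sonobuoy\t(devel)\t\n"
    "dep\texample.com/fake/dep\tv0.0.1\th1:fake\n"
    "build\tvcs.revision=a988242\n"
)
```

Point `parse_go_buildinfo` at the bytes of the real /bin/sonobuoy from the built image and you will see the same version and module list the scanner keys on. Nothing in the Dockerfile changes that output; only a Sonobuoy release built with a newer toolchain (or a build from source with one) does.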
