automate CVE patches with copa

[sozercan]

Looks like DRA driver patches CVEs using a conditional in Dockerfile to run package manager tooling
https://github.com/NVIDIA/k8s-dra-driver/blob/main/deployments/container/Dockerfile.ubuntu#L54-L60
https://github.com/NVIDIA/k8s-dra-driver/blob/main/deployments/container/Dockerfile.ubi8#L54-L59

https://github.com/project-copacetic/copacetic is a CNCF sandbox project for a CLI tool for directly patching container images with support for multiple package managers (apt, apk, yum, etc), and distroless images. This can be set up for build time and recurringly with any cadence to automate patching.

Would maintainers be interested in integration or contribution for an integration?

@elezar

[elezar]

Hi @sozercan. That looks interesting.

We currently depend on nvidia/cuda base images across all our components, and often lag on addressing CVEs since these have not been updated or released yet. Using something like the tools you describe to patch these images before consuming them in our projects would be useful.

I have not yet looked into the tooling in detail, but do you have a link on examples for how to automate this in github actions, for example? Note that our images are generally multi-arch images. Do the tools you mention support these too, or would we have to create the multi-arch manifest from the constituent parts after the fact?

cc @ArangoGutierrez @shivamerla @cdesiniotis

[ashnamehrotra]

Hi @elezar here is an example of a Github workflow integrating the copacetic action to automate patching: https://github.com/Azure/azure-workload-identity/blob/main/.github/workflows/patch-images.yaml. Similar to the example, you would have to create the multi-arch manifest after the patching.

[ashnamehrotra]

@elezar I wanted to follow up on this issue. Copa has added multi platform support in the most recent release. Would maintainers be interested in contribution for integration?