This repository has been archived by the owner on Jul 19, 2023. It is now read-only.

CVE on full builder image #625

Closed
4 tasks
aadi555 opened this issue May 10, 2022 · 7 comments

Comments

@aadi555

aadi555 commented May 10, 2022

## What happened?

  • What were you attempting to do?
    CVE Issues found with full builder when building application images
  • What did you expect to happen?
    CVE-2022-1015
  • What was the actual behavior? Please provide log output, if possible.
    https://ubuntu.com/security/CVE-2022-1015

## Build Configuration

  • What platform (pack, kpack, tekton buildpacks plugin, etc.) are you
    using? Please include a version.

  • What buildpacks are you using? Please include versions.

  • What builder are you using? If custom, can you provide the output from pack inspect-builder <builder>?

  • Can you provide a sample app or relevant configuration (buildpack.yml,
    nginx.conf, etc.)?

## Checklist

@robdimsdale
Member

robdimsdale commented May 10, 2022

@paketo-buildpacks/stacks-contributors @paketo-buildpacks/stacks-maintainers (or maybe @paketo-buildpacks/builders-contributors @paketo-buildpacks/builders-maintainers) the linked CVE information (https://ubuntu.com/security/CVE-2022-1015) shows that there is currently no upstream fix yet for bionic.

Am I correct in my understanding that this will be automatically fixed by our automation when there is an upstream fix?

@arjun024
Member

Yes, if an Ubuntu Security Notice (USN) is published for Bionic. I don’t see a USN published for bionic for this CVE https://ubuntu.com/security/notices?order=newest&release=bionic&details=CVE-2022-1015.
On the other hand, they have issued security notices for 20.04 for instance

Once a USN is released for 18.04 it should be picked up by https://github.com/paketo-buildpacks/stack-usns/actions/workflows/get-usns.yml which will be picked up by the stacks and auto-released if there are any relevant packages to be updated.

@aadi555
Author

aadi555 commented May 11, 2022

https://github.com/orgs/paketo-buildpacks/teams/builders-contributors https://github.com/orgs/paketo-buildpacks/teams/builders-maintainers

Have a query. Why is it that our buildpacks are not using the Ubuntu 20.04 version? Is there a specific reason?
Do we have any way to use or tag a specific version of the base or full builder? We are currently working on a project where we adopted buildpacks usage to avoid this kind of vulnerabilities in the image.

@fg-j

fg-j commented May 11, 2022

Have a query. Why is it that our buildpacks are not using the Ubuntu 20.04 version?

We did not prioritize creating 20.04 stacks. However, we are currently working on creating builders that support Ubuntu 2022.04 - Jammy Jellyfish. See this issue: paketo-buildpacks/stacks#133

Do we have any way to use or tag a specific version of the base or full builder?

You can pin to a specific builder version by pulling a specific builder version tag. For example, paketobuildpacks/builder:1.2.3-full will always pull Paketo Full Builder v1.2.3. See the Paketo Buildpacks builder image repository on Dockerhub for more information.
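As an added illustration of the pinning advice above (example code, not part of this thread or the Paketo project), the following check classifies image references the way a CI policy gate would: a `<version>-<variant>` tag such as `1.2.3-full` counts as pinned, a bare variant tag or no tag counts as floating, and it also goes one step further than the comment by recognising `@sha256:` digest pinning. The regex, the sample references and the `RefCheck` type are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Builder tags in the Paketo convention look like "<semver>-<variant>", e.g.
# "1.2.3-full". A bare variant ("full", "base") or "latest" is a floating tag:
# it re-resolves on every pull, so a build that passed a scan yesterday can
# silently pick up a different builder today.
_REF_RE = re.compile(
    r"^(?P<name>[a-z0-9][a-z0-9._/-]*?)"                 # registry/ns/repo (assumes no :port)
    r"(?::(?P<tag>[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}))?"  # optional :tag
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"            # optional @digest
)
_SEMVER_TAG_RE = re.compile(r"^v?\d+\.\d+\.\d+(?:-[A-Za-z0-9.]+)?$")


@dataclass(frozen=True)
class RefCheck:
    ref: str
    kind: str      # "digest", "pinned", "floating" or "invalid"
    reason: str


def classify(ref: str) -> RefCheck:
    """Decide whether an image reference is reproducible across pulls."""
    m = _REF_RE.match(ref.strip())
    if not m:
        return RefCheck(ref, "invalid", "not a parseable image reference")
    tag, digest = m.group("tag"), m.group("digest")
    if digest:
        return RefCheck(ref, "digest", "pinned by content digest; immutable")
    if tag is None:
        return RefCheck(ref, "floating", "no tag; defaults to :latest")
    if _SEMVER_TAG_RE.match(tag):
        return RefCheck(ref, "pinned", f"version tag {tag}")
    return RefCheck(ref, "floating", f"tag {tag!r} is not a version; it moves")


def audit(refs):
    """Return the checks a pinning policy should reject (floating or invalid)."""
    return [c for c in (classify(r) for r in refs) if c.kind in ("floating", "invalid")]


if __name__ == "__main__":
    # Constructed sample references; not taken from the thread.
    SAMPLE = [
        "paketobuildpacks/builder:1.2.3-full",
        "paketobuildpacks/builder:full",
        "paketobuildpacks/builder",
        "paketobuildpacks/builder:full@sha256:" + "0" * 64,
    ]
    for c in audit(SAMPLE):
        print(f"{c.kind:8} {c.ref}: {c.reason}")
```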

@ryanmoran
Member

We have Jammy stacks today. What else remains to close this issue out?

@fg-j

fg-j commented Sep 26, 2022

Looks good to me. @aadi555, anything further you'd like to see?

@aadi555
Author

aadi555 commented Oct 27, 2022

Thanks, will close the issue. However, there are a lot of unwanted packages in the full builder leading to security issues, like the Ruby package. Hope this will be addressed soon. Closing the issue. Thanks @fg-j @ryanmoran

@aadi555 aadi555 closed this as completed Oct 27, 2022