Support for distroless in node_exporter

[saurabhvagrawal]

Vulnerability ID: 181818

Hi,

We are running prometheus node-exporter in production and we frequently get OS related vulnerabilities which. This time we got vulnerabilities for openssl and libssl. We want to understand if there is a plan to move to distroless so that we can avoid patching these kind of vulnerabilities in future. I was reading one thread where its mentioned that support for distroless containers will be available soon.

prometheus/node_exporter#2046

Could you please share if its already in plan and if yes, when can we get this new image.

[SuperQ]

This belongs in promu.

[saurabhvagrawal]

What needs to be done to fix these vulnerabilities. Any idea?

[saurabhvagrawal]

What needs to be done to fix these vulnerabilities. Any idea?

@SuperQ : Kind ping.

[SuperQ]

This is a low priority task, as there is no vulnerability. Your security scanner is faulty.

Please do not report raw vulnerability scanner results. They are prone to false positives and cause the Prometheus team toil in verifying. Please verify vulnerability reports and include specific details as to which components are directly exploitable. Please also include a reproduction case.

[SuperQ]

In this specific case, the node_exporter does not openssl or libssl, as the software is written in Go and uses Go's TLS implemenation.

[bastischubert]

distroless image was recently (yesterday) introduced with the release of node_exporter 1.11.0