Dev > CaaS > Kubernetes > TAP

Memo on Updating Specific Buildpacks in Tanzu Application Platform

Created on Sun Dec 03 2023 • Last Updated on Sun Dec 03 2023N/A Views

🏷️ Kubernetes | Tanzu Build Service | Tanzu | TAP | kpack

From Tanzu Application Platform 1.6, the ClusterBuildpack CR has been added. Before that, ClusterBuilder was composed of ClusterStore (OS base image) and ClusterStack (Buildpack set). From 1.6, ClusterBuilder is composed of ClusterStore (OS base image) and multiple ClusterBuildpacks. This makes it easier to update individual Buildpacks.

The update method is described here.

Let's give an example. In TAP 1.7.0, the tanzu nodejs buildpack 2.3.1 is installed as a Node.js Buildpack. However, this Buildpack includes Node.js with CVE-2023-39332 (Critical).

In fact, when you build a Node.js Workload in TAP 1.7.0 with the source-test-scan-to-url Supply Chain, vulnerabilities are detected as follows.


With TAP 1.7.0, you have no choice but to ignore CVE-2023-39332 or stop the Supply Chain until a new version of TAP containing a fixed buildpack is released. However, with the introduction of ClusterBuildpack, you can update the ClusterBuilder without waiting for the release of TAP, as long as a new buildpack is released.

In fact, CVE-2023-39332 was fixed in tanzu nodejs buildpack 2.3.2.


Without waiting for the release of TAP, let's apply this tanzu nodejs buildpack 2.3.2.


As of the time of writing this article, tanzu nodejs buildpack 2.3.2 is included in the latest version of TAP, 1.7.1.

First, relocate the Docker image of the buildpack with the imgpkg command. The original image name can be confirmed from Tanzu Net. If you are using lite dependencies, use the one with -lite at the end, and if you are using full dependencies, use the one without -lite.


Here, we will relocate under ghcr.io/making.

imgpkg copy -i registry.tanzu.vmware.com/tanzu-nodejs-buildpack/nodejs:2.3.2 --to-repo ghcr.io/making/tanzu-nodejs-buildpack/nodejs

Specify the relocated image in .spec.image of ClusterBuildpack. The Service Account specified in .spec.serviceAccountRef must have imagePullSecrets set to pull the relocated image. If you don't know, you can check the Service Account used by the existing ClusterBuildpack with kubectl get clusterbuildpack -ojsonpath='{.items[0].spec.serviceAccountRef}'.

The following is an example of updating the tanzu nodejs buildpack to 2.3.2 when using full dependencies. It is better to use a name format that does not overlap with those bundled with TAP. Here, we use out-of-band- as a prefix, as in the documentation.

kubectl apply -f - << 'EOF'
apiVersion: kpack.io/v1alpha2
kind: ClusterBuildpack
  name: out-of-band-nodejs-2.3.2
  image: ghcr.io/making/tanzu-nodejs-buildpack/nodejs:2.3.2
    name: dependencies-pull-serviceaccount
    namespace: tbs-full-deps

If there are multiple buildpacks with the same ID, ClusterBuilder will choose the newer one. As a result, the ClusterBuilder is updated using 2.3.2 instead of the tanzu nodejs buildpack 2.3.1 included in TAP 1.7.0.

When the ClusterBuilder is updated, the images of the Workloads using it are automatically rebuilt. This allows you to pass the vulnerability check of the Supply Chain.


With this method, we were able to update the Buildpack without updating TAP, but please note that there may be errors depending on the version of TAP due to dependencies on the Buildpack API version and SBoM version.

Found a mistake? Update the entry.