Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Updated KUBECTL_VERSION to 1.31.0 for fixing vulnerabilities #1690

Merged
merged 10 commits into from
Oct 3, 2024

Conversation

jdesouza
Copy link
Contributor

@jdesouza jdesouza commented Sep 25, 2024

usr/local/bin/kubectl (gobinary)

Total: 3 (HIGH: 2, CRITICAL: 1)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                           Title                            │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-24790 │ CRITICAL │ fixed  │ 1.21.7            │ 1.21.11, 1.22.4 │ golang: net/netip: Unexpected behavior from Is methods for │
│         │                │          │        │                   │                 │ IPv4-mapped IPv6 addresses                                 │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24790                 │
│         ├────────────────┼──────────┤        │                   ├─────────────────┼────────────────────────────────────────────────────────────┤
│         │ CVE-2023-45288 │ HIGH     │        │                   │ 1.21.9, 1.22.2  │ golang: net/http, x/net/http2: unlimited number of         │
│         │                │          │        │                   │                 │ CONTINUATION frames causes DoS                             │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2023-45288                 │
│         ├────────────────┤          │        │                   ├─────────────────┼────────────────────────────────────────────────────────────┤
│         │ CVE-2024-34156 │          │        │                   │ 1.22.7, 1.23.1  │ encoding/gob: golang: Calling Decoder.Decode on a message  │
│         │                │          │        │                   │                 │ which contains deeply nested structures...                 │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-34156                 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴────────────────────────────────────────────────────────────┘

@jdesouza jdesouza changed the title Bumped Go to 1.22.7 for fixing Critical/High vulberabilities Bumped Go to 1.22.7 for fixing High vulberability Sep 25, 2024
@jdesouza jdesouza changed the title Bumped Go to 1.22.7 for fixing High vulberability Bumped Go to 1.22.7 for fixing High vulnerability Sep 25, 2024
@mozillazg
Copy link
Collaborator

@jdesouza Thanks for your contribution! It looks like this issue was fixed via #1687

@jdesouza
Copy link
Contributor Author

Looks good although a kubectl vulnerability is likely to remain

@mozillazg
Copy link
Collaborator

Looks good although a kubectl vulnerability is likely to remain

@jdesouza Could you please update this PR to upgrade only the kubectl version? Thanks!

@jdesouza
Copy link
Contributor Author

Looks good although a kubectl vulnerability is likely to remain

@jdesouza Could you please update this PR to upgrade only the kubectl version? Thanks!

WDYT now?

Copy link
Collaborator

@afdesk afdesk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! Thanks!

@mozillazg wdyt?

go.mod Outdated
@@ -1,6 +1,6 @@
module github.com/aquasecurity/kube-bench

go 1.22
go 1.22.7
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IMHO, we should avoid updating this version in the go.mod file. This change will force all developers (including kube-bench maintainers and downstream project developers) to download go >=1.22.7.

@afdesk wdyt?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@mozillazg I definitely agree with you!
my point was that we already use Go 1.22.7 for building in pipelines.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the review! Just reverted the go change. Now we have just the kubectl update

@afdesk
Copy link
Collaborator

afdesk commented Oct 3, 2024

Alpine version was alredy bumped via #1676

@jdesouza jdesouza changed the title Bumped Go to 1.22.7 for fixing High vulnerability Updated KUBECTL_VERSION to 1.31.0 for fixing vulnerabilities Oct 3, 2024
@afdesk afdesk merged commit e75cd6b into aquasecurity:main Oct 3, 2024
5 checks passed
@afdesk
Copy link
Collaborator

afdesk commented Oct 3, 2024

@jdesouza @mozillazg thanks for your efforts!

deebhatia pushed a commit to VoerEirAB/kube-bench that referenced this pull request Oct 14, 2024
…urity#1690)

* Bumped Go to 1.22.7 for fixing Critical/High vulberabilities

* Bumped Go to 1.22.7 for fixing Critical/High vulberabilities

* Bumped kubectl version for fixing vulnerabilities

* Fixed kubectl version

* Update go.mod
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants