Fix critical/high CVEs #2143
Comments
Thanks for bringing this up @willholley. Maybe we should have a
@willholley What did you use to do the scan?
(cleared the milestone so that I can close it; but we can add this info to the changelog in retrospect)
@squaremo this was using the IBM Cloud Container Registry, which automatically applies a vulnerability scan. The latest image is currently reporting no issues:
@willholley thanks for the info! We had a scan running when we were still using Quay.io (with a notification to the maintainers), but as we had to move away from Quay.io, this is no longer in place 😞 I will put some thought into an alternative solution.
@hiddeco if it's of any use, the clair-scanner project is pretty useful for this. This project builds a daily DB of vulns, so you can do it all locally via CI.
@awh could the priority be bumped on this please?
This would certainly be a useful part of the build. We don't have a prioritised list of issues to address, at present. @ChipWolf is there a specific CVE that you're hoping to see mitigated?
We're seeing a number of CVEs when scanning the latest image, all related to sqlite-libs + libcurl being out of date. Doesn't look like busybox 3.11 has newer versions of the packages available either. CVE-2019-19646 Additionally, our scanner is flagging CIS_Docker_CE_v1.1.0 - 4.1 - image is built with to run as the root user, vs a less privileged user. Any objections to a PR that would pull in the new libcurl/sqlite-libs from the edge repo, and set a non-root user for running flux? Are there any special privs flux needs if run as non-root?
Nope! Super helpful, thank you.
This is not so easy because of various files having to get the right permissions when mounted (I am thinking of SSH config; may also apply to GPG things). It was attempted before -- quite a while ago -- and no doubt Kubernetes etc., have moved on since then.
There are still high and medium (and low) severity reports described in #3077 From As of
This issue appears to have been resolved by flux v1.21.1, which also closes #3077 I think the idea of adding I don't know if any of these would have been remotely exploitable, maybe worth a mention. Should we put scans into the release process?
We can close this one now without any objections, as #3400 has closed too
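The two changes proposed above (refreshing libcurl and sqlite-libs from the Alpine edge repository, and running the daemon as a non-root user) look like this in a Dockerfile. This is an added illustration written for this thread, not the Flux project's own Dockerfile: the alpine:3.11 base, the UID 1000, the /home/flux paths and the fluxd binary path are all assumptions.

```dockerfile
# Added illustration, not the Flux project's Dockerfile. The base image,
# UID and paths below are assumptions; the pattern is: pull only the two
# packages flagged by the scan from edge/main, then drop to a dedicated
# unprivileged user before the entrypoint runs.
FROM alpine:3.11

# Take libcurl and sqlite-libs from edge/main while every other package
# stays pinned to the 3.11 release repositories.
RUN apk add --no-cache \
      --repository=https://dl-cdn.alpinelinux.org/alpine/edge/main \
      libcurl sqlite-libs

# Dedicated user with a fixed UID so the Kubernetes pod securityContext
# (runAsUser / fsGroup) can refer to the same number. The .ssh directory
# is created and owned by that user, since ssh refuses to use a config or
# key directory it cannot read or that other users can write to.
RUN addgroup -g 1000 -S flux \
 && adduser -u 1000 -S -G flux -h /home/flux flux \
 && mkdir -p /home/flux/.ssh \
 && chown -R flux:flux /home/flux \
 && chmod 700 /home/flux/.ssh

# Hypothetical location of the daemon binary built earlier in the pipeline.
COPY --chown=flux:flux fluxd /usr/local/bin/fluxd

USER flux
ENTRYPOINT ["/usr/local/bin/fluxd"]
```

The permissions problem raised in the comment above shows up at the mount point rather than in the image: files projected from a Kubernetes Secret are owned by root with mode 0644 by default, and ssh rejects a private key that is readable by group or others. A non-root deployment therefore usually copies the key from the mounted Secret into a user-owned 0600 file at startup (or does so in an init container) instead of pointing ssh at the mount directly; the same applies to a GPG keyring.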
Includes a bump from Flux Daemon v1.21.0 to v1.21.1 with release notes here: https://github.com/fluxcd/flux/blob/master/CHANGELOG.md#1211-2021-01-06 Notable changes include update from snap core18 to core20, which includes updates that silence several CVE warnings (fluxcd#2143), and a chart fix setting the memcached service's namespace from Release.Namespace that was omitted before.
Includes a bump from Flux Daemon v1.21.0 to v1.21.1 with release notes here: https://github.com/fluxcd/flux/blob/master/CHANGELOG.md#1211-2021-01-06 Notable changes include update from snap core18 to core20, which includes updates that silence several CVE warnings (fluxcd#2143), and a chart fix setting the memcached service's namespace from Release.Namespace that was omitted before. Signed-off-by: Kingdon Barrett <[email protected]>
The flux:1.12.3 image as published on Docker Hub is currently reporting as vulnerable to the following CVEs:

All issues have been addressed by the upstream packages that introduce them to the container, and building the Dockerfile from source resolves the problem.
This is mostly a note to inform the changelog for the next release (assuming a patch release would be created rather than republishing under the existing tag).