kubernetes-sigs / secrets-store-csi-driver

Secrets Store CSI driver for Kubernetes secrets - Integrates secrets stores with Kubernetes via a CSI volume.

Home Page:https://secrets-store-csi-driver.sigs.k8s.io/

CVEs on base image

dnlopes opened this issue · comments

Hello team,

I just ran Trivy against the latest version and it's reporting 10 vulnerabilities:

[screenshot of the Trivy report]

Used the following CLI:

trivy image --exit-code 1 --ignore-unfixed --severity MEDIUM,HIGH,CRITICAL registry.k8s.io/csi-secrets-store/driver:v1.4.1

Do you have plans to bump the dependencies to address these vulnerabilities? According to the documentation, releases should come out every month, but it seems that has not been the case in recent months.

Thanks.
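As an added example (not code from the driver project or from anyone in this thread), here is a small Python gate that reproduces the decision the Trivy flags above encode, namely `--exit-code 1 --ignore-unfixed --severity MEDIUM,HIGH,CRITICAL`, over reports in Trivy's JSON output shape (`trivy image -f json`), so the same policy can be applied to the driver image and its sidecar images in one CI step; the sample report, its package names and its CVE ids are constructed placeholders.

```python
import json
from typing import Iterable


def failing_findings(report: dict, severities=("MEDIUM", "HIGH", "CRITICAL"),
                     ignore_unfixed=True) -> list:
    """Findings that would make `trivy image --exit-code 1 --ignore-unfixed --severity ...` fail.

    A finding counts only if its severity is in `severities` and, with ignore_unfixed,
    only if upstream has published a FixedVersion (i.e. a rebuild can actually remove it).
    """
    wanted = {s.upper() for s in severities}
    hits = []
    for result in report.get("Results", []):
        # Trivy omits "Vulnerabilities" entirely for a clean target.
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("Severity", "UNKNOWN").upper() not in wanted:
                continue
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            hits.append({"image": report.get("ArtifactName"), "target": result.get("Target"),
                         "id": vuln.get("VulnerabilityID"), "pkg": vuln.get("PkgName"),
                         "installed": vuln.get("InstalledVersion"),
                         "fixed": vuln.get("FixedVersion"), "severity": vuln["Severity"].upper()})
    return hits


def gate(reports: Iterable[dict], **policy) -> int:
    """Exit code for a set of per-image reports: 1 if any image has a failing finding."""
    return 1 if any(failing_findings(r, **policy) for r in reports) else 0


def load_report(path: str) -> dict:
    """Read one `trivy image -f json -o <path> <image>` report from disk."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


# Constructed sample reports (placeholder ids and packages, not real findings).
SAMPLE_DRIVER = {
    "ArtifactName": "registry.k8s.io/csi-secrets-store/driver:v1.4.1",
    "Results": [{"Target": "driver (debian 12)", "Class": "os-pkgs", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-00001", "PkgName": "libfoo", "InstalledVersion": "1.0-1",
         "FixedVersion": "1.0-2", "Severity": "HIGH"},                       # fails the gate
        {"VulnerabilityID": "CVE-0000-00002", "PkgName": "libbar", "InstalledVersion": "2.1",
         "FixedVersion": "", "Severity": "CRITICAL"},                        # unfixed: ignored
        {"VulnerabilityID": "CVE-0000-00003", "PkgName": "libbaz", "InstalledVersion": "0.9",
         "FixedVersion": "0.9.1", "Severity": "LOW"},                        # below threshold
    ]}]}
SAMPLE_SIDECAR = {"ArtifactName": "example.invalid/sidecar:v2.10.0",
                  "Results": [{"Target": "sidecar (alpine)", "Class": "os-pkgs"}]}  # clean
```

Dropping `ignore_unfixed` (or passing `ignore_unfixed=False`) surfaces the unfixed CRITICAL as well, which is the view to use when deciding whether a base-image change rather than a package bump is needed.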

The next patch release is planned for early next week.

Awesome, good to know that. What about the cadence of patches? Is the documentation outdated? Is it a matter of lack of capacity of the maintainers of the project? Or something else? Are you looking for hands on maintaining the project?

Thanks.

That is great news that a patch release is being done next week. Does this include bumping the minor versions of node-driver-registrar from 2.8.0 to v2.9.3 and livenessprobe from v2.10.0 to v2.11.0, as these are reporting vulnerabilities as well?

If this is being considered already, that is amazing; if not, I do not mind doing a PR tomorrow to include it, if that would help.

> Awesome, good to know that. What about the cadence of patches? Is the documentation outdated? Is it a matter of lack of capacity of the maintainers of the project? Or something else? Are you looking for hands on maintaining the project?

The document is up-to-date. The maintainers have just been busy with the Kubernetes v1.30 release work, but we'll be releasing every month to patch CVEs as mentioned in the doc. We're happy to have new contributors, and if you're interested in contributing in any way to the project, feel free to ping me on the Kubernetes Slack.

> That is great news that a patch release is being done next week. Does this include bumping the minor versions of node-driver-registrar from 2.8.0 to v2.9.3 and livenessprobe from v2.10.0 to v2.11.0, as these are reporting vulnerabilities as well?

Yes, this will be included in the helm chart patch release next week.

Thanks for the patience. https://github.com/kubernetes-sigs/secrets-store-csi-driver/releases/tag/v1.4.2 has been released.

Closing this issue now. As per cadence, the next release will be next month.

/close

@aramase: Closing this issue.

In response to this:

> Thanks for the patience. https://github.com/kubernetes-sigs/secrets-store-csi-driver/releases/tag/v1.4.2 has been released.
>
> Closing this issue now. As per cadence, the next release will be next month.
>
> /close
