Security Alert: 1.13.37
soloio-bot opened this issue
quay.io/solo-io/kubectl:1.13.37
No Vulnerabilities Found for quay.io/solo-io/kubectl:1.13.37 (alpine 3.17.6)
Vulnerabilities Listed for usr/local/bin/kubectl
| Vulnerability ID | Package | Severity | Installed Version | Fixed Version | Reference |
|---|---|---|---|---|---|
| CVE-2023-39325 | stdlib | HIGH | 1.20.6 | 1.20.10, 1.21.3 | https://avd.aquasec.com/nvd/cve-2023-39325 |
| CVE-2023-45283 | stdlib | HIGH | 1.20.6 | 1.20.11, 1.21.4, 1.20.12, 1.21.5 | https://avd.aquasec.com/nvd/cve-2023-45283 |
| CVE-2023-45288 | stdlib | HIGH | 1.20.6 | 1.21.9, 1.22.2 | https://avd.aquasec.com/nvd/cve-2023-45288 |
History
This is a subset of errors that were first encountered in #9443. @sheidkamp opened a PR #9452 to resolve this.
Local Run
When I run the scan locally:
trivy image --severity HIGH,CRITICAL quay.io/solo-io/kubectl:1.13.37
I do not get any errors:
2024-05-28T11:56:22.790-0600 INFO Need to update DB
2024-05-28T11:56:22.790-0600 INFO DB Repository: ghcr.io/aquasecurity/trivy-db
2024-05-28T11:56:22.790-0600 INFO Downloading DB...
47.35 MiB / 47.35 MiB [-----------------------------------------------------------------------] 100.00% 843.68 KiB p/s 58s
2024-05-28T11:57:21.602-0600 INFO Vulnerability scanning is enabled
2024-05-28T11:57:21.602-0600 INFO Secret scanning is enabled
2024-05-28T11:57:21.602-0600 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-28T11:57:21.602-0600 INFO Please see also https://aquasecurity.github.io/trivy/v0.49/docs/scanner/secret/#recommendation for faster secret detection
2024-05-28T11:58:03.596-0600 INFO Detected OS: alpine
2024-05-28T11:58:03.596-0600 INFO Detecting Alpine vulnerabilities...
2024-05-28T11:58:03.599-0600 INFO Number of language-specific files: 0
quay.io/solo-io/kubectl:1.13.37 (alpine 3.17.6)
Total: 0 (HIGH: 0, CRITICAL: 0)
I noticed that the version of trivy that I had installed:
➜ gloo git:(sam/nightly-kube-e2e-tests) trivy version
Version: 0.49.1
Vulnerability DB:
Version: 2
UpdatedAt: 2024-05-28 12:19:45.019419423 +0000 UTC
NextUpdate: 2024-05-28 18:19:45.019419193 +0000 UTC
DownloadedAt: 2024-05-28 17:57:21.602629 +0000 UTC
Did not match the version used in CI (see below):
Using Trivy v0.51.4
I noticed that we actually ignore the vulnerabilities that are reported, so I ran the local scan again:
trivy image --severity HIGH,CRITICAL quay.io/solo-io/kubectl:1.13.37 --ignorefile ./.trivyignore
Again, I saw no vulnerabilities listed (as expected).
Most recent CI run
From the logs of the most recent security scan (logs), I see:
Using Trivy v0.51.4
{"level":"debug","ts":"2024-05-27T08:38:16.784Z","caller":"securityscanutils/trivy_scanner.go:77","msg":"Trivy found vulnerabilies after 2.628438615s in quay.io/solo-io/kubectl:1.13.37"}
But I don't see any comment on the issue, or any update to indicate that the job performed an update.
There is an open conversation around the two approaches we can take to solve this:
- Update the trivyignore file on the main branch to include the necessary values that our LTS branches require
- Update our job to run per branch, so that it can check out the trivyignore for the given branch
I am happy with either direction that is chosen. Given that this is remaining work left over from the previous effort to fix these vulnerabilities, I am assigning this to @sheidkamp
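The discrepancy above comes down to which `.trivyignore` the scan is run against: the three stdlib findings are only silenced when their IDs are present in the ignore file that the job checks out. The following added example (not code from the gloo project's `securityscanutils`) applies a `.trivyignore` to a Trivy JSON report the way the CLI does, so the effect of an ignore file that is missing an ID can be seen without running Trivy. It assumes Trivy's documented JSON layout (`Results[].Target`, `Results[].Vulnerabilities[].VulnerabilityID`, `Severity`, `PkgName`, `InstalledVersion`, `FixedVersion`) and the `.trivyignore` format of one ID per line with `#` comments; the report and ignore file are constructed samples built from the table in this issue.

```python
import json

# Constructed sample of Trivy's JSON output for the image in this issue, built
# from the table above. The exact fields the project's CI sees are an
# assumption beyond the documented Trivy JSON layout.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "quay.io/solo-io/kubectl:1.13.37",
    "Results": [
        {
            "Target": "quay.io/solo-io/kubectl:1.13.37 (alpine 3.17.6)",
            "Class": "os-pkgs",
            "Vulnerabilities": [],
        },
        {
            "Target": "usr/local/bin/kubectl",
            "Class": "lang-pkgs",
            "Type": "gobinary",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-2023-39325", "PkgName": "stdlib", "Severity": "HIGH",
                 "InstalledVersion": "1.20.6", "FixedVersion": "1.20.10, 1.21.3"},
                {"VulnerabilityID": "CVE-2023-45283", "PkgName": "stdlib", "Severity": "HIGH",
                 "InstalledVersion": "1.20.6", "FixedVersion": "1.20.11, 1.21.4, 1.20.12, 1.21.5"},
                {"VulnerabilityID": "CVE-2023-45288", "PkgName": "stdlib", "Severity": "HIGH",
                 "InstalledVersion": "1.20.6", "FixedVersion": "1.21.9, 1.22.2"},
            ],
        },
    ],
})

# Constructed .trivyignore that covers only the two older findings, standing in
# for a main-branch ignore file that predates the third CVE.
SAMPLE_IGNOREFILE = """\
# Go stdlib findings carried by the kubectl binary (constructed sample)
CVE-2023-39325
CVE-2023-45283
"""


def parse_ignorefile(text):
    """Return the set of vulnerability IDs listed in a .trivyignore.

    Lines starting with '#' are comments and blank lines are skipped; the
    first whitespace-separated field of each remaining line is the ID.
    """
    ignored = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ignored.add(line.split()[0])
    return ignored


def filter_report(report_json, ignorefile_text, severities=("HIGH", "CRITICAL")):
    """Return the findings that would still be reported after filtering.

    A finding survives when its severity is in `severities` (the CI run uses
    --severity HIGH,CRITICAL) and its ID is not listed in the ignore file.
    """
    ignored = parse_ignorefile(ignorefile_text)
    wanted = {s.upper() for s in severities}
    remaining = []
    for result in json.loads(report_json).get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("Severity", "").upper() not in wanted:
                continue
            if vuln["VulnerabilityID"] in ignored:
                continue
            remaining.append({"Target": result.get("Target"), **vuln})
    return remaining


def summarize(findings, severities=("HIGH", "CRITICAL")):
    """Count surviving findings per severity, in the shape of Trivy's 'Total' line."""
    counts = {s: 0 for s in severities}
    for finding in findings:
        counts[finding["Severity"]] = counts.get(finding["Severity"], 0) + 1
    return counts


if __name__ == "__main__":
    cases = (
        ("main-branch ignore file", SAMPLE_IGNOREFILE),
        ("ignore file extended with CVE-2023-45288", SAMPLE_IGNOREFILE + "CVE-2023-45288\n"),
    )
    for label, ignore_text in cases:
        left = filter_report(SAMPLE_REPORT, ignore_text)
        print(f"{label}: {summarize(left)}")
        for finding in left:
            print(f"  {finding['VulnerabilityID']} {finding['PkgName']} "
                  f"{finding['Severity']} in {finding['Target']}")
```

Run against the first ignore file the script leaves CVE-2023-45288 reported, which is the situation a job that only ever checks out main's `.trivyignore` would hit for an LTS branch; once the ID is added (or the branch's own ignore file is used) the HIGH count drops to 0, matching the local run above.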