solo-io / gloo

The Feature-rich, Kubernetes-native, Next-Generation API Gateway Built on Envoy

Home Page: https://docs.solo.io/


Security Alert: 1.13.37

soloio-bot opened this issue · comments

quay.io/solo-io/kubectl:1.13.37

No Vulnerabilities Found for quay.io/solo-io/kubectl:1.13.37 (alpine 3.17.6)

Vulnerabilities Listed for usr/local/bin/kubectl

| Vulnerability ID | Package | Severity | Installed Version | Fixed Version | Reference |
| --- | --- | --- | --- | --- | --- |
| CVE-2023-39325 | stdlib | HIGH | 1.20.6 | 1.20.10, 1.21.3 | https://avd.aquasec.com/nvd/cve-2023-39325 |
| CVE-2023-45283 | stdlib | HIGH | 1.20.6 | 1.20.11, 1.21.4, 1.20.12, 1.21.5 | https://avd.aquasec.com/nvd/cve-2023-45283 |
| CVE-2023-45288 | stdlib | HIGH | 1.20.6 | 1.21.9, 1.22.2 | https://avd.aquasec.com/nvd/cve-2023-45288 |

History

This is a subset of errors that were first encountered in #9443. @sheidkamp opened a PR #9452 to resolve this.

Local Run

When I run the scan locally:

trivy image --severity HIGH,CRITICAL quay.io/solo-io/kubectl:1.13.37

I do not get any errors:

2024-05-28T11:56:22.790-0600    INFO    Need to update DB
2024-05-28T11:56:22.790-0600    INFO    DB Repository: ghcr.io/aquasecurity/trivy-db
2024-05-28T11:56:22.790-0600    INFO    Downloading DB...
47.35 MiB / 47.35 MiB [-----------------------------------------------------------------------] 100.00% 843.68 KiB p/s 58s
2024-05-28T11:57:21.602-0600    INFO    Vulnerability scanning is enabled
2024-05-28T11:57:21.602-0600    INFO    Secret scanning is enabled
2024-05-28T11:57:21.602-0600    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-28T11:57:21.602-0600    INFO    Please see also https://aquasecurity.github.io/trivy/v0.49/docs/scanner/secret/#recommendation for faster secret detection
2024-05-28T11:58:03.596-0600    INFO    Detected OS: alpine
2024-05-28T11:58:03.596-0600    INFO    Detecting Alpine vulnerabilities...
2024-05-28T11:58:03.599-0600    INFO    Number of language-specific files: 0

quay.io/solo-io/kubectl:1.13.37 (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)

I noticed that the version of trivy that I had installed:

➜  gloo git:(sam/nightly-kube-e2e-tests) trivy version
Version: 0.49.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-05-28 12:19:45.019419423 +0000 UTC
  NextUpdate: 2024-05-28 18:19:45.019419193 +0000 UTC
  DownloadedAt: 2024-05-28 17:57:21.602629 +0000 UTC

Did not match the version used in CI (see below):

Using Trivy v0.51.4

I noticed that we actually ignore the vulnerabilities that are reported, so I ran the local scan again:

trivy image --severity HIGH,CRITICAL quay.io/solo-io/kubectl:1.13.37 --ignorefile ./.trivyignore

Again, I saw no vulnerabilities listed (as expected).

Most recent CI run

From the logs of the most recent security scan (logs), I see:

Using Trivy v0.51.4
"level":"debug","ts":"2024-05-27T08:38:16.784Z","caller":"securityscanutils/trivy_scanner.go:77","msg":"Trivy found vulnerabilies after 2.628438615s in quay.io/solo-io/kubectl:1.13.37"

But I don't see any comment on the issue, or update to indicate that the job performed an update.

There is an open conversation around the two approaches we can take to solve this:

  • Update the trivyignore file on the main branch to include the necessary values that our LTS branches require
  • Update our job to run per branch, so that it can checkout the trivyignore for the given branch

I am happy with either direction that is chosen. Given that this is remaining work left over from the previous effort to fix these vulnerabilities, I am assigning this to @sheidkamp.
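Both options above come down to the same question: which `.trivyignore` is in effect when the scan result is evaluated. The script below is an added example, not code from the gloo repository or from Trivy. It applies a `.trivyignore` list to a Trivy JSON report and prints only what still needs attention, so the effect of a given branch's ignore file can be checked independently of the scanner run. The report and ignore file are constructed by hand: the report copies the shape of `trivy image --format json` output (`Results[].Vulnerabilities[]`) with the three stdlib CVEs from the alert table, and the ignore file uses the format Trivy documents for `.trivyignore` (one ID per line, `#` comment lines, optional `exp:YYYY-MM-DD` expiry).

```python
"""Apply a .trivyignore list to a Trivy JSON report and list what still fails.

Added example; not code from gloo or from Trivy. SAMPLE_REPORT and
SAMPLE_IGNORE are constructed inputs (see the lead-in above).
"""
import json
from datetime import date

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed report mirroring the alert for quay.io/solo-io/kubectl:1.13.37.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "quay.io/solo-io/kubectl:1.13.37",
    "Results": [
        {"Target": "quay.io/solo-io/kubectl:1.13.37 (alpine 3.17.6)",
         "Class": "os-pkgs", "Vulnerabilities": None},
        {"Target": "usr/local/bin/kubectl", "Class": "lang-pkgs", "Type": "gobinary",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2023-39325", "PkgName": "stdlib", "Severity": "HIGH",
              "InstalledVersion": "1.20.6", "FixedVersion": "1.20.10, 1.21.3"},
             {"VulnerabilityID": "CVE-2023-45283", "PkgName": "stdlib", "Severity": "HIGH",
              "InstalledVersion": "1.20.6", "FixedVersion": "1.20.11, 1.21.4, 1.20.12, 1.21.5"},
             {"VulnerabilityID": "CVE-2023-45288", "PkgName": "stdlib", "Severity": "HIGH",
              "InstalledVersion": "1.20.6", "FixedVersion": "1.21.9, 1.22.2"},
         ]},
    ],
})

# Constructed .trivyignore, as an LTS branch might carry it.
SAMPLE_IGNORE = """\
# kubectl in this image is built with Go 1.20.6; accepted until the image is rebuilt
CVE-2023-39325
CVE-2023-45283 exp:2024-12-31
"""


def load_ignore(text, today=None):
    """Return the set of vulnerability IDs the ignore file still suppresses.

    `today` is an ISO date string (defaults to the real date). Entries whose
    'exp:' date has passed are dropped, so they surface in the scan again.
    """
    cutoff = date.fromisoformat(today) if today else date.today()
    active = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        expiry = next((t[len("exp:"):] for t in tokens[1:] if t.startswith("exp:")), None)
        if expiry and date.fromisoformat(expiry) < cutoff:
            continue  # expired entry: no longer suppresses the finding
        active.add(tokens[0])
    return active


def unignored_findings(report_json, ignore_text, min_severity="HIGH", today=None):
    """List (target, id, severity, installed, fixed) for findings at or above
    `min_severity` that the ignore file does not suppress."""
    ignored = load_ignore(ignore_text, today)
    threshold = SEVERITY_RANK[min_severity]
    findings = []
    for result in json.loads(report_json).get("Results", []):
        # Trivy emits null rather than [] for targets with no findings.
        for vuln in result.get("Vulnerabilities") or []:
            severity = vuln.get("Severity", "UNKNOWN")
            if SEVERITY_RANK.get(severity, 0) < threshold:
                continue
            if vuln["VulnerabilityID"] in ignored:
                continue
            findings.append((result["Target"], vuln["VulnerabilityID"], severity,
                             vuln.get("InstalledVersion"), vuln.get("FixedVersion")))
    return findings


def scan_passes(report_json, ignore_text, min_severity="HIGH", today=None):
    """True when nothing is left to report; the value a CI gate would act on."""
    return not unignored_findings(report_json, ignore_text, min_severity, today)


if __name__ == "__main__":
    for target, vuln_id, severity, installed, fixed in unignored_findings(
            SAMPLE_REPORT, SAMPLE_IGNORE, today="2024-05-28"):
        print(f"{target}: {vuln_id} {severity} installed={installed} fixed={fixed}")
    print("passes:", scan_passes(SAMPLE_REPORT, SAMPLE_IGNORE, today="2024-05-28"))
```

Keeping the ignore step separate from the scan is also what makes the version mismatch above easy to investigate: save the raw `--format json` output from each Trivy version, diff the reports first, and only then apply the branch's ignore file, so a finding that disappears locally can be attributed either to the scanner version or to a suppression, not both at once.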

Updated the .trivyignore file in main (#9533) and created #9532 for per-LTS branch ignore files.