-
Notifications
You must be signed in to change notification settings - Fork 547
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
rebase: fix CVEs in the image #3526
Conversation
@Madhu-1 this PR should fix most of the ceph csi image specific vulnarabilities reported in the scan. Can you take a look at this in priority? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Most of these are simple rebases, they should not be combined in the same PR with fixes for CVE's. For a CVE fix, you'll need to state the CVE numbers as well.
api/go.mod
Outdated
@@ -1,10 +1,32 @@ | |||
module github.com/ceph/ceph-csi/api | |||
|
|||
go 1.16 | |||
go 1.18 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This requires consumers of the API to use Go 1.18. Ideally we provide the API for the lpwest, still supported Go version?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
no.., 1.16 and 1.17 are unsupported or already hit EOL.
@nixpanic I have mentioned which CVEs and kept only that change in the PR. ptal. |
Indeed these are different areas and small. But I have already put into seperate commits eventhough its a single PR. More or less, I didnt see value running different CI tests and wasting resources for each of this change , so combined into one PR. Regardless I am splitting this to different PRs now. |
Why the urgency for these? CVE-2022-27664: http server issue after |
@nixpanic all the security reports against Ceph CSI report this vulnerability. Unfortunately even security reports run on projects which consume Ceph CSI image also list down these vulnerabilities and this has been reported by those maintainers too. One example here is CNCF project Rook. |
Sure, lots of security scanners report issues with container images because vulnerable code is included. But if the code is not used, there is no urgency to update it. This isn't only for Go packages, but also for the RPMs that come with the OS base container image. Explaining why a CVE needs to be fixed is important for prioritization, and shows that reported CVEs are taking seriously. A quick glance does not give me a hint that this can be exploited, so for me this has the same priority as a normal rebase of a dependency. |
@Mergifyio rebase |
This commit update dependencies which is required to fix below CVEs. CVE-2022-27664 CVE-2022-27191 Signed-off-by: Humble Chirammal <[email protected]>
✅ Branch has been successfully rebased |
/test ci/centos/k8s-e2e-external-storage/1.23 |
/test ci/centos/k8s-e2e-external-storage/1.24 |
/test ci/centos/k8s-e2e-external-storage/1.25 |
/test ci/centos/mini-e2e-helm/k8s-1.23 |
/test ci/centos/mini-e2e-helm/k8s-1.24 |
/test ci/centos/mini-e2e-helm/k8s-1.25 |
/test ci/centos/mini-e2e/k8s-1.23 |
/test ci/centos/mini-e2e/k8s-1.24 |
/test ci/centos/mini-e2e/k8s-1.25 |
/test ci/centos/upgrade-tests-cephfs |
/test ci/centos/upgrade-tests-rbd |
/retest ci/centos/mini-e2e-helm/k8s-1.24 |
@Mergifyio requeue |
❌ This pull request head commit has not been previously disembarked from queue. |
/test ci/centos/k8s-e2e-external-storage/1.23 |
/test ci/centos/k8s-e2e-external-storage/1.24 |
/test ci/centos/k8s-e2e-external-storage/1.25 |
/test ci/centos/mini-e2e-helm/k8s-1.23 |
/test ci/centos/mini-e2e-helm/k8s-1.24 |
/test ci/centos/mini-e2e-helm/k8s-1.25 |
/test ci/centos/mini-e2e/k8s-1.23 |
/test ci/centos/mini-e2e/k8s-1.24 |
/test ci/centos/mini-e2e/k8s-1.25 |
/test ci/centos/upgrade-tests-cephfs |
/test ci/centos/upgrade-tests-rbd |
This commit update dependencies which is required to fix below CVEs.
Signed-off-by: Humble Chirammal [email protected]