Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: CVE-2024-38428 remove wget to close vuln, reduce image size #2067

Merged
merged 2 commits into from
Aug 26, 2024
Merged

fix: CVE-2024-38428 remove wget to close vuln, reduce image size #2067

merged 2 commits into from
Aug 26, 2024

Conversation

sdx-jkataja
Copy link
Contributor

@sdx-jkataja sdx-jkataja commented Aug 23, 2024
edited
Loading

What type of PR is this?
/kind bug

What this PR does / why we need it:
Remove wget from image to close CVE-2024-38428. Edit: vulnerable binary is no longer present in intermediate layers.
Build Docker image in stages, resulting in a smaller image with fewer layers (size reduction 35 MB).

Which issue(s) this PR fixes:
Fixes #

Requirements:

Special notes for your reviewer:

Release note:

none

@k8s-ci-robot k8s-ci-robot added kind/bug Categorizes issue or PR as related to a bug. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Aug 23, 2024
@k8s-ci-robot
Copy link
Contributor

Welcome @sdx-jkataja!

It looks like this is your first PR to kubernetes-sigs/azurefile-csi-driver 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/azurefile-csi-driver has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

@k8s-ci-robot
Copy link
Contributor

Hi @sdx-jkataja. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Aug 23, 2024
@k8s-ci-robot k8s-ci-robot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Aug 23, 2024
@andyzhangx
Copy link
Member

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Aug 24, 2024
@andyzhangx
Copy link
Member

/retest

@andyzhangx
Copy link
Member

/retest

1 similar comment
@andyzhangx
Copy link
Member

/retest

@andyzhangx andyzhangx changed the title CVE-2024-38428 remove wget to close vuln, reduce image size fix: CVE-2024-38428 remove wget to close vuln, reduce image size Aug 25, 2024
@andyzhangx
Copy link
Member

/retest

1 similar comment
@andyzhangx
Copy link
Member

/retest

andyzhangx
andyzhangx approved these changes Aug 26, 2024
View reviewed changes
Copy link
Member

@andyzhangx andyzhangx left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

thanks for the fix! I have made a little change to remove --fail parameter in curl to let it fail directly if there is package download failure.

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: andyzhangx, sdx-jkataja

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added lgtm "Looks good to me", indicates that a PR is ready to be merged. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Aug 26, 2024
@andyzhangx andyzhangx merged commit 0e0b26b into kubernetes-sigs:master Aug 26, 2024
23 of 24 checks passed
@andyzhangx
Copy link
Member

/cherrypick release-1.30

@andyzhangx
Copy link
Member

/cherrypick release-1.29

@andyzhangx
Copy link
Member

/cherrypick release-1.28

@k8s-infra-cherrypick-robot
Copy link

@andyzhangx: new pull request created: #2068

In response to this:

/cherrypick release-1.30

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-infra-cherrypick-robot k8s-infra-cherrypick-robot mentioned this pull request Aug 26, 2024
Merged
@k8s-infra-cherrypick-robot k8s-infra-cherrypick-robot mentioned this pull request Aug 26, 2024
Merged
@k8s-infra-cherrypick-robot
Copy link

@andyzhangx: new pull request created: #2069

In response to this:

/cherrypick release-1.29

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-infra-cherrypick-robot
Copy link

@andyzhangx: new pull request created: #2070

In response to this:

/cherrypick release-1.28

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-infra-cherrypick-robot k8s-infra-cherrypick-robot mentioned this pull request Aug 26, 2024
Merged
@sdx-jkataja sdx-jkataja deleted the CVE-2024-38428 branch August 30, 2024 14:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@andyzhangx andyzhangx andyzhangx approved these changes

@cvvz cvvz Awaiting requested review from cvvz

@ZeroMagic ZeroMagic Awaiting requested review from ZeroMagic

Assignees

@andyzhangx andyzhangx

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/bug Categorizes issue or PR as related to a bug. lgtm "Looks good to me", indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@sdx-jkataja @k8s-ci-robot @andyzhangx @k8s-infra-cherrypick-robot