CVE scan lists high vulnerability against latest image k8s.gcr.io/nfd/node-feature-discovery:v0.11.1 #853
Comments
|
@marquiz ptal |
|
/cc @ArangoGutierrez |
|
This will require v0.11.2 since updating image hash at k8s.gcr.io/images doesn't allow hash updates |
|
I don't think this applicable to us. NFD binaries are statically linked golang binaries (no c compiler involved). The possible hooks run by nfd (worker) inside the image are deployed/managed by the sysadmin. Any thoughts? |
|
As that's not the minimal image, according to documentation it contains run-time support for Bash and Perl hooks: https://kubernetes-sigs.github.io/node-feature-discovery/v0.11/advanced/customization-guide.html#hooks I.e. has several libs that may get out of date / require security updates. (IMHO running random code for hooks is bad idea for several reasons, I'll expand on that in a separate ticket.) |
|
@gseidlerhpe v0.11.2 (#870) should fix this issue. Close? |
|
@marquiz unfortunately the v0.11.2 image still has critical and high vulnerabilities (mostly Debian and Go). The basic docker scan (Snyk 1.827.0) lists 1 critical and 1 high: ✗ Critical severity vulnerability found in zlib/zlib1g However, I also ran a more sensitive scan with Jfrog and that found many more: 10 critical, 28 high. I've attached the full output in json format from both scans. Updating the base debian image should fix most if not all of the critical and high issues. |
|
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
k8s-ci-robot
added
the
lifecycle/stale
|
/remove-lifecycle stale |
|
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle rotten |
k8s-ci-robot
added
lifecycle/rotten
|
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs. This bot triages issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /close not-planned |
|
@k8s-triage-robot: Closing this issue, marking it as "Not Planned". In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
What happened:
CVE scan shows image uses lib/package with high vulnerability
What you expected to happen:
No critical or high vulnerability issues.
How to reproduce it (as minimally and precisely as possible):
docker scan k8s.gcr.io/nfd/node-feature-discovery:v0.11.1
Output shows:
✗ High severity vulnerability found in gcc-8/libstdc++6
Description: Information Exposure
Info: https://snyk.io/vuln/SNYK-DEBIAN10-GCC8-347558
Introduced through: gcc-8/[email protected], [email protected], meta-common-packages@meta
From: gcc-8/[email protected]
From: [email protected] > gcc-8/[email protected]
From: [email protected] > apt/[email protected] > gcc-8/[email protected]
and 2 more...
Organization: xxxxxxx
Package manager: deb
Project name: docker-image|k8s.gcr.io/nfd/node-feature-discovery
Docker image: k8s.gcr.io/nfd/node-feature-discovery:v0.11.1
Platform: linux/amd64
Base image: debian:10.12-slim
Licenses: enabled
Tested 85 dependencies for known issues, found 72 issues.
Your base image is out of date
Anything else we need to know?:
Environment:
kubectl version):cat /etc/os-release):uname -a):The text was updated successfully, but these errors were encountered: