update to v1.26.x in driver-crds image #1075

Closed
aramase opened this issue Oct 18, 2022 · 4 comments · Fixed by #1111
Labels
kind/failing-test Categorizes issue or PR as related to a consistently or frequently failing test.

Comments

aramase commented Oct 18, 2022

pull-secrets-store-csi-driver-image-scan is failing in driver-crds because of CVEs in the kubectl binary. When a new version of `kubectl` is available, we can update and close this issue.

ref: https://prow.k8s.io/view/gs/kubernetes-jenkins/pr-logs/pull/kubernetes-sigs_secrets-store-csi-driver/1069/pull-secrets-store-csi-driver-image-scan/1582436018705928192

kubectl (gobinary)
==================
Total: 2 (MEDIUM: 1, HIGH: 1, CRITICAL: 0)

┌───────────────────┬────────────────┬──────────┬────────────────────────────────────┬───────────────────────────────────┬─────────────────────────────────────────────────────────────┐
│      Library      │ Vulnerability  │ Severity │         Installed Version          │           Fixed Version           │                            Title                            │
├───────────────────┼────────────────┼──────────┼────────────────────────────────────┼───────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ golang.org/x/net  │ CVE-2022-27664 │ HIGH     │ v0.0.0-20220722155237-a158d28d115b │ 0.0.0-20220906165146-f3363e06e74c │ golang: net/http: handle server errors after sending GOAWAY │
│                   │                │          │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2022-27664                  │
├───────────────────┼────────────────┼──────────┼────────────────────────────────────┼───────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ golang.org/x/text │ CVE-2022-32149 │ MEDIUM   │ v0.3.7                             │ 0.3.8                             │ golang: golang.org/x/text/language: ParseAcceptLanguage     │
│                   │                │          │                                    │                                   │ takes a long time to parse complex tags                     │
│                   │                │          │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2022-32149                  │
└───────────────────┴────────────────┴──────────┴────────────────────────────────────┴───────────────────────────────────┴─────────────────────────────────────────────────────────────┘

/kind failing-test

@k8s-ci-robot k8s-ci-robot added the kind/failing-test Categorizes issue or PR as related to a consistently or frequently failing test. label Oct 18, 2022
@GiuseppeChiesa-TomTom

Also, the k8s.gcr.io/csi-secrets-store/driver:v1.2.4 image contains critical vulnerabilities:

 ❯ docker run aquasec/trivy image --ignore-unfixed -s "CRITICAL"  k8s.gcr.io/csi-secrets-store/driver:v1.2.4
2022-10-21T12:12:01.830Z        INFO    Need to update DB
2022-10-21T12:12:01.830Z        INFO    DB Repository: ghcr.io/aquasecurity/trivy-db
2022-10-21T12:12:01.830Z        INFO    Downloading DB...
2022-10-21T12:12:04.637Z        INFO    Vulnerability scanning is enabled
2022-10-21T12:12:04.637Z        INFO    Secret scanning is enabled
2022-10-21T12:12:04.637Z        INFO    If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2022-10-21T12:12:04.637Z        INFO    Please see also https://aquasecurity.github.io/trivy/v0.31.0/docs/secret/scanning/#recommendation for faster secret detection
2022-10-21T12:12:06.900Z        INFO    Detected OS: debian
2022-10-21T12:12:06.900Z        INFO    Detecting Debian vulnerabilities...
2022-10-21T12:12:06.911Z        INFO    Number of language-specific files: 1
2022-10-21T12:12:06.911Z        INFO    Detecting gobinary vulnerabilities...

k8s.gcr.io/csi-secrets-store/driver:v1.2.4 (debian 11.4)
========================================================
Total: 2 (CRITICAL: 2)

┌──────────────┬───────────────┬──────────┬───────────────────┬─────────────────┬─────────────────────────────────────────────────────────────┐
│   Library    │ Vulnerability │ Severity │ Installed Version │  Fixed Version  │                            Title                            │
├──────────────┼───────────────┼──────────┼───────────────────┼─────────────────┼─────────────────────────────────────────────────────────────┤
│ libpcre2-8-0 │ CVE-2022-1586 │ CRITICAL │ 10.36-2           │ 10.36-2+deb11u1 │ pcre2: Out-of-bounds read in compile_xclass_matchingpath in │
│              │               │          │                   │                 │ pcre2_jit_compile.c                                         │
│              │               │          │                   │                 │ https://avd.aquasec.com/nvd/cve-2022-1586                   │
│              ├───────────────┤          │                   │                 ├─────────────────────────────────────────────────────────────┤
│              │ CVE-2022-1587 │          │                   │                 │ pcre2: Out-of-bounds read in get_recurse_data_length in     │
│              │               │          │                   │                 │ pcre2_jit_compile.c                                         │
│              │               │          │                   │                 │ https://avd.aquasec.com/nvd/cve-2022-1587                   │
└──────────────┴───────────────┴──────────┴───────────────────┴─────────────────┴─────────────────────────────────────────────────────────────┘
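
Both reports above are Trivy tables read by eye; the CI job fails on the same data programmatically. The Python below is an added example, not code from the secrets-store-csi-driver project or from any commenter in this thread: it applies the `--ignore-unfixed` plus severity-threshold policy to a Trivy JSON report (the `Results[].Vulnerabilities[]` shape Trivy emits with `--format json`) and returns the findings that should block, which is what an image-scan gate effectively does. The report embedded in it is constructed by hand from the two tables in this thread, plus one placeholder finding (`EXAMPLE-NOFIX-0001` in `example-pkg`, deliberately not a real CVE) that has no fixed version, to show that `--ignore-unfixed` drops it. The function names are assumptions of this example.

```python
"""Gate a Trivy JSON report the way an image-scan CI job does.

Added example, not part of the secrets-store-csi-driver project. It mimics
the effect of `trivy image --ignore-unfixed -s HIGH,CRITICAL --exit-code 1`
on an already-produced report, so it needs no scanner and runs offline.
"""
import json

# Trivy severity labels, ordered so a threshold can be applied numerically.
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample in Trivy's JSON report shape (Results -> Vulnerabilities),
# built from the findings quoted in this issue; not real scanner output.
# EXAMPLE-NOFIX-0001 / example-pkg is a placeholder, not a real CVE or package.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {
            "Target": "kubectl",
            "Type": "gobinary",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-2022-27664", "PkgName": "golang.org/x/net",
                 "InstalledVersion": "v0.0.0-20220722155237-a158d28d115b",
                 "FixedVersion": "0.0.0-20220906165146-f3363e06e74c", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-2022-32149", "PkgName": "golang.org/x/text",
                 "InstalledVersion": "v0.3.7", "FixedVersion": "0.3.8", "Severity": "MEDIUM"},
            ],
        },
        {
            "Target": "k8s.gcr.io/csi-secrets-store/driver:v1.2.4 (debian 11.4)",
            "Type": "debian",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-2022-1586", "PkgName": "libpcre2-8-0",
                 "InstalledVersion": "10.36-2", "FixedVersion": "10.36-2+deb11u1",
                 "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-2022-1587", "PkgName": "libpcre2-8-0",
                 "InstalledVersion": "10.36-2", "FixedVersion": "10.36-2+deb11u1",
                 "Severity": "CRITICAL"},
                # Placeholder with no fix available: --ignore-unfixed must drop it.
                {"VulnerabilityID": "EXAMPLE-NOFIX-0001", "PkgName": "example-pkg",
                 "InstalledVersion": "1.0-1", "FixedVersion": "", "Severity": "CRITICAL"},
            ],
        },
    ]
})


def blocking_findings(report_json, min_severity="HIGH", ignore_unfixed=True):
    """Return the findings that should fail the gate, in report order.

    min_severity  -> equivalent of trivy's -s/--severity lower bound
    ignore_unfixed -> equivalent of --ignore-unfixed (skip empty FixedVersion)
    """
    report = json.loads(report_json)
    threshold = SEVERITY_RANK[min_severity.upper()]
    blocking = []
    for result in report.get("Results", []):
        # Trivy omits or nulls "Vulnerabilities" for clean targets.
        for vuln in result.get("Vulnerabilities") or []:
            severity = str(vuln.get("Severity", "UNKNOWN")).upper()
            if SEVERITY_RANK.get(severity, 0) < threshold:
                continue
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            blocking.append({
                "target": result.get("Target"),
                "type": result.get("Type"),
                "id": vuln["VulnerabilityID"],
                "pkg": vuln["PkgName"],
                "installed": vuln.get("InstalledVersion"),
                "fixed": vuln.get("FixedVersion"),
                "severity": severity,
            })
    return blocking


def summarize(findings):
    """Count findings per severity, like Trivy's 'Total: N (HIGH: x, ...)' line."""
    counts = {}
    for finding in findings:
        counts[finding["severity"]] = counts.get(finding["severity"], 0) + 1
    return counts


def exit_code(report_json, **policy):
    """1 if the gate should fail the job (mirrors --exit-code 1), else 0."""
    return 1 if blocking_findings(report_json, **policy) else 0


if __name__ == "__main__":
    hits = blocking_findings(SAMPLE_REPORT)
    for f in hits:
        print(f"{f['severity']:8} {f['id']:18} {f['pkg']} "
              f"{f['installed']} -> {f['fixed']}  [{f['target']}]")
    print("summary:", summarize(hits), "exit code:", exit_code(SAMPLE_REPORT))
```

With the default policy the gate reports the HIGH golang.org/x/net finding in kubectl and the two CRITICAL libpcre2-8-0 findings in the driver image, and drops the placeholder with no fix; raising the threshold to CRITICAL leaves only the two Debian findings, which is what the `-s "CRITICAL"` run above shows.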

darkomih commented Nov 9, 2022

Yes, I can confirm that.

@aramase aramase changed the title pull-secrets-store-csi-driver-image-scan failing in driver-crds image update to v1.26.x in driver-crds image Nov 10, 2022
@sarahhenkens

Manually updating the driver image causes the helm chart to break as well #1088


aramase commented Nov 17, 2022

Manually updating the driver image causes the helm chart to break as well #1088

@sarahhenkens I believe you're referring to the node-driver-registrar image? This issue is for CVEs in the kubectl binary that's part of the v1.25.3 release in the driver-crds image that's used by the helm chart.
