Closed ietashish closed 2 years ago
@ietashish We run image vulnerability scans as part of our CI and this is used as a release gate. A lot of the CVEs you mentioned do not have a fix yet, so there is no action item on our side for now.
➜ trivy --exit-code 1 --ignore-unfixed --severity MEDIUM,HIGH,CRITICAL mcr.microsoft.com/oss/azure/aad-pod-identity/nmi:v1.8.4
2021-10-08T16:17:43.066Z INFO Need to update DB
2021-10-08T16:17:43.067Z INFO Downloading DB...
24.22 MiB / 24.22 MiB [-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 16.89 MiB p/s 2s
2021-10-08T16:17:47.531Z INFO Detected OS: debian
2021-10-08T16:17:47.531Z INFO Detecting Debian vulnerabilities...
2021-10-08T16:17:47.538Z INFO Number of language-specific files: 1
2021-10-08T16:17:47.538Z INFO Detecting gobinary vulnerabilities...
mcr.microsoft.com/oss/azure/aad-pod-identity/nmi:v1.8.4 (debian 10.10)
======================================================================
Total: 0 (MEDIUM: 0, HIGH: 0, CRITICAL: 0)
bin/nmi (gobinary)
==================
Total: 0 (MEDIUM: 0, HIGH: 0, CRITICAL: 0)
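The maintainer's gate above passes because `--ignore-unfixed` drops every finding for which the distribution or upstream has not shipped a fixed version, while the reporter's scanner still lists those same CVEs. The script below, an added example that is not part of this thread or of the aad-pod-identity project, reproduces that triage over a Trivy JSON report so that the unfixed findings are kept as a list for compliance review instead of being discarded. It assumes the layout of Trivy's JSON report (`Results[].Vulnerabilities[]` with `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`); the embedded report, its CVE ids, package names and versions are constructed placeholders, not findings from any real image.

```python
"""Triage a Trivy JSON report the way a `--ignore-unfixed --severity ...` gate does,
keeping the unfixed findings as a separate list for compliance reporting."""
import json

# Constructed sample in the shape of Trivy's JSON report. The CVE ids, package
# names, versions and image name are placeholders, not real findings.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "example.invalid/app:1.0.0",
    "Results": [
        {
            "Target": "example.invalid/app:1.0.0 (debian 10.10)",
            "Class": "os-pkgs",
            "Type": "debian",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample1",
                 "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libexample2",
                 "InstalledVersion": "2.3-1", "FixedVersion": "", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libexample3",
                 "InstalledVersion": "0.9-4", "FixedVersion": "", "Severity": "LOW"},
            ],
        },
        {
            "Target": "bin/app",
            "Class": "lang-pkgs",
            "Type": "gobinary",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0004", "PkgName": "example.invalid/mod",
                 "InstalledVersion": "v0.1.0", "FixedVersion": "v0.1.1", "Severity": "MEDIUM"},
            ],
        },
    ],
})

GATE_SEVERITIES = ("MEDIUM", "HIGH", "CRITICAL")


def triage(report_json, severities=GATE_SEVERITIES):
    """Split findings at the gate's severities into (fixable, unfixed).

    --severity selects which findings count; --ignore-unfixed drops those with
    no FixedVersion. The dropped ones are exactly the "un-remediated" list a
    compliance reviewer asks about, so they are returned rather than thrown away.
    """
    report = json.loads(report_json)
    wanted = set(severities)
    fixable, unfixed = [], []
    for result in report.get("Results", []):
        # Trivy emits null instead of [] when a target has no findings.
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("Severity") not in wanted:
                continue
            entry = {
                "id": vuln["VulnerabilityID"],
                "target": result.get("Target"),
                "pkg": vuln.get("PkgName"),
                "installed": vuln.get("InstalledVersion"),
                "fixed": vuln.get("FixedVersion") or None,
                "severity": vuln["Severity"],
            }
            (fixable if entry["fixed"] else unfixed).append(entry)
    return fixable, unfixed


def gate_exit_code(report_json, severities=GATE_SEVERITIES, ignore_unfixed=True):
    """Return 1 when the gate should fail the build, else 0 (like --exit-code 1)."""
    fixable, unfixed = triage(report_json, severities)
    blocking = fixable if ignore_unfixed else fixable + unfixed
    return 1 if blocking else 0


def unfixed_summary(report_json, severities=GATE_SEVERITIES):
    """One line per unfixed finding, ready for an exception or risk-acceptance record."""
    _, unfixed = triage(report_json, severities)
    return [f"{e['id']} {e['severity']} {e['pkg']} {e['installed']} ({e['target']}): "
            "no fixed version available" for e in unfixed]


if __name__ == "__main__":
    print("gate exit code:", gate_exit_code(SAMPLE_REPORT))
    for line in unfixed_summary(SAMPLE_REPORT):
        print(line)
```

With the sample data the gate fails only because of the two findings that already have a fix; the CRITICAL finding without a fixed version does not block the release but is still listed by `unfixed_summary`, which is the list a FedRAMP reviewer would expect to see justified. Running the same report with `ignore_unfixed=False` shows the stricter policy under which unfixed findings also block.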
This issue is stale because it has been open 14 days with no activity. Please comment or this will be closed in 7 days.
This issue was closed because it has been stalled for 21 days with no activity. Feel free to re-open if you are experiencing the issue again.
Describe the bug Running a container scan on the NMI container (mcr.microsoft.com/oss/azure/aad-pod-identity/nmi:v1.8.4) reveals several vulnerabilities that have not been fixed. This is problematic since we deploy AAD identity pods on an Azure GovCloud cluster which needs to be compliant with FedRAMP regulations that require us to explain every un-remediated vulnerability.
Can you comment on whether any of these vulnerabilities are getting fixed in upcoming releases, or explain why they have not been fixed yet?
Steps To Reproduce Run any container scanning tool (like Docker Snyk, Aqua Trivy, JFrog Xray) on mcr.microsoft.com/oss/azure/aad-pod-identity/nmi:v1.8.4. We ran a JFrog Xray scan and found the following CVEs:
Expected behavior Container should not have any vulnerabilities.
AAD Pod Identity version v1.8.4
Kubernetes version NA
Additional context None