NVIDIA / gpu-feature-discovery

GPU plugin to the node feature discovery for Kubernetes
Apache License 2.0

High Vulnerabilities in v0.6.2 #28

Closed scottblack1 closed 1 year ago

scottblack1 commented 1 year ago

There are a number of high vulnerabilities against the latest v0.6.2 release as per attached CSV.

scan-security-report---nvidia_gpu-feature-discovery-v0.6.2.csv

Can this image be rebuilt to remove these vulnerabilities as a v0.6.3 release? If v0.7.0 is scheduled to be released soon then this would also be an appropriate solution.

Thanks!

elezar commented 1 year ago

Hi @scottblack1.

In general, we assess the vulnerabilities at the time of release and if these are considered low risk for the intended use of the GPU Feature Discovery container we proceed with the release. Here we use the CUDA base images as a baseline and generally, if the CVEs exist there, they will exist in the GPU Feature Discovery images too.

We are not planning a v0.6.3 release but v0.7.0 will be released before the end of the year. This will use the latest CUDA base image available on the day of release and may address some of the listed CVEs.

Are there particular CVEs in the list that you are concerned about?

elezar commented 1 year ago

@scottblack1 we have just released v0.7.0.

As indicated by the release notes, there is a known CVE in the image.

scottblack1 commented 1 year ago

Thanks for the heads up @elezar.

For context, we have independent categorization of CVEs by our security teams within my organization. This means that some of the CVEs in v0.6.2 that are listed as high are listed as critical internally. The implication of this is that the image is unusable from a risk perspective.

From the scan I have just run, v0.7.0 looks good so I will close this issue!