alphagov / cyber-security-concourse-base-image


Update to latest amazonlinux tag. #49

Closed danjoneslf closed 3 years ago

danjoneslf commented 3 years ago

This fixes the majority of the known vulnerabilities.

pritchyspritch commented 3 years ago

I presume we can't get the version of amazonlinux that fixes the last issue because we are already using latest tag?

a525bda89342 (amazon 2 (Karoo))
===============================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

+----------+------------------+----------+-------------------+-----------------+---------------------------------------+
| LIBRARY  | VULNERABILITY ID | SEVERITY | INSTALLED VERSION |  FIXED VERSION  |                 TITLE                 |
+----------+------------------+----------+-------------------+-----------------+---------------------------------------+
| openldap | CVE-2020-25692   | MEDIUM   | 2.4.44-22.amzn2   | 2.4.44-23.amzn2 | openldap: NULL pointer dereference    |
|          |                  |          |                   |                 | for unauthenticated packet in slapd   |
|          |                  |          |                   |                 | -->avd.aquasec.com/nvd/cve-2020-25692 |
+----------+------------------+----------+-------------------+-----------------+---------------------------------------+

usr/local/bin/trivy
===================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

danjoneslf commented 3 years ago

> I presume we can't get the version of amazonlinux that fixes the last issue because we are already using latest tag?

We could probably figure out a way to fix the last one by doing something like what we did with http-api-resource, but given we don't actually currently use the container in cyber and VPS no longer use it, I think it probably doesn't justify the extra effort.