Closed xiaoyaozibc closed 2 weeks ago
tini-static apparently comes with the tini package. We do not use tini-static anywhere. We do, however, use its dynamically linked sibling /usr/bin/tini as a wrapper for the container image's entrypoint to act as an init replacement for proper signal handling and process reaping.
I do believe your scanner's alert is a false positive, because tini-static should be linked against the same glibc objects as come with the distribution. I wonder how the scanner detects which particular version of glibc the binary was statically linked with.
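One way to answer the question above is to look for the version banner that glibc compiles into its own objects and that static builds usually carry along. The script below is an added example written for this thread, not code from the Argo CD or tini projects; it assumes the binary embeds glibc's banner string from csu/version.c (for example "GNU C Library (GNU libc) stable release version 2.32."), which is common but not guaranteed, so an empty result means "unknown", not "clean". It also assumes GNU grep, sed, awk and getconf are available, and it uses a constructed sample file in place of a real static binary. What a particular scanner actually fingerprints is its own business; this is one plausible check a defender can run by hand.

```shell
#!/bin/sh
# Added example (not Argo CD / tini code): infer the glibc version a statically
# linked binary was built against and compare it with the distribution's glibc.
# Assumption: the binary contains glibc's banner from csu/version.c, e.g.
#   GNU C Library (GNU libc) stable release version 2.32.
# Distro builds look like "GNU C Library (Debian GLIBC 2.31-13) stable release version 2.31."

# Print the glibc version embedded in the binary at $1 ("2.32"), or nothing.
static_glibc_version() {
  grep -a -o -E 'GNU C Library \([^)]*\) [a-z]+ release version [0-9]+\.[0-9]+' "$1" 2>/dev/null \
    | sed -E 's/.*release version ([0-9]+\.[0-9]+).*/\1/' \
    | head -n 1
}

# Print the glibc version of the running distribution ("2.36"), or nothing on
# non-glibc systems (e.g. musl-based images) where getconf lacks the key.
distro_glibc_version() {
  getconf GNU_LIBC_VERSION 2>/dev/null | awk '{print $2}'
}

# Compare an embedded version ($1) with the distro version ($2):
# prints match, mismatch, or unknown (no banner found).
glibc_verdict() {
  bin_ver=$1
  host_ver=$2
  if [ -z "$bin_ver" ]; then
    echo unknown
  elif [ "$bin_ver" = "$host_ver" ]; then
    echo match
  else
    echo mismatch
  fi
}

# Check one binary against the distribution libc and print a one-line report.
check_binary() {
  bv=$(static_glibc_version "$1")
  hv=$(distro_glibc_version)
  printf '%s: embedded glibc=%s distro glibc=%s -> %s\n' \
    "$1" "${bv:-?}" "${hv:-?}" "$(glibc_verdict "$bv" "$hv")"
}

# Demo on a constructed sample file standing in for a static binary.
sample=$(mktemp)
printf 'not a real ELF\nGNU C Library (GNU libc) stable release version 2.32.\n' > "$sample"
check_binary "$sample"   # embedded glibc=2.32
rm -f "$sample"
```

On a real image you would run `check_binary /usr/bin/tini-static` inside the container; a "mismatch" tells you the static binary does not share the distribution's glibc and its CVE status has to be judged from the embedded version, while "match" only says the versions agree, not that either is free of findings.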
Thanks @jannfis for the information! The scanner didn't really say which glibc version it was linked with, but from the revealed vulnerabilities (e.g., https://nvd.nist.gov/vuln/detail/CVE-2021-33574), it seems the version is 2.32 or 2.33, which is pretty old (4 years ago). I saw the tini project (https://github.com/krallin/tini) was not very active; the release v0.19.0 was also from 4 years ago. No wonder the static binary is built with an old glibc version that is prone to a bunch of vulnerabilities. Is there a way to mitigate the issue? If tini-static is not used anywhere, can we remove the binary from the argocd image?
I'm still pretty sure that your scanner is triggering a false positive. Are you using a custom image?
Anyhow, you can remove tini-static from your image without side effects.
I'm using the official image. Sure, I'll try to remove the tini-static binary if I have to. Thanks!
Describe the bug
I've used the vmware osspi tool to scan multiple argocd versions (v2.10.3, v2.10.16, v2.11.7, v2.12.1); all of them show the usr/bin/tini-static binary has 6 critical and 31 total vulnerabilities. It seems the tini-static binary is built with an old version of glibc, which is the vulnerable package. What is the use of the tini-static binary in ArgoCD? Could you upgrade the binary to resolve some of the CVEs?

To Reproduce
Scan ArgoCD v2.12.1 with osspi tool
Expected behavior
Fewer critical CVEs