bitnami / charts

Bitnami Helm Charts
https://bitnami.com

vulnerabilities with older image versions in etcd, can we update versions? #27823

Closed kdabbir closed 1 month ago

kdabbir commented 1 month ago

Name and Version

bitnami/etcd 3.5.x

What architecture are you using?

None

What steps will reproduce the bug?

Hi team, we're using the bitnami/etcd image as part of a milvus deployment. Our code scanners are detecting multiple vulnerabilities in the bitnami/etcd image, listed below; can we get these versions upgraded? I've linked the current version and fix version for reference in the image paths.

  1. golang:go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc Current version: v0.25.0 Fix version: v0.46.0

  2. golang:google.golang.org/protobuf/encoding/protojson Current version: v1.31.0 Fix version: v1.33.0

  3. golang:google.golang.org/protobuf/internal/encoding/json Current version: v1.31.0 Fix version: v1.33.0

  4. golang:golang.org/x/net/http2 Current version: v0.17.0 Fix version: v0.23.0

  5. golang:path/filepath Current version: 1.21.4 Fix version: 1.21.5

  6. golang:go.etcd.io/etcd/client/v3 Current version: 1.20.11 Fix version: 3.3.23

Thanks.

What do you see instead?

CVE vulnerabilities are detected for these code paths. I'm uploading screenshots of the reported CVEs:

[Two screenshots of the reported CVEs, taken 2024-07-05, were attached to the issue.]

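
As an added example (not code from the issue or from Bitnami), a small checker that parses `go version -m` output for the etcd binary and flags modules below the fix versions quoted above. The scanner names packages, while `go version -m` reports their containing modules, so the table is keyed by module path; the sample output, its hashes and the binary path are constructed assumptions.

```python
import re
from typing import Dict, List, Tuple

# Minimum versions carrying the fixes, taken from the versions quoted in the
# issue. Keys are module paths (what `go version -m` prints), not package paths.
FIXED_IN = {
    "go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc": "v0.46.0",
    "google.golang.org/protobuf": "v1.33.0",
    "golang.org/x/net": "v0.23.0",
}
GO_FIXED_IN = "go1.21.5"  # path/filepath is standard library: check the toolchain

# Constructed sample of `go version -m <etcd binary>` output; the path and
# h1: sums are placeholders, not values from a real image.
SAMPLE = """\
/opt/bitnami/etcd/bin/etcd: go1.21.4
\tpath\tgo.etcd.io/etcd/server/v3
\tmod\tgo.etcd.io/etcd/server/v3\tv3.5.11\th1:PLACEHOLDER
\tdep\tgolang.org/x/net\tv0.17.0\th1:PLACEHOLDER
\tdep\tgoogle.golang.org/protobuf\tv1.31.0\th1:PLACEHOLDER
\tdep\tgo.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc\tv0.25.0\th1:PLACEHOLDER
\tbuild\t-buildmode=exe
"""

def parse_version(v: str) -> Tuple[int, int, int, int]:
    """Map 'v1.2.3', 'go1.21.4' or a pseudo-version 'v0.0.0-2023...-abc' to a
    sortable tuple. Pre-release and pseudo-versions sort below the release they
    name, which is the conservative choice for a minimum-version check."""
    m = re.match(r"(?:go|v)?(\d+)\.(\d+)(?:\.(\d+))?(-|\+|$)", v)
    if not m:
        raise ValueError(f"unrecognised version: {v}")
    release = 0 if m.group(4) == "-" else 1
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0), release)

def parse_go_version_m(text: str) -> Tuple[str, Dict[str, str]]:
    """Return (toolchain version, {module path: version}) from `go version -m` output."""
    lines = text.splitlines()
    toolchain = lines[0].rsplit(": ", 1)[1]
    mods: Dict[str, str] = {}
    for line in lines[1:]:
        fields = line.strip().split("\t")
        if fields[0] in ("mod", "dep") and len(fields) >= 3:
            mods[fields[1]] = fields[2]
    return toolchain, mods

def outdated_modules(text: str) -> List[Tuple[str, str, str]]:
    """List (module, found version, minimum fixed version) for every module in
    FIXED_IN that is present in the binary but below its fix version."""
    toolchain, mods = parse_go_version_m(text)
    findings = []
    if parse_version(toolchain) < parse_version(GO_FIXED_IN):
        findings.append(("go (stdlib)", toolchain, GO_FIXED_IN))
    for module, fixed in FIXED_IN.items():
        found = mods.get(module)
        if found is not None and parse_version(found) < parse_version(fixed):
            findings.append((module, found, fixed))
    return findings
```

Run `go version -m` against the binary inside the running container and feed its output to `outdated_modules` to confirm whether a rebuilt image actually carries the fixed module versions, independent of what the scanner reports.
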
carrodher commented 1 month ago

I understand your concern regarding security vulnerabilities. We regularly update our images with the latest system packages; however, certain CVEs may persist until they are patched in the OS or application. Additionally, some CVEs remain unfixed due to the absence of available patches. In vulnerability scanners like Trivy, you can use the --ignore-unfixed flag to ignore such CVEs. You can learn more about our CVE policy here.

The Bitnami Application Catalog (OpenSource) is built on Debian 12. Additionally, as part of VMware, Bitnami offers a custom container and Helm Charts catalog based on various base images, such as Debian 11 & 12, PhotonOS 4, Ubuntu 20.04 & 22.04, RedHat UBI 8 & 9, and custom golden images. You can explore these options through the VMware Tanzu Application Catalog.

If you have any further questions, feel free to ask.

github-actions[bot] commented 1 month ago

This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.

github-actions[bot] commented 1 month ago

Due to the lack of activity in the last 5 days since it was marked as "stale", we proceed to close this Issue. Do not hesitate to reopen it later if necessary.