Open anuragkdi opened 3 weeks ago
I understand your concern regarding security vulnerabilities. While we regularly update our images with the latest system packages, certain CVEs may persist until they are patched in either the OS or the application. In this case, the affected binaries are part of the MongoDB distribution. You can learn more about our CVE policy here.
If you have any further questions, feel free to ask.
Yes, but the CVEs which I have listed are not open CVEs. It seems they have been fixed in later versions; for example, golang.org/x/crypto has been fixed in 0.17.0.
So my question is: can you guys update the golang libraries listed to the fixed versions for the mongodb container?
Unfortunately, we don't apply patches on top of the upstream software. In this case it is necessary to wait until the MongoDB developers cut a new release of MongoDB (or, in this case, of MongoDB Database Tools, which is the source of those binaries). Once there is a new release upstream, our automated test & release pipeline will detect it and the new version will be available in the Bitnami catalog, but until that moment there is nothing else we can do on our side.
In the same way, MongoDB is one of the few applications we do not compile from source due to license requirements.
If you have any questions about the application itself, we highly recommend that you refer to the forums and user guides provided by the project responsible for the application, so they can explain the release process used for this specific application.
This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.
I had raised a ticket with the MongoDB Tools team to remediate the vulnerabilities, and it seems they have taken action. Ticket details: https://jira.mongodb.org/browse/TOOLS-3554
Could you comment on what the next action item is from your end? @carrodher @javsalgar
Name and Version
bitnami/mongodb:7.0.9
What architecture are you using?
None
What steps will reproduce the bug?
Posting it here as I could not report the security vulnerability as an issue due to the policy.
We are running a trivy scan to find vulnerabilities in the mongodb container. Although debian does not show any issues, there are many CVEs reported on many golang libraries, as below. Please suggest how to fix it.
trivy image --format template --template "@contrib/html.tpl" -o report.html bitnami/mongodb:7.0.9 --ignore-unfixed
What is the expected behavior?
What do you see instead?
same as above
Additional information
How to remediate the CVEs for the golang libraries reported?
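The report above asks how to act on trivy findings against Go modules compiled into the MongoDB Database Tools binaries. As an added example (not code from the original issue, from Bitnami, or from trivy), the script below parses a `trivy image --format json` report, keeps only `gobinary` results, and separates modules that have a published FixedVersion (fixed in the Go ecosystem, but only picked up once the project shipping the binary rebuilds against the newer module) from modules with no fix at all. The embedded report, the binary paths under opt/bitnami/mongodb/bin, the module example.com/constructed/module and the EXAMPLE-000x identifiers are constructed placeholders, not real scan output or real CVE IDs; the field names follow trivy's JSON output layout.

```python
"""Triage a trivy JSON report for vulnerable Go modules compiled into binaries.

Added example for the issue above; not Bitnami's or trivy's own code.
Assumes the `trivy image --format json` layout: Results[] with Target/Class/Type,
and Vulnerabilities[] with VulnerabilityID/PkgName/InstalledVersion/FixedVersion.
The embedded report is constructed sample data with placeholder IDs.
"""
import json
import sys
from collections import defaultdict

# Constructed sample report: one clean Debian result and two Go binaries that
# embed the same golang.org/x/crypto version. EXAMPLE-000x are placeholders,
# not real CVE identifiers; the paths are assumed, not taken from the image.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "bitnami/mongodb:7.0.9",
    "Results": [
        {"Target": "bitnami/mongodb:7.0.9 (debian 12)", "Class": "os-pkgs",
         "Type": "debian", "Vulnerabilities": []},
        {"Target": "opt/bitnami/mongodb/bin/mongodump", "Class": "lang-pkgs",
         "Type": "gobinary",
         "Vulnerabilities": [
             {"VulnerabilityID": "EXAMPLE-0001", "PkgName": "golang.org/x/crypto",
              "InstalledVersion": "v0.14.0", "FixedVersion": "0.17.0", "Severity": "HIGH"},
             {"VulnerabilityID": "EXAMPLE-0002", "PkgName": "example.com/constructed/module",
              "InstalledVersion": "v1.0.0", "FixedVersion": "", "Severity": "MEDIUM"},
         ]},
        {"Target": "opt/bitnami/mongodb/bin/mongorestore", "Class": "lang-pkgs",
         "Type": "gobinary",
         "Vulnerabilities": [
             {"VulnerabilityID": "EXAMPLE-0001", "PkgName": "golang.org/x/crypto",
              "InstalledVersion": "v0.14.0", "FixedVersion": "0.17.0", "Severity": "HIGH"},
         ]},
    ],
})


def load_report(text):
    """Parse the JSON text trivy writes with --format json."""
    return json.loads(text)


def go_binary_findings(report):
    """Flatten gobinary results into one row per (binary, module, vulnerability)."""
    rows = []
    for result in report.get("Results", []):
        if result.get("Type") != "gobinary":
            continue
        for vuln in result.get("Vulnerabilities") or []:
            rows.append({
                "binary": result["Target"],
                "id": vuln["VulnerabilityID"],
                "module": vuln["PkgName"],
                "installed": vuln["InstalledVersion"],
                # trivy leaves FixedVersion empty when no fix is published.
                "fixed": vuln.get("FixedVersion") or None,
                "severity": vuln.get("Severity", "UNKNOWN"),
            })
    return rows


def triage(rows, ignore_unfixed=True):
    """Group findings by Go module; ignore_unfixed mirrors trivy's --ignore-unfixed.

    A module with a FixedVersion is fixed in the Go ecosystem, but a Go binary
    only picks the fix up when its upstream rebuilds against the newer module,
    so the remediation owner is the binary's upstream, not the image packager.
    """
    by_module = defaultdict(lambda: {"binaries": set(), "ids": set(),
                                     "installed": None, "fixed": None})
    for row in rows:
        if ignore_unfixed and row["fixed"] is None:
            continue
        entry = by_module[row["module"]]
        entry["binaries"].add(row["binary"])
        entry["ids"].add(row["id"])
        entry["installed"] = row["installed"]
        entry["fixed"] = row["fixed"]
    return dict(by_module)


def remediation_plan(by_module):
    """One line per module stating the next action for the operator."""
    lines = []
    for module, entry in sorted(by_module.items()):
        binaries = ", ".join(sorted(entry["binaries"]))
        if entry["fixed"]:
            lines.append(f"{module} {entry['installed']} -> {entry['fixed']}: "
                         f"fixed upstream; needs rebuild of {binaries}")
        else:
            lines.append(f"{module} {entry['installed']}: no fixed version "
                         f"published; track the advisory for {binaries}")
    return lines


if __name__ == "__main__":
    # Usage: python triage.py report.json  (falls back to the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    for line in remediation_plan(triage(go_binary_findings(load_report(text)),
                                        ignore_unfixed=False)):
        print(line)
```

Against a real scan, produce the input with `trivy image --format json -o report.json bitnami/mongodb:7.0.9` and run `python triage.py report.json`. Grouping by module rather than by binary matters here: the same module version shows up once per binary that embeds it, and all of those binaries come from one upstream release, so a single rebuild of that upstream closes every row for the module.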