mohag
commented
1 year ago Red Hat rebuilt the stream8 container, so rebuilding this one now should help...
Closed humblec closed 1 day ago
mohag
commented
1 year ago Red Hat rebuilt the stream8 container, so rebuilding this one now should help...
porwalameet
commented
6 months ago @mohag , @humblec We ran trivy scan on latest cephcsi image, and still see a CRITICAL vulnerability being open from long time.
The vulnerability CVE-2022-21797 is still open. Is it possible we can patch base image and get this CVE fixed.
There was one upgrade to base image done in Feb 23, https://github.com/ceph/ceph-csi/pull/3635, however this CVI is still open.
porwalameet
commented
6 months ago To add, base image from redhat stream 8 container, is updated: https://bugzilla.redhat.com/show_bug.cgi?id=2166562#c3 for 8stream
porwalameet
commented
6 months ago @mohag @humblec any update on this. We keep getting security warnings for the same.
porwalameet
commented
5 months ago @mohag @humblec, this CVE is getting highlighted. Is there any plan for fixing this?
mohag
commented
5 months ago CentOS Stream 8 is EoL soon.... (The images likely need to move to CentOS Stream 9 (or something else))
I suspect that the main problem is that Trivy uses the RHEL vulnerability database for CentOS Stream and that the package versions no longer align closely enough. (The fixes for RHEL may / may not exist for CentOS Stream as well it seems) See Q4 here
Trivy has a PR for CentOS Stream support
The rebuilds of the base container only helps if these containers are rebuilt after the base image has been updated... I'm not sure if there are scheduled rebuilds or if they are only build on new releases. (and looking at the CentOS FAQ and Trivy issues about CentOS Stream, it seems like an up to date CentOS Stream might still contain vulnerabilities that is fixed in RHEL)
porwalameet
commented
5 months ago Yes, up to date CentOS stream might contain some vulnerabilities. However, these are incrementally fixed. Following same procedure, for other repos. as base image is updated, previously known vulnerabilities will be patched.
Any timeline for moving to CentOS Stream 9?
github-actions[bot]
commented
4 months ago This issue has been automatically marked as stale because it has not had recent activity. It will be closed in a week if no further activity occurs. Thank you for your contributions.
Starttoaster
commented
4 months ago I'd like this Issue to remain open while the Ceph image still reports a critical level vulnerability.
github-actions[bot]
commented
4 months ago This issue has been automatically marked as stale because it has not had recent activity. It will be closed in a week if no further activity occurs. Thank you for your contributions.
Starttoaster
commented
4 months ago bump
humblec
commented
4 months ago @ktdreyer any help to take care of this from base container pov ?
Starttoaster
commented
4 months ago Fwiw, I'm coming from a place here where I would like to help with fixing this. At least for the Critical level Joblib vulnerability which is resolved in Joblib 1.2.0. But I don't know much about Joblib, how its introduced in the ceph image, or what issues could arise from upgrading it to 1.2.0 from what appears to be installed in the container (0.16.0). But it would be excellent to take care of this if we can, Ceph is a critical piece of infrastructure to many, and it would be sad to see it go unmaintained
So if the maintainer team doesn't have resources for fixing this, maybe they have resources to guide me into fixing it for them?
This screenshot is from my k8s cluster vulnerability scanner dashboard, and is for the ceph-csi image which uses the image from this repository as a base
@humblec fwiw I think the Medium and Low severity vulnerabilities from this screenshot are probably actually introduced in the ceph-csi image.
github-actions[bot]
commented
3 months ago This issue has been automatically marked as stale because it has not had recent activity. It will be closed in a week if no further activity occurs. Thank you for your contributions.
Starttoaster
commented
3 months ago Not stale. These stale Issue notifications are pretty annoying to be honest. I'll just keep re-upping this Issue as long as I am alive :smile:
github-actions[bot]
commented
3 months ago This issue has been automatically marked as stale because it has not had recent activity. It will be closed in a week if no further activity occurs. Thank you for your contributions.
Starttoaster
commented
3 months ago Not stale
github-actions[bot]
commented
2 months ago This issue has been automatically marked as stale because it has not had recent activity. It will be closed in a week if no further activity occurs. Thank you for your contributions.
Starttoaster
commented
2 months ago Still relevant as far as I am aware
sfackler
commented
2 months ago CentOS Stream 8 went EOL ~3 weeks ago.
github-actions[bot]
commented
1 month ago This issue has been automatically marked as stale because it has not had recent activity. It will be closed in a week if no further activity occurs. Thank you for your contributions.
sfackler
commented
1 month ago CentOS Stream 8 went EOL ~5 weeks ago.
github-actions[bot]
commented
1 month ago This issue has been automatically marked as stale because it has not had recent activity. It will be closed in a week if no further activity occurs. Thank you for your contributions.
github-actions[bot]
commented
3 weeks ago This issue has been automatically marked as stale because it has not had recent activity. It will be closed in a week if no further activity occurs. Thank you for your contributions.
mohag
commented
3 weeks ago .
github-actions[bot]
commented
1 week ago This issue has been automatically marked as stale because it has not had recent activity. It will be closed in a week if no further activity occurs. Thank you for your contributions.
github-actions[bot]
commented
1 day ago This issue has been automatically closed due to inactivity. Please re-open if this still requires investigation.
We use latest image hash of ceph in our ( ceph-csi github.com/ceph/ceph-csi) container build process and running the scanner against the build returns too many vulnarabilities . This has become an issue for many users and also for the secuirty reports generated on ceph csi image. We can not do anything to fix these issues in our image or iow, it has to be fixed here.
Can you consider this in prioirty and address these vulnarabilities?
A recent run report can be seen here:
https://github.com/ceph/ceph-csi/issues/3538