Closed humblec closed 1 day ago
Red Hat rebuilt the stream8 container, so rebuilding this one now should help...
@mohag, @humblec We ran a Trivy scan on the latest cephcsi image, and still see a CRITICAL vulnerability that has been open for a long time.
The vulnerability CVE-2022-21797 is still open. Is it possible to patch the base image and get this CVE fixed?
There was one upgrade to the base image done in Feb 23, https://github.com/ceph/ceph-csi/pull/3635; however, this CVE is still open.
To add, the base image from the Red Hat Stream 8 container is updated: https://bugzilla.redhat.com/show_bug.cgi?id=2166562#c3 for 8stream
@mohag @humblec any update on this? We keep getting security warnings for the same.
@mohag @humblec, this CVE is getting highlighted. Is there any plan for fixing this?
CentOS Stream 8 is EoL soon.... (The images likely need to move to CentOS Stream 9 (or something else))
I suspect that the main problem is that Trivy uses the RHEL vulnerability database for CentOS Stream and that the package versions no longer align closely enough. (The fixes for RHEL may / may not exist for CentOS Stream as well it seems) See Q4 here
Trivy has a PR for CentOS Stream support
The rebuilds of the base container only help if these containers are rebuilt after the base image has been updated... I'm not sure if there are scheduled rebuilds or if they are only built on new releases. (And looking at the CentOS FAQ and the Trivy issues about CentOS Stream, it seems like an up-to-date CentOS Stream might still contain vulnerabilities that are fixed in RHEL.)
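Added example, not code from the ceph or ceph-csi projects: a small check for the point above that a base-image fix only reaches a derived image once that image is rebuilt on top of the updated base. It compares layer digests, which assumes you can read the image configs (e.g. via `docker image inspect` or `skopeo inspect --config`); every digest below is a constructed sample value.

```python
"""Check whether a derived image was rebuilt on top of the current base image.

An image built FROM a base inherits the base's layers unchanged, so the base
image's rootfs.diff_ids appear as a prefix of the derived image's diff_ids
(`docker image inspect` -> RootFS.Layers, or the OCI config -> rootfs.diff_ids).
When the base is rebuilt, its diff_ids change and the prefix stops matching:
the derived image still ships the old base layers, however clean the new base
scans.

All digests in this file are constructed sample values, not real image digests.
"""
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class ImageLayers:
    name: str
    diff_ids: tuple  # uncompressed layer digests, bottom layer first


def layers_from_inspect(inspect_json: str) -> tuple:
    """Extract diff_ids from `docker image inspect` output (a JSON array)
    or from an OCI image config object (rootfs.diff_ids)."""
    doc = json.loads(inspect_json)
    if isinstance(doc, list):                    # docker/podman inspect output
        return tuple(doc[0]["RootFS"]["Layers"])
    return tuple(doc["rootfs"]["diff_ids"])      # OCI image config


def built_on(base: ImageLayers, derived: ImageLayers) -> bool:
    """True if derived's layer stack starts with every layer of base."""
    n = len(base.diff_ids)
    return n > 0 and derived.diff_ids[:n] == base.diff_ids


def rebuild_needed(current_base: ImageLayers, derived: ImageLayers) -> bool:
    """True when derived still carries an older base, i.e. a base-image fix
    cannot have reached it until it is rebuilt."""
    return not built_on(current_base, derived)


# Constructed sample: the base was rebuilt (new digests), the ceph image was not.
OLD_BASE = ImageLayers("stream8:old", ("sha256:a1", "sha256:a2"))
NEW_BASE = ImageLayers("stream8:new", ("sha256:b1", "sha256:b2"))
CEPH_IMAGE = ImageLayers("ceph:daemon", ("sha256:a1", "sha256:a2", "sha256:c1"))
SAMPLE_INSPECT = ('[{"RootFS": {"Type": "layers", '
                  '"Layers": ["sha256:a1", "sha256:a2", "sha256:c1"]}}]')

if __name__ == "__main__":
    print("rebuild needed:", rebuild_needed(NEW_BASE, CEPH_IMAGE))
```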
Yes, an up-to-date CentOS Stream might contain some vulnerabilities. However, these are incrementally fixed. Following the same procedure as for other repos, as the base image is updated, previously known vulnerabilities will be patched.
Any timeline for moving to CentOS Stream 9?
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in a week if no further activity occurs. Thank you for your contributions.
I'd like this Issue to remain open while the Ceph image still reports a critical level vulnerability.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in a week if no further activity occurs. Thank you for your contributions.
bump
@ktdreyer any help to take care of this from base container pov ?
Fwiw, I'm coming from a place here where I would like to help with fixing this. At least for the Critical level Joblib vulnerability, which is resolved in Joblib 1.2.0. But I don't know much about Joblib, how it's introduced in the ceph image, or what issues could arise from upgrading it to 1.2.0 from what appears to be installed in the container (0.16.0). But it would be excellent to take care of this if we can; Ceph is a critical piece of infrastructure to many, and it would be sad to see it go unmaintained.
So if the maintainer team doesn't have resources for fixing this, maybe they have resources to guide me into fixing it for them?
This screenshot is from my k8s cluster vulnerability scanner dashboard, and is for the ceph-csi image, which uses the image from this repository as a base.
@humblec fwiw I think the Medium and Low severity vulnerabilities from this screenshot are probably actually introduced in the ceph-csi image.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in a week if no further activity occurs. Thank you for your contributions.
Not stale. These stale Issue notifications are pretty annoying to be honest. I'll just keep re-upping this Issue as long as I am alive :smile:
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in a week if no further activity occurs. Thank you for your contributions.
Not stale
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in a week if no further activity occurs. Thank you for your contributions.
Still relevant as far as I am aware
CentOS Stream 8 went EOL ~3 weeks ago.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in a week if no further activity occurs. Thank you for your contributions.
CentOS Stream 8 went EOL ~5 weeks ago.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in a week if no further activity occurs. Thank you for your contributions.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in a week if no further activity occurs. Thank you for your contributions.
.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in a week if no further activity occurs. Thank you for your contributions.
This issue has been automatically closed due to inactivity. Please re-open if this still requires investigation.
We use the latest image hash of ceph in our (ceph-csi, github.com/ceph/ceph-csi) container build process, and running the scanner against the build returns too many vulnerabilities. This has become an issue for many users and also for the security reports generated on the ceph-csi image. We cannot do anything to fix these issues in our image; in other words, it has to be fixed here.
Can you consider this a priority and address these vulnerabilities?
A recent run report can be seen here:
https://github.com/ceph/ceph-csi/issues/3538