Open sierracarloslm opened 1 year ago
Any movement on this? Still an issue today on the latest.
Hi @nolanvenhola 👋
Generally, these static scans provide unreliable results and they often report dependencies as containing "vulnerabilities" even though there's no way to exploit them when running Cube. If you know of any vulnerabilities that can be actually exploited, please report them either here or via security@cube.dev.
Also, please feel free to contribute PRs that upgrade dependencies that you consider vulnerable, that would be much appreciated.
Finally, please note that you can use Cube Cloud that utilizes a different runtime with different Docker containers and it's also SOC 2 certified.
If you are interested in working on this issue, please go ahead and provide PR for that. We'd be happy to review it and merge it. If this is the first time you are contributing a Pull Request to Cube, please check our contribution guidelines. You can also post any questions while contributing in the #contributors channel in the Cube Slack.
Describe the bug We are in the process of a SOC2 T2 audit. Part of the process is a vulnerability assessment of all images, and containers.
We ran a static scan on the latest (0.32) Docker image version. Based on the scans from Docker that latest version has 75 vulnerabilities, and 4 of those are critical. See image below.
Most likely, these vulnerabilities will have an impact on other organizations aldo running formal security audits. As per our SOC2, critical vulnerabilities have an SLA for resolution of 14 days.
This issue was communicated via Slack. @keydunov asked us to file this Github issue.
To Reproduce Open Docker Desktop and run scan
Version: V0.32.14