deepflowio / deepflow

eBPF Observability - Distributed Tracing and Profiling
https://deepflow.io
Apache License 2.0

[BUG] deepflow-agent image contains critical vulnerabilities #7497

Open wyf0520 opened 3 months ago

wyf0520 commented 3 months ago


DeepFlow Component

Agent

What you expected to happen

deepflow-agent.log

How to reproduce

run trivy image --db-repository m.daocloud.io/ghcr.io/aquasecurity/trivy-db --java-db-repository m.daocloud.io/ghcr.io/aquasecurity/trivy-java-db registry.cn-hongkong.aliyuncs.com/deepflow-ce/deepflow-agent:v6.5

DeepFlow version

Defaulted container "deepflow-agent" out of: deepflow-agent, configure-sysctl (init)
10695-abf34f6137e57ec3371caa8ab72433f3343bbe81
Name: deepflow-agent community edition
Branch: v6.5
CommitId: abf34f6137e57ec3371caa8ab72433f3343bbe81
RevCount: 10695
Compiler: rustc 1.77.1 (7cf61ebde 2024-03-27)
CompileTime: 2024-07-11 12:04:49

DeepFlow agent list

| ID | NAME | TYPE | CTRL_IP | CTRL_MAC | STATE | GROUP | EXCEPTIONS | REVISION | UPGRADE_REVISION |
|---|---|---|---|---|---|---|---|---|---|
| 1 | xx.xx.xx.xx-V3 | K8S_VM | xx.xx.xx.xx | 00:50:56:ad:1d:01 | NORMAL | default | CONTROLLER_SOCKET_ERROR | v6.5 10695 | |
| 2 | xx.xx.xx.xx-V1 | K8S_VM | xx.xx.xx.xx | 00:50:56:ad:35:7f | NORMAL | default | | v6.5 10614 | |
| 3 | xx.xx.xx.xx-V2 | K8S_VM | xx.xx.xx.xx | 00:50:56:ad:4e:74 | NORMAL | default | | v6.5 10614 | |

Kubernetes CNI

flannel

Operation-System/Kernel version

4.4.0-142-generic

Anything else

No response

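The reproduction above only prints Trivy's table. For a CI gate on the image, the JSON report (`trivy image -f json ...`) is easier to act on. The following is an added example, not code from the DeepFlow project: a small Go triage tool that reads a Trivy JSON report, keeps findings at or above a severity threshold, optionally only those with a fix available, and exits non-zero when any remain. It assumes the field names of Trivy's JSON schema (`Results[].Target`, `Results[].Vulnerabilities[].VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`, `Title`). The embedded report is constructed for the example; its first entry mirrors the finding reported later in this issue, the second is a made-up MEDIUM entry with a placeholder ID used only to show the filtering.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"sort"
)

// trivyReport is the subset of Trivy's JSON report (trivy image -f json ...)
// needed for triage. Field names follow Trivy's schema (assumed here);
// fields that are not needed are ignored by encoding/json.
type trivyReport struct {
	ArtifactName string `json:"ArtifactName"`
	Results      []struct {
		Target          string `json:"Target"`
		Vulnerabilities []struct {
			VulnerabilityID  string `json:"VulnerabilityID"`
			PkgName          string `json:"PkgName"`
			InstalledVersion string `json:"InstalledVersion"`
			FixedVersion     string `json:"FixedVersion"`
			Severity         string `json:"Severity"`
			Title            string `json:"Title"`
		} `json:"Vulnerabilities"`
	} `json:"Results"`
}

// Finding is one actionable row for the maintainer.
type Finding struct {
	Target, ID, Pkg, Installed, Fixed, Severity, Title string
}

var severityRank = map[string]int{"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

// Triage returns the findings at or above minSeverity, most severe first.
// With fixedOnly set it keeps only findings that carry a FixedVersion, i.e. the
// ones a maintainer can close by bumping the toolchain or rebuilding the binary.
func Triage(report []byte, minSeverity string, fixedOnly bool) ([]Finding, error) {
	threshold, ok := severityRank[minSeverity]
	if !ok {
		return nil, fmt.Errorf("unknown severity %q", minSeverity)
	}
	var r trivyReport
	if err := json.Unmarshal(report, &r); err != nil {
		return nil, fmt.Errorf("parse trivy report: %w", err)
	}
	var out []Finding
	for _, res := range r.Results {
		for _, v := range res.Vulnerabilities {
			if severityRank[v.Severity] < threshold {
				continue
			}
			if fixedOnly && v.FixedVersion == "" {
				continue
			}
			out = append(out, Finding{res.Target, v.VulnerabilityID, v.PkgName, v.InstalledVersion, v.FixedVersion, v.Severity, v.Title})
		}
	}
	sort.SliceStable(out, func(i, j int) bool {
		ri, rj := severityRank[out[i].Severity], severityRank[out[j].Severity]
		if ri != rj {
			return ri > rj
		}
		return out[i].ID < out[j].ID
	})
	return out, nil
}

// sampleReport is a constructed Trivy-style report. The first finding mirrors
// the one reported in this issue; the second is a made-up MEDIUM entry with no
// fix (EXAMPLE-MEDIUM-1 is not a real vulnerability ID).
const sampleReport = `{
  "SchemaVersion": 2,
  "ArtifactName": "registry.cn-hongkong.aliyuncs.com/deepflow-ce/deepflow-agent:v6.5",
  "Results": [
    {
      "Target": "usr/bin/ecapture",
      "Class": "lang-pkgs",
      "Type": "gobinary",
      "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2024-24790", "PkgName": "stdlib", "InstalledVersion": "1.21.5",
         "FixedVersion": "1.21.11, 1.22.4", "Status": "fixed", "Severity": "CRITICAL",
         "Title": "golang: net/netip: Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses"},
        {"VulnerabilityID": "EXAMPLE-MEDIUM-1", "PkgName": "stdlib", "InstalledVersion": "1.21.5",
         "FixedVersion": "", "Status": "affected", "Severity": "MEDIUM",
         "Title": "constructed placeholder finding with no fix available"}
      ]
    }
  ]
}`

func main() {
	data := []byte(sampleReport)
	if len(os.Args) > 1 { // optional: path to a real `trivy image -f json` report
		b, err := os.ReadFile(os.Args[1])
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
		data = b
	}
	findings, err := Triage(data, "HIGH", true)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	for _, f := range findings {
		fmt.Printf("%-8s %-16s %s %s -> %s (%s)\n", f.Severity, f.ID, f.Pkg, f.Installed, f.Fixed, f.Target)
	}
	if len(findings) > 0 {
		os.Exit(1) // fail the pipeline: fixable HIGH/CRITICAL findings remain
	}
}
```

Run it as `go run main.go report.json` against a real report, or with no argument to see the embedded sample. Gating on `fixedOnly` keeps the pipeline from blocking on findings nobody can fix yet, while still failing on the case in this issue, where a newer Go toolchain is already available.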

Nick-0314 commented 3 months ago

Is it convenient to list the vulnerabilities directly? Please propose solutions, and say whether you intend to submit a PR.

wyf0520 commented 3 months ago

Target: usr/bin/ecapture
Library: stdlib
Vulnerability: CVE-2024-24790
Severity: CRITICAL
Status: fixed
Installed Version: 1.21.5
Fixed Version: 1.21.11, 1.22.4
Title: golang: net/netip: Unexpected behavior from Is methods for IPv4-mapped IPv6 addresses
https://avd.aquasec.com/nvd/cve-2024-24790
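The finding above is against the Go standard library compiled into the `ecapture` binary, so the fix is a rebuild with Go 1.21.11 or 1.22.4 or later. The example below is added here and is not code from DeepFlow or eCapture; it shows the bug class behind CVE-2024-24790 and the mitigation that works regardless of toolchain version. In affected Go versions the `netip.Addr` Is* methods (IsPrivate, IsLoopback, ...) return false for IPv4-mapped IPv6 addresses such as `::ffff:10.0.0.1`, so any "do not connect to internal hosts" check built on them can be bypassed by supplying the mapped form. Calling `Unmap()` first (a no-op for non-mapped addresses) gives the right answer on every version. The target list is constructed for the example; `isInternalNaive`, `IsInternalHardened`, `BlockedTarget` and `MappedMismatches` are names chosen here.

```go
package main

import (
	"fmt"
	"net/netip"
	"runtime"
)

// sampleTargets is a constructed list of attacker-supplied destinations for an
// SSRF-style "no internal targets" check. The ::ffff: entries are IPv4-mapped
// IPv6 addresses, the encoding that CVE-2024-24790 mishandles.
var sampleTargets = []string{
	"10.0.0.1",
	"::ffff:10.0.0.1",
	"127.0.0.1",
	"::ffff:127.0.0.1",
	"::1",
	"169.254.169.254",
	"8.8.8.8",
	"::ffff:8.8.8.8",
}

// isInternalNaive is the pattern the CVE breaks: it calls the Is* methods on
// the address as parsed. On Go before 1.21.11 / 1.22.4 an IPv4-mapped address
// such as ::ffff:10.0.0.1 slips through because IsPrivate and IsLoopback
// return false for it.
func isInternalNaive(a netip.Addr) bool {
	return a.IsPrivate() || a.IsLoopback() || a.IsLinkLocalUnicast() || a.IsUnspecified()
}

// IsInternalHardened unmaps first. Unmap returns the embedded IPv4 address for
// ::ffff:a.b.c.d and the address unchanged otherwise, so the classification is
// correct on both vulnerable and fixed toolchains.
func IsInternalHardened(a netip.Addr) bool {
	return isInternalNaive(a.Unmap())
}

// BlockedTarget parses an attacker-supplied address and reports whether a dial
// to it must be refused. Anything that fails to parse is refused as well.
func BlockedTarget(s string) bool {
	a, err := netip.ParseAddr(s)
	if err != nil {
		return true
	}
	return IsInternalHardened(a)
}

// MappedMismatches returns the targets for which the naive and hardened checks
// disagree on the running toolchain. A non-empty result means the Go version
// in use is affected by CVE-2024-24790.
func MappedMismatches(targets []string) []string {
	var out []string
	for _, s := range targets {
		a, err := netip.ParseAddr(s)
		if err != nil {
			continue
		}
		if isInternalNaive(a) != IsInternalHardened(a) {
			out = append(out, s)
		}
	}
	return out
}

func main() {
	fmt.Println("go version:", runtime.Version())
	for _, s := range sampleTargets {
		a := netip.MustParseAddr(s)
		fmt.Printf("%-18s naive=%-5v hardened=%v\n", s, isInternalNaive(a), IsInternalHardened(a))
	}
	if m := MappedMismatches(sampleTargets); len(m) > 0 {
		fmt.Println("naive check bypassed by:", m)
	} else {
		fmt.Println("naive check agrees with hardened check on this toolchain")
	}
}
```

The test asserts only on the hardened path, because the naive result depends on which Go version runs the code; `MappedMismatches` is what you would run inside a suspect binary's own toolchain to confirm exposure. For an image like this one the durable fix is still rebuilding `ecapture` with a patched Go, since third-party code inside the binary cannot be expected to call `Unmap()` everywhere.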

xiaoyuan2019 commented 2 months ago

@Nick-0314 deepflow-app and deepflow-stella-agent-ce have high-risk and critical vulnerabilities.

xiaoyuan2019 commented 2 months ago

deepflow-app.log deepflow-stella-agent.log

xiaoyuan2019 commented 3 weeks ago

@Nick-0314 The v6.5 DeepFlow service images all have high-risk vulnerabilities. Is there a schedule for fixing them? Some of our customers cannot deploy because of this.

Nick-0314 commented 3 weeks ago

> @Nick-0314 The v6.5 DeepFlow service images all have high-risk vulnerabilities. Is there a schedule for fixing them? Some of our customers cannot deploy because of this.

@jiumos @LYootsz @1473371932 I am no longer responsible for this part of the work; please contact these people for follow-up.

xiaoyuan2019 commented 3 weeks ago

@1473371932 The v6.5 DeepFlow service images all have high-risk vulnerabilities. Is there a schedule for fixing them? Some of our customers cannot deploy because of this.