Open debkantap opened 7 months ago
I can't comment on whether the security vulnerabilities currently present in the UDI are acceptable for your use case.
However, I see that at least 5 high severity vulnerabilities are coming from sdkman from the usage of JBang. I already fixed one vulnerability in the past, and the fix to upgrade JBang's dependencies should be simple enough.
There is a high severity vulnerability coming from JGit 5.7.0.202003110725-r though I'm not sure yet if this is coming from JBang or somewhere else.
However, from my understanding, if you are a Red Hat customer you should be using the downstream UDI image (which is free from any security vulnerabilities) instead of the community/upstream universal developer image.
Thanks for your reply. I did check the Red Hat UDI image; it also has the vulnerabilities.
Issues go stale after 180 days of inactivity. lifecycle/stale issues rot after an additional 7 days of inactivity and eventually close.
Mark the issue as fresh with /remove-lifecycle stale in a new comment.
If this issue is safe to close now please do so.
Moderators: Add lifecycle/frozen label to avoid stale mode.
/remove-lifecycle stale
Sorry for the very slow reply.
There are 0 critical vulnerabilities in the Red Hat UDI image, however there are other non-critical vulnerabilities. I believe the current consensus for this image is that the image cannot be shipped with any critical vulnerabilities.
I assume the non-critical vulnerabilities are still blockers for your usage?
Copying some information from a downstream UDI issue that was actually detailing a CVE present in the upstream UDI:
The upstream UDI image quay.io/devfile/universal-developer-image:ubi8-latest currently has the critical security vulnerability CVE-2022-42889 (https://nvd.nist.gov/vuln/detail/CVE-2022-42889).
This vulnerability comes from Apache Commons Text, though I am not sure where this library is being used as a dependency yet (maybe something being downloaded by sdkman?). The security scan from quay shows that the issue arises in the following layer:
RUN /bin/sh -c mkdir -p /home/user && chgrp -R 0 /home && chmod -R g=u /etc/passwd /etc/group /home # buildkit
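As an added example (not code from the issue or from the UDI project), the "no critical vulnerabilities may ship" gate described above, applied to a scan report and reporting which package and layer carries each finding. The report shape is an assumed, simplified form of a Quay/Clair security-scan response; the sample data is constructed to mirror the thread (CVE-2022-42889 in Apache Commons Text, an unnamed high finding in JGit) and the layer digests and the JGit CVE id are placeholders, not real values.

```python
# Added example, not from the issue thread. Gate an image on the rule that no
# critical vulnerability may ship, and show which package/layer carries each one.
# ASSUMPTION: simplified Quay/Clair report shape (status/data/Layer/Features).
from collections import defaultdict

# Constructed sample report mirroring the thread. Layer digests and the JGit
# CVE id are placeholders; the commons-text finding is the one the thread names.
SAMPLE_REPORT = {
    "status": "scanned",
    "data": {"Layer": {"Features": [
        {
            "Name": "org.apache.commons:commons-text",  # constructed
            "Version": "1.9",                            # constructed
            "AddedBy": "sha256:LAYER_PLACEHOLDER_1",
            "Vulnerabilities": [
                {"Name": "CVE-2022-42889", "Severity": "Critical", "FixedBy": "1.10.0"},
            ],
        },
        {
            "Name": "org.eclipse.jgit:org.eclipse.jgit",
            "Version": "5.7.0.202003110725-r",
            "AddedBy": "sha256:LAYER_PLACEHOLDER_2",
            "Vulnerabilities": [
                {"Name": "CVE-PLACEHOLDER-HIGH", "Severity": "High", "FixedBy": ""},
            ],
        },
    ]}},
}


def findings_by_severity(report):
    """Map severity -> list of (cve, package, version, fixed_by, layer)."""
    out = defaultdict(list)
    for feat in report["data"]["Layer"]["Features"]:
        for vuln in feat.get("Vulnerabilities", []):
            out[vuln["Severity"]].append((
                vuln["Name"], feat["Name"], feat["Version"],
                vuln.get("FixedBy", ""), feat.get("AddedBy", ""),
            ))
    return dict(out)


def shippable(report, blocking=("Critical",)):
    """True only when no finding has a blocking severity (default: Critical)."""
    sev = findings_by_severity(report)
    return not any(sev.get(s) for s in blocking)


if __name__ == "__main__":
    for sev, items in sorted(findings_by_severity(SAMPLE_REPORT).items()):
        for cve, pkg, ver, fix, layer in items:
            print(f"{sev:8} {cve} in {pkg} {ver} (fixed in {fix or '?'}) from {layer}")
    print("shippable:", shippable(SAMPLE_REPORT))
```

Widening `blocking` to `("Critical", "High")` models the stricter expectation voiced by the reporter, under which this sample image would also be blocked by the JGit finding.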
Hey @AObuchow, thanks for the reply. Maybe it is because of the chmod for the passwd file.
TR Deb
Yes, this is something we are currently looking into. Thank you for the suggestion & follow-up @debkantap :)
Summary
Can we use the Universal Developer Image as the base image in our custom devfile, as we see lots of vulnerabilities in the recent images on the quay site: https://quay.io/repository/devfile/universal-developer-image?tab=tags
Relevant information
No response