Open efasel opened 1 month ago
Thank you for the ticket on this @efasel. I've alerted our team and we will be assessing asap.
@efasel Thank you for calling this out for us! We'll have a fix merged shortly.
@sharon-fdm We have an open PR to update the base image that is building for everything except PKG. @rfairburn started on this but is out for a couple of weeks, so I'm sending this to EO for triage and to get it over the finish line. Since this is a security issue, I'm escalating to a P2 to expedite.
Hi!
Since we have Vanta in our system, the docker image that we store on our cloud gives us a lot of VULN alerts.
OpenSSL is one of them but there are many more (see screenshot).
It will block us in our SOC2 certification if we are not able to get the most critical ones fixed.
Is it possible to tackle them as well?
Thanks
@valentinpezon-primo Thanks for the heads up!
@sharon-fdm @lucasmrod Can we tackle the additional vulns reported by @valentinpezon-primo as part of this bug, or should we open a separate bug ticket?
UPDATE:
To generate pkgs, the fleetctl executable uses the fleetdm/bomutils docker image. The fleetdm/fleetctl docker image contains the fleetctl executable + all its dependencies. Such dependencies are copied from the fleetdm/bomutils docker image itself when building the image. So, we need to update the base images of both fleetdm/bomutils and fleetdm/fleetctl. (This is why we increased the estimation from 3 to 5.)
@xpkoala Added QA notes.
Fleet version: v4.54.0
Web browser and operating system:
Actual behavior
Result of trivy scanner:
Steps to reproduce
More info (optional)
Update to the latest debian stable-slim image: https://hub.docker.com/_/debian/tags?page=&page_size=&ordering=&name=stable-slim
QA notes
To test these changes you will need to build fleetdm/wix, fleetdm/bomutils and fleetdm/fleetctl locally (which should overwrite the remote tags):
The following should be tested on a macOS AND a Linux host (with Docker installed):
Then test generating all the pkg|msi|deb|rpm packages both with the fleetctl executable (as usual) and with the fleetdm/fleetctl docker image. The fleetctl executable is the usual way we build packages. fleetdm/fleetctl is a similar invocation but using docker instead of the fleetctl executable:
docker run -v "$(pwd):/build" fleetdm/fleetctl package --type ... --enroll-secret=foo --fleet-url=https://localhost:8080
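The thread above rebuilds the images on a newer debian stable-slim base and then relies on trivy to confirm the OpenSSL and other OS-package findings are gone. The script below is an added example, not part of the issue thread and not Fleet's code: it reads the JSON report that `trivy image --format json --output report.json IMAGE` writes and fails the build when a HIGH or CRITICAL finding with an available fix remains, while still counting unfixed ones for the audit trail a SOC2 reviewer would ask for. It relies only on field names trivy's schema-v2 report actually uses (Results, Target, Vulnerabilities, VulnerabilityID, PkgName, InstalledVersion, FixedVersion, Severity); the embedded sample report, its CVE-0000-* identifiers and the version strings are constructed placeholders so the script runs without trivy installed, and the script name trivy_gate.py is an assumption.

```python
"""CI gate over a trivy JSON report (added example; not Fleet's code).

Produce the report with trivy, then run this script on it:
    trivy image --format json --output report.json fleetdm/fleetctl:latest
    python trivy_gate.py report.json
Exit status 1 means at least one blocking finding remains.
"""
import json
import sys
from collections import Counter

# Severities that fail the build. Lower severities are counted and printed only.
BLOCKING = {"CRITICAL", "HIGH"}


def findings(report):
    """Yield (target, vulnerability) pairs from a trivy schema-v2 report.

    trivy emits "Results" as a list of scanned targets (OS packages, language
    packages, ...); "Vulnerabilities" is absent when a target is clean.
    """
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            yield result.get("Target", "?"), vuln


def evaluate(report, ignore_unfixed=True):
    """Return (blocking, summary).

    blocking: findings that must fail the build, one dict each.
    summary:  Counter of all findings by severity, for the audit trail.
    With ignore_unfixed=True a HIGH/CRITICAL with no FixedVersion is counted
    but does not block, because rebuilding on a newer base cannot remove it.
    """
    blocking = []
    summary = Counter()
    for target, vuln in findings(report):
        severity = str(vuln.get("Severity", "UNKNOWN")).upper()
        summary[severity] += 1
        fixed_version = vuln.get("FixedVersion") or ""
        if severity in BLOCKING and (fixed_version or not ignore_unfixed):
            blocking.append({
                "target": target,
                "id": vuln.get("VulnerabilityID", "?"),
                "pkg": vuln.get("PkgName", "?"),
                "installed": vuln.get("InstalledVersion", "?"),
                "fixed": fixed_version or "(no fix yet)",
                "severity": severity,
            })
    return blocking, summary


def exit_code(report, ignore_unfixed=True):
    """1 if the image must not ship, 0 otherwise; prints the findings."""
    blocking, summary = evaluate(report, ignore_unfixed)
    print("findings by severity:", dict(summary))
    for b in blocking:
        print(f"BLOCK {b['severity']:8} {b['id']} {b['pkg']} "
              f"{b['installed']} -> {b['fixed']} [{b['target']}]")
    return 1 if blocking else 0


# Constructed sample report with placeholder IDs and versions (not real CVEs),
# shaped like trivy's JSON output so the script runs without trivy installed.
SAMPLE_REPORT = {
    "SchemaVersion": 2,
    "ArtifactName": "fleetdm/fleetctl:local",
    "Results": [{
        "Target": "fleetdm/fleetctl:local (debian)",
        "Class": "os-pkgs",
        "Type": "debian",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "openssl",
             "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libc6",
             "InstalledVersion": "2.0-1", "FixedVersion": "", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "zlib1g",
             "InstalledVersion": "1.2-1", "FixedVersion": "1.2-2", "Severity": "LOW"},
        ],
    }],
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    sys.exit(exit_code(report))
```

trivy can enforce the same policy on its own with `trivy image --exit-code 1 --severity HIGH,CRITICAL --ignore-unfixed IMAGE`; the value of a small script like this is that it keeps the full severity breakdown (including unfixed findings the rebuild cannot clear) in the build log as evidence, and that the gate for the three rebuilt images (fleetdm/wix, fleetdm/bomutils, fleetdm/fleetctl) lives in one place rather than in three ad hoc trivy invocations.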