fluent / fluentd-kubernetes-daemonset

Fluentd daemonset for Kubernetes and its Docker image
Apache License 2.0
1.27k stars, 981 forks

42 CVEs(including Critical and High) found in latest Docker image "fluent/fluentd-kubernetes-daemonset:v1.16.3-debian-opensearch-1.0" #1470

Closed. ira-gordin-sap closed this 8 months ago

ira-gordin-sap commented 8 months ago

fluent_fluentd-kubernetes-daemonset_sha256_05982e549d22ff0d18460f46dd50787a378107ccb4b0a94d1f2aa8b76c33c242-alerts-report.xlsx

kenhys commented 8 months ago

Thank you for the feedback.

But it seems that these are false-positive cases.

docker run --rm anchore/grype:latest fluent/fluentd-kubernetes-daemonset:v1.16.3-debian-opensearch-1.0 | grep -v Negligible | grep -v "won't fix"

Excluding the "Negligible" and "Won't fix" ones, only linux-libc-dev (header files) is detected. NOTE: uri 0.12.1 is installed but not used, because the newer 0.12.2 is installed to fix the CVE.

ira-gordin-sap commented 8 months ago

Thanks a lot, @kenhys! What about linux-libc-dev?

kenhys commented 8 months ago

linux-libc-dev is a collection of header files. It may be a false positive because fluentd doesn't use it directly.

In the upcoming fluent/fluentd-kubernetes-daemonset:v1.16.3-debian-opensearch-amd64-2.0, linux-libc-dev will be omitted to reduce false-positive detection, because it usually has nothing to do with the runtime container use case.

kenhys commented 8 months ago

It must be removed not only from the base images, but also from the daemonset images themselves.

https://github.com/fluent/fluentd-kubernetes-daemonset/pull/1476 The above PR will resolve it.

kenhys commented 8 months ago
docker run --rm anchore/grype:latest fluent/fluentd-kubernetes-daemonset:v1.16.3-debian-opensearch-amd64-2.1 | grep -v Negligible | grep -v "won't fix"
NAME                INSTALLED          FIXED-IN     TYPE  VULNERABILITY        SEVERITY   
uri                 0.12.1             0.12.2       gem   GHSA-hww2-5g85-429m  Medium      

The above one is already known: a false positive.
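The thread triages the grype table output by hand with `grep -v Negligible | grep -v "won't fix"` and then remembers which remaining rows are known false positives. The script below is an added example (not code from the fluentd-kubernetes-daemonset project) that does the same triage on grype's JSON output (`grype -o json`) so the suppressions are explicit and auditable. It assumes the `matches[].vulnerability` / `matches[].artifact` layout and the `fix.state` value `wont-fix` from grype's JSON schema; the sample report is constructed, with placeholder CVE ids and package names, except for the uri 0.12.1 / GHSA-hww2-5g85-429m row quoted above. The `KNOWN_FALSE_POSITIVES` allowlist and `HEADER_ONLY_PACKAGES` set are hypothetical triage policy, not anything grype or the project ships.

```python
"""Triage grype JSON output: severity threshold, won't-fix state, and an auditable
allowlist of known false positives (added example, not project code)."""
import json
from typing import Dict, List

# Grype's severity scale, lowest first. Anything not on the scale ("Unknown") ranks
# above Critical on purpose, so an unrated finding is never dropped silently.
SEVERITY_ORDER = ["Negligible", "Low", "Medium", "High", "Critical"]

# Known false positives keyed by (package, version, vulnerability id), each with the
# reason recorded. The uri entry is the case discussed in the thread (hypothetical policy).
KNOWN_FALSE_POSITIVES = {
    ("uri", "0.12.1", "GHSA-hww2-5g85-429m"): "newer uri 0.12.2 is installed and used instead",
}

# Packages that only ship build-time files; no code from them runs in the container.
HEADER_ONLY_PACKAGES = {"linux-libc-dev"}

# Constructed sample in the shape of `grype -o json` (subset of fields). All
# CVE-0000-* ids and libexample* packages are placeholders.
SAMPLE_GRYPE_JSON = json.dumps({"matches": [
    {"vulnerability": {"id": "GHSA-hww2-5g85-429m", "severity": "Medium",
                       "fix": {"versions": ["0.12.2"], "state": "fixed"}},
     "artifact": {"name": "uri", "version": "0.12.1", "type": "gem"}},
    {"vulnerability": {"id": "CVE-0000-0001", "severity": "Negligible",
                       "fix": {"versions": [], "state": "not-fixed"}},
     "artifact": {"name": "libexample1", "version": "1.0-1", "type": "deb"}},
    {"vulnerability": {"id": "CVE-0000-0002", "severity": "High",
                       "fix": {"versions": [], "state": "wont-fix"}},
     "artifact": {"name": "libexample2", "version": "2.0-1", "type": "deb"}},
    {"vulnerability": {"id": "CVE-0000-0003", "severity": "Critical",
                       "fix": {"versions": ["9.9-1"], "state": "fixed"}},
     "artifact": {"name": "linux-libc-dev", "version": "6.1.0-0", "type": "deb"}},
    {"vulnerability": {"id": "CVE-0000-0004", "severity": "High",
                       "fix": {"versions": ["3.1"], "state": "fixed"}},
     "artifact": {"name": "libexample3", "version": "3.0", "type": "deb"}},
]})


def severity_rank(severity: str) -> int:
    """Position on SEVERITY_ORDER; unknown values sort above Critical."""
    try:
        return SEVERITY_ORDER.index(severity)
    except ValueError:
        return len(SEVERITY_ORDER)


def triage(report_json: str, min_severity: str = "Low") -> Dict[str, List[dict]]:
    """Split grype matches into 'actionable' and 'suppressed' findings.

    Each suppressed finding carries the reason it was dropped, so a reviewer can
    check the policy instead of trusting a chain of grep -v filters."""
    report = json.loads(report_json)
    threshold = severity_rank(min_severity)
    result: Dict[str, List[dict]] = {"actionable": [], "suppressed": []}
    for match in report.get("matches", []):
        vuln, artifact = match["vulnerability"], match["artifact"]
        fix = vuln.get("fix", {})
        finding = {
            "name": artifact["name"], "version": artifact["version"],
            "type": artifact["type"], "id": vuln["id"],
            "severity": vuln.get("severity", "Unknown"),
            "fixed_in": ", ".join(fix.get("versions", [])) or None,
        }
        key = (finding["name"], finding["version"], finding["id"])
        if severity_rank(finding["severity"]) < threshold:
            reason = f"severity {finding['severity']} below threshold {min_severity}"
        elif fix.get("state") == "wont-fix":
            reason = "distribution marked won't fix"
        elif key in KNOWN_FALSE_POSITIVES:
            reason = "known false positive: " + KNOWN_FALSE_POSITIVES[key]
        elif finding["name"] in HEADER_ONLY_PACKAGES:
            reason = "header-only package, no runtime code in the container"
        else:
            reason = None
        if reason is None:
            result["actionable"].append(finding)
        else:
            result["suppressed"].append({**finding, "reason": reason})
    return result


if __name__ == "__main__":
    # Usage with a real scan: grype -o json <image> > report.json, then pass its text.
    out = triage(SAMPLE_GRYPE_JSON)
    for f in out["actionable"]:
        print(f"ACTIONABLE {f['name']} {f['version']} {f['id']} {f['severity']} fix={f['fixed_in']}")
    for f in out["suppressed"]:
        print(f"suppressed {f['name']} {f['version']} {f['id']}: {f['reason']}")
```

Run against a saved report with `grype -o json fluent/fluentd-kubernetes-daemonset:<tag> > report.json` and `triage(open("report.json").read())`; the allowlist then becomes the place where a decision like "uri 0.12.1 is present but unused" is written down once, rather than re-derived at every scan.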