Closed: ira-gordin-sap closed this 8 months ago
Thank you for the feedback.
But it seems that these are false-positive cases.
docker run --rm anchore/grype:latest fluent/fluentd-kubernetes-daemonset:v1.16.3-debian-opensearch-1.0 | grep -v Negligible | grep -v "won't fix"
After excluding the "Negligible" and "won't fix" ones, only linux-libc-dev (header files) is detected. NOTE: uri 0.12.1 is installed but not used, because the newer 0.12.2 is installed to fix the CVE.
Thanks a lot, @kenhys! What about linux-libc-dev?
linux-libc-dev is a collection of header files. It may be a false positive because fluentd doesn't use it directly.
In the upcoming fluent/fluentd-kubernetes-daemonset:v1.16.3-debian-opensearch-amd64-2.0, linux-libc-dev will be omitted to reduce false-positive detections, because it usually has nothing to do with the runtime container use case.
It must be removed not only from the base images, but also from the daemonset images themselves.
https://github.com/fluent/fluentd-kubernetes-daemonset/pull/1476 The above PR will resolve it.
docker run --rm anchore/grype:latest fluent/fluentd-kubernetes-daemonset:v1.16.3-debian-opensearch-amd64-2.1 | grep -v Negligible | grep -v "won't fix"
NAME  INSTALLED  FIXED-IN  TYPE  VULNERABILITY        SEVERITY
uri   0.12.1     0.12.2    gem   GHSA-hww2-5g85-429m  Medium
The above one is already known; it is a false positive.
fluent_fluentd-kubernetes-daemonset_sha256_05982e549d22ff0d18460f46dd50787a378107ccb4b0a94d1f2aa8b76c33c242-alerts-report.xlsx
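The triage done by hand in this thread (drop Negligible and won't-fix findings, then recognise the uri case where a fixed version of the same gem is installed next to the vulnerable one) can be scripted against grype's JSON output. The following is an added example, not code from this issue or from the fluentd-kubernetes-daemonset project. It assumes grype's `-o json` layout (`matches[].vulnerability.{id,severity,fix}` and `matches[].artifact`); the report and the installed-version map are constructed inline, and the vulnerability ids starting with `SAMPLE-` are placeholders.

```python
"""Triage a grype JSON report: filter by severity and fix state, and flag
findings shadowed by a newer installed version of the same package.

Added example, not code from the issue or the fluentd project. The sample
report is constructed to mirror grype's `-o json` layout; ids beginning with
SAMPLE- are placeholders.
"""
import json

# Constructed sample report. The first entry is the finding from the thread,
# the rest are placeholders exercising the other triage branches.
SAMPLE_REPORT = json.dumps({
    "matches": [
        {"vulnerability": {"id": "GHSA-hww2-5g85-429m", "severity": "Medium",
                           "fix": {"versions": ["0.12.2"], "state": "fixed"}},
         "artifact": {"name": "uri", "version": "0.12.1", "type": "gem"}},
        {"vulnerability": {"id": "SAMPLE-0001", "severity": "Negligible",
                           "fix": {"versions": [], "state": "not-fixed"}},
         "artifact": {"name": "libsample-a", "version": "1.0", "type": "deb"}},
        {"vulnerability": {"id": "SAMPLE-0002", "severity": "High",
                           "fix": {"versions": [], "state": "wont-fix"}},
         "artifact": {"name": "libsample-b", "version": "2.0", "type": "deb"}},
        {"vulnerability": {"id": "SAMPLE-0003", "severity": "High",
                           "fix": {"versions": ["1.5"], "state": "fixed"}},
         "artifact": {"name": "libsample-c", "version": "1.4", "type": "deb"}},
    ]
})

# Constructed map of every installed version per package, as you would build
# from `gem list` / `dpkg -l` inside the container. grype reports only the
# vulnerable version, so the newer uri is invisible without this side input.
SAMPLE_INSTALLED = {
    ("gem", "uri"): ["0.12.1", "0.12.2"],
    ("deb", "libsample-a"): ["1.0"],
    ("deb", "libsample-b"): ["2.0"],
    ("deb", "libsample-c"): ["1.4"],
}


def parse_version(v):
    """Numeric dotted comparison only; enough for the versions above, not a
    full RubyGems or dpkg version comparator."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def triage(report_json, installed,
           ignore_severities=("Negligible",), ignore_states=("wont-fix",)):
    """Return one row per grype match with a triage status:
    actionable, ignored-severity, ignored-<fix state>, or shadowed
    (a version satisfying the fix is installed alongside the vulnerable one)."""
    rows = []
    for match in json.loads(report_json)["matches"]:
        vuln, art = match["vulnerability"], match["artifact"]
        fix = vuln.get("fix", {})
        fixed_in = fix.get("versions") or []
        row = {"name": art["name"], "installed": art["version"],
               "fixed_in": ", ".join(fixed_in), "type": art["type"],
               "id": vuln["id"], "severity": vuln["severity"],
               "status": "actionable"}
        if vuln["severity"] in ignore_severities:
            row["status"] = "ignored-severity"
        elif fix.get("state") in ignore_states:
            row["status"] = "ignored-" + fix["state"]
        else:
            others = installed.get((art["type"], art["name"]), [])
            if any(parse_version(o) >= parse_version(f)
                   for o in others for f in fixed_in):
                # Still needs a runtime check that the newer copy is the one
                # actually loaded; see the note below the code.
                row["status"] = "shadowed"
        rows.append(row)
    return rows


def actionable(rows):
    """Findings that survive the filters and are not shadowed."""
    return [r for r in rows if r["status"] == "actionable"]


def render(rows):
    """grype-style table with an extra STATUS column."""
    cols = ["name", "installed", "fixed_in", "type", "id", "severity", "status"]
    widths = {c: max(len(c), *(len(r[c]) for r in rows)) for c in cols}
    lines = ["  ".join(c.upper().ljust(widths[c]) for c in cols)]
    for r in rows:
        lines.append("  ".join(r[c].ljust(widths[c]) for c in cols))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(triage(SAMPLE_REPORT, SAMPLE_INSTALLED)))
```

A "shadowed" row is only a candidate false positive: the script shows that a fixed version is present, not that it is the one Ruby loads. Confirm that inside the image with `ruby -e 'require "uri"; puts URI::VERSION'` and expect the fixed version (0.12.2 here) before closing the finding.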