fluxcd / flux

Successor: https://github.com/fluxcd/flux2
https://fluxcd.io
Apache License 2.0

Snyk - Flagged warnings in the base image #3587

Closed kingdonb closed 2 years ago

kingdonb commented 2 years ago

Describe the bug

Expat has a number of critical and high severity warnings which are flagged in the scanner.

Organization:      kingdonb
Package manager:   apk
Project name:      docker-image|fluxcd/flux
Docker image:      fluxcd/flux:1.24.3
Platform:          linux/amd64
Base image:        alpine:3.14.3
Licenses:          enabled

Tested 60 dependencies for known issues, found 8 issues.

I tested and we can eliminate most of these just by building another release image. That will require a semver PATCH release, because we're using immutable artifacts and this is GitOps. So I plan to publish 1.24.4 this week if possible.

There are a few issues flagged in the go modules as well, those will require a bit more effort to resolve. Issues are flagged in jwt-go and in the opencontainers/image-spec/specs-go packages. I should be able to take care of all this tomorrow and get the cranks turning so we can have image and chart releases out later this week.

Steps to reproduce

Compare docker scan fluxcd/flux:1.24.3 output to docker scan docker.io/kingdonb/flux:1.24.3

Expected behavior

There should be no critical or high severity vulnerabilities flagged in the Flux daemon image, if any remediations are available.

Kubernetes version / Distro / Cloud provider

N/A

Flux version

1.24.3

Git provider

No response

Container Registry provider

No response

Additional context

No response

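The policy stated under "Expected behavior" (block only on critical or high findings that actually have a remediation) and the reproduction step (compare the scan of the published image with the scan of a rebuilt one) can be expressed as a small gate. The script below is an added example, not code from the Flux project or from the issue author. It parses the scanner header block quoted in the issue, then applies the gate to two constructed finding lists; the vulnerability ids and fixed versions in `PUBLISHED` and `REBUILT` are placeholders, and the `Finding` structure is an assumption rather than any scanner's real output format.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Header block as quoted in the issue: "Key:   value" lines followed by a totals line.
SUMMARY_TEXT = """Organization:      kingdonb
Package manager:   apk
Project name:      docker-image|fluxcd/flux
Docker image:      fluxcd/flux:1.24.3
Platform:          linux/amd64
Base image:        alpine:3.14.3
Licenses:          enabled

Tested 60 dependencies for known issues, found 8 issues."""

_KV_RE = re.compile(r"^([A-Za-z ]+):\s+(.+?)\s*$")
_TOTALS_RE = re.compile(r"Tested (\d+) dependencies for known issues, found (\d+) issues?\.")


def parse_summary(text: str) -> Dict[str, object]:
    """Parse the key/value header and the 'Tested N ... found M' line into a dict."""
    out: Dict[str, object] = {}
    for line in text.splitlines():
        m = _KV_RE.match(line)
        if m:
            out[m.group(1).strip()] = m.group(2)
    t = _TOTALS_RE.search(text)
    if t:
        out["tested"] = int(t.group(1))
        out["found"] = int(t.group(2))
    return out


@dataclass(frozen=True)
class Finding:
    """Assumed normalised finding; not the scanner's native schema."""
    package: str
    vuln_id: str             # placeholder ids below, not real advisories
    severity: str            # critical / high / medium / low
    fixed_in: Optional[str]  # version carrying a fix, None when no remediation exists


BLOCKING_SEVERITIES = {"critical", "high"}


def blocking_findings(findings: List[Finding]) -> List[Finding]:
    """Findings that violate the policy: critical/high AND a remediation is available."""
    return [f for f in findings
            if f.severity.lower() in BLOCKING_SEVERITIES and f.fixed_in is not None]


def gate_passes(findings: List[Finding]) -> bool:
    """True when nothing blocks a release under the stated policy."""
    return not blocking_findings(findings)


def diff_scans(before: List[Finding], after: List[Finding]) -> Tuple[List[str], List[str], List[str]]:
    """Compare two scans by vulnerability id: (fixed, still_present, newly_introduced)."""
    b = {f.vuln_id for f in before}
    a = {f.vuln_id for f in after}
    return sorted(b - a), sorted(b & a), sorted(a - b)


# Constructed sample data. Ids and versions are placeholders, not real CVEs or releases.
PUBLISHED = [
    Finding("expat", "PLACEHOLDER-EXPAT-1", "critical", "fix-a"),
    Finding("expat", "PLACEHOLDER-EXPAT-2", "high", "fix-a"),
    Finding("busybox", "PLACEHOLDER-BUSYBOX-1", "medium", "fix-b"),
    Finding("jwt-go", "PLACEHOLDER-JWTGO-1", "high", "fix-c"),   # Go module, not an apk package
    Finding("zlib", "PLACEHOLDER-ZLIB-1", "high", None),         # no remediation yet: not blocking
]
# Same Dockerfile rebuilt: apk packages refreshed from the base image, Go modules unchanged.
REBUILT = [
    Finding("jwt-go", "PLACEHOLDER-JWTGO-1", "high", "fix-c"),
    Finding("zlib", "PLACEHOLDER-ZLIB-1", "high", None),
]


if __name__ == "__main__":
    summary = parse_summary(SUMMARY_TEXT)
    print(f"{summary['Docker image']} on {summary['Base image']}: "
          f"{summary['found']} issues in {summary['tested']} dependencies")
    fixed, still, new = diff_scans(PUBLISHED, REBUILT)
    print("fixed by rebuild:", fixed)
    print("still present:", still)
    print("new:", new)
    for name, scan in (("published", PUBLISHED), ("rebuilt", REBUILT)):
        verdict = "PASS" if gate_passes(scan) else "FAIL"
        print(f"{name}: {verdict}", [f.vuln_id for f in blocking_findings(scan)])
```

The rebuild clears the apk-level findings but the gate still fails on the Go module finding, which matches the issue's point that module-level issues need a code change rather than a fresh base image; the finding with no available fix is reported but does not block, per the stated policy.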
kingdonb commented 2 years ago

This has been deprioritized after a review of the listed vulnerabilities, and deferred momentarily while I participate in the important work towards Flux v2 graduation.