Closed kingdonb closed 2 years ago
Looks like merging this and tagging the resulting build would take care of all those, minus the SOPS issue that I mentioned can't be mitigated without a breaking upgrade (and here is the clean scan output):
$ docker scan kingdonb/flux:renovate-githubcom-prometheus-clientgolang-1x-08cff926-wip
Testing kingdonb/flux:renovate-githubcom-prometheus-clientgolang-1x-08cff926-wip...
Organization: kingdonb
Package manager: apk
Project name: docker-image|kingdonb/flux
Docker image: kingdonb/flux:renovate-githubcom-prometheus-clientgolang-1x-08cff926-wip
Platform: linux/amd64
Base image: alpine:3.15.4
Licenses: enabled
✔ Tested 68 dependencies for known issues, no vulnerable paths found.
According to our scan, you are currently using the most secure version of the selected base image
-------------------------------------------------------
Testing kingdonb/flux:renovate-githubcom-prometheus-clientgolang-1x-08cff926-wip...
Organization: kingdonb
Package manager: gomodules
Target file: /usr/local/bin/fluxd
Project name: github.com/fluxcd/flux
Docker image: kingdonb/flux:renovate-githubcom-prometheus-clientgolang-1x-08cff926-wip
Licenses: enabled
✔ Tested 469 dependencies for known issues, no vulnerable paths found.
-------------------------------------------------------
Testing kingdonb/flux:renovate-githubcom-prometheus-clientgolang-1x-08cff926-wip...
✗ High severity vulnerability found in github.com/dgrijalva/jwt-go
Description: Access Restriction Bypass
Info: https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMDGRIJALVAJWTGO-596515
Introduced through: github.com/dgrijalva/jwt-go@3.2.0+incompatible
From: github.com/dgrijalva/jwt-go@3.2.0+incompatible
Fixed in: 4.0.0-preview1
Organization: kingdonb
Package manager: gomodules
Target file: /usr/local/bin/sops
Project name: go.mozilla.org/sops/v3
Docker image: kingdonb/flux:renovate-githubcom-prometheus-clientgolang-1x-08cff926-wip
Licenses: enabled
Tested 167 dependencies for known issues, found 1 issue.
Tested 3 projects, 1 contained vulnerable paths.
Suggested by Renovate and Snyk, there is a medium sev reported in prometheus/client_golang which we could upgrade:

This is just the one issue I noticed that we can do something about right away. I just decided to drop in and scope out potential changes for a next release, since we are coming up on 30 days since the last one.

There are also critical reports from pcre2/pcre2 introduced by our base image (alpine:3.15.4); it's not clear when a new base image patch version will be released, so if we can mitigate this manually or just check for it in the resulting build, which I'm testing out now as I submit this.

Perhaps it will be updated out without a rev in the base image, but I think we don't run apk update in our build process if it's not, so we may have to either change that or wait for a new revision, and I'm inclined to just wait.

Not exactly sure how they do things at Alpine HQ, to be honest, but I'm sure they're on top of this, so maybe we want to delay a release until this all can be resolved out too (I will look for it in the test build result):

The last recorded issue from the scan, which I'll mention just for completeness, is another one which I'm not sure we can do anything about, since SOPS @ v4 must likely contain a breaking change, else it would not have got a major increment; I don't know if we can adopt this upgrade or if we've already covered this in prior discussions. (But I know the jwt-go vulnerability was mitigated in one of our most recent releases, thanks @pjbgf):

I am not in any hurry to push the release button again, just testing. 👍