Closed tk-l2002 closed 1 year ago
What makes you think kustomize-controller is affected by these?
I cannot state whether the controller is affected by these vulnerabilities. We are reporting this because our security policy requires that we do not run images with critical vulnerabilities.
The Flux team is aware of OS CVEs in our images, as they are reported here: https://artifacthub.io/packages/helm/fluxcd-community/flux2?modal=security-report.
We plan to do a Flux release by the end of this month. If you can't wait, feel free to build your own images. To build kustomize-controller see https://github.com/fluxcd/kustomize-controller/blob/main/DEVELOPMENT.md#how-to-install-the-controller
Thank you for the news & tip.
By the way, Flux is not an email client nor an email server, so I don't see how the Libksba CVEs can affect any of our controllers.
@tk-l2002 we've made available a release candidate for kustomize-controller with no OS CVEs. Please see https://github.com/fluxcd/kustomize-controller/pull/786
Ok, thanks for that
Flux v0.39.0 is out now
Describe the bug
Our container scanner, GKE Security Posture, has reported the following issues in "ghcr.io/fluxcd/kustomize-controller:v0.32.0":
Steps to reproduce
Run a container scanning tool such as GKE Security Posture.
Expected behavior
The kustomize controller does not contain any high or critical CVEs.
Screenshots and recordings
No response
OS / Distro
N/A
Flux version
N/A
Flux check
N/A
Git provider
No response
Container Registry provider
No response
Additional context
No response