getsentry / sentry-kubernetes

Kubernetes event reporter for Sentry
Apache License 2.0

Multiple security issues in libraries - please rebuild the py image and create a maintenance version #86

Closed georgkoester closed 6 months ago

georgkoester commented 8 months ago

Environment

py1.0.0a on Kubernetes

Steps to Reproduce

  1. Just run a security scanner like trivy against the image; various old and new issues show up. A few of the more recent critical ones: CVE-2022-1292 (libssl1.1 1.1.0j-1~deb9u1), CVE-2022-22823 (libexpat1 2.2.0-2+deb9u1), CVE-2022-22823 (libexpat1 2.2.0-2+deb9u1), CVE-2022-22823 (libexpat1 2.2.0-2+deb9u1). I am getting at least 40 criticals, and many are newer than 2020, the release of py1.0.0a. 105 critical and high in total.

This currently raises doubts about the sentry brand and the fitness for our purposes.

Expected Result

New maintenance release with current versions of dependencies available.

Actual Result

105 highs and criticals in the very old last available release.
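
The report above describes the scanner output informally; a release gate usually needs it in machine-readable form. The following is an added example, not code from the issue or the sentry-kubernetes project: it parses a Trivy JSON report (the layout assumed here is the one `trivy image --format json` writes), deduplicates CVE/package pairs, counts findings per severity, and fails the gate when CRITICAL or HIGH findings remain. The sample report is constructed by hand; its CVE ids and package versions are the ones quoted in the issue, while the image name and the MEDIUM entry are placeholders.

```python
"""Summarise a Trivy JSON report and enforce a CRITICAL/HIGH gate on an image.

Added example, not part of the issue or the sentry-kubernetes project. Assumes the
report was produced with `trivy image --format json <image>`; the sample below is
constructed by hand in that layout.
"""
import json
from collections import Counter

# Constructed sample report. The CVE ids and package versions are the ones quoted in
# the issue; the image name and the MEDIUM entry are placeholders, not real findings.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "registry.invalid/sentry-kubernetes:py1.0.0a",
    "Results": [
        {
            "Target": "registry.invalid/sentry-kubernetes:py1.0.0a (debian 9)",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-2022-1292", "PkgName": "libssl1.1",
                 "InstalledVersion": "1.1.0j-1~deb9u1", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-2022-22823", "PkgName": "libexpat1",
                 "InstalledVersion": "2.2.0-2+deb9u1", "Severity": "CRITICAL"},
                # The issue's own list repeats CVE-2022-22823; the gate deduplicates
                # CVE/package pairs so repeated entries do not inflate the totals.
                {"VulnerabilityID": "CVE-2022-22823", "PkgName": "libexpat1",
                 "InstalledVersion": "2.2.0-2+deb9u1", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-PLACEHOLDER-0001", "PkgName": "placeholder-pkg",
                 "InstalledVersion": "0.0.0", "Severity": "MEDIUM"},
            ],
        }
    ],
})

# Severities that block a release; tighten or loosen to match local policy.
GATE_SEVERITIES = ("CRITICAL", "HIGH")


def unique_findings(report_json):
    """Flatten a Trivy report into unique (cve, package, version, severity) tuples."""
    report = json.loads(report_json)
    seen = set()
    findings = []
    for result in report.get("Results", []):
        # Results without vulnerabilities omit the key entirely, hence the default.
        for vuln in result.get("Vulnerabilities") or []:
            key = (vuln["VulnerabilityID"], vuln["PkgName"])
            if key in seen:
                continue
            seen.add(key)
            findings.append((vuln["VulnerabilityID"], vuln["PkgName"],
                             vuln.get("InstalledVersion", ""),
                             vuln["Severity"].upper()))
    return findings


def severity_counts(findings):
    """Count unique findings per severity, e.g. Counter({'CRITICAL': 2, 'MEDIUM': 1})."""
    return Counter(f[3] for f in findings)


def gate(findings, fail_on=GATE_SEVERITIES):
    """Return (passed, offenders); passed is False if any finding has a gated severity."""
    offenders = sorted(f"{cve} ({pkg} {ver})"
                       for cve, pkg, ver, sev in findings if sev in fail_on)
    return (len(offenders) == 0, offenders)


if __name__ == "__main__":
    found = unique_findings(SAMPLE_REPORT)
    print(dict(severity_counts(found)))
    passed, offenders = gate(found)
    print("PASS" if passed else "FAIL: " + ", ".join(offenders))
    raise SystemExit(0 if passed else 1)
```

Run as a script it exits non-zero on the sample, which is the behaviour a CI job wants; in a pipeline, feed it the real report written by `trivy image --format json` instead of the constructed sample. The deduplication key is deliberately (CVE, package) rather than the whole entry, so the same advisory listed twice counts once in the totals the gate reports.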

tonyo commented 7 months ago

The legacy Python implementation is quite old and basically abandoned; we won't be updating it.

Please consider using the current (Go) implementation. Docker images for it are currently hosted in the GitHub container registry: https://github.com/getsentry/sentry-kubernetes/pkgs/container/sentry-kubernetes