grafana / rollout-operator

Kubernetes Rollout Operator
Apache License 2.0

Update dependencies for CVEs and base image #23

Closed andyasp closed 2 years ago

andyasp commented 2 years ago

Original trivy scan results:

grafana/rollout-operator:v0.1.2 (alpine 3.14.8)
===============================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

bin/rollout-operator (gobinary)
===============================
Total: 19 (UNKNOWN: 5, LOW: 0, MEDIUM: 3, HIGH: 11, CRITICAL: 0)

┌─────────────────────────────────────┬─────────────────────┬──────────┬────────────────────────────────────┬───────────────────────────────────┬──────────────────────────────────────────────────────────────┐
│               Library               │    Vulnerability    │ Severity │         Installed Version          │           Fixed Version           │                            Title                             │
├─────────────────────────────────────┼─────────────────────┼──────────┼────────────────────────────────────┼───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/gogo/protobuf            │ CVE-2021-3121       │ HIGH     │ v1.3.1                             │ 1.3.2                             │ gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain   │
│                                     │                     │          │                                    │                                   │ index validation                                             │
│                                     │                     │          │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2021-3121                    │
│                                     ├─────────────────────┼──────────┤                                    │                                   ├──────────────────────────────────────────────────────────────┤
│                                     │ GHSA-c3h9-896r-86jm │ UNKNOWN  │                                    │                                   │ Due to improper bounds checking, maliciously crafted input   │
│                                     │                     │          │                                    │                                   │ to generated Unmarshal methods...                            │
│                                     │                     │          │                                    │                                   │ https://github.com/advisories/GHSA-c3h9-896r-86jm            │
├─────────────────────────────────────┼─────────────────────┼──────────┼────────────────────────────────────┼───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/prometheus/client_golang │ CVE-2022-21698      │ HIGH     │ v1.11.0                            │ 1.11.1                            │ prometheus/client_golang: Denial of service using            │
│                                     │                     │          │                                    │                                   │ InstrumentHandlerCounter                                     │
│                                     │                     │          │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2022-21698                   │
│                                     ├─────────────────────┼──────────┤                                    │                                   ├──────────────────────────────────────────────────────────────┤
│                                     │ GHSA-cg3q-j54f-5p7p │ UNKNOWN  │                                    │                                   │ The Prometheus client_golang HTTP server is vulnerable to a  │
│                                     │                     │          │                                    │                                   │ denial of service...                                         │
│                                     │                     │          │                                    │                                   │ https://github.com/advisories/GHSA-cg3q-j54f-5p7p            │
├─────────────────────────────────────┼─────────────────────┼──────────┼────────────────────────────────────┼───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/crypto                 │ CVE-2020-29652      │ HIGH     │ v0.0.0-20200622213623-75b288015ac9 │ 0.0.0-20201216223049-8b5274cf687f │ golang: crypto/ssh: crafted authentication request can lead  │
│                                     │                     │          │                                    │                                   │ to nil pointer dereference                                   │
│                                     │                     │          │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2020-29652                   │
│                                     ├─────────────────────┤          │                                    ├───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                     │ CVE-2021-43565      │          │                                    │ 0.0.0-20211202192323-5770296d904e │ golang.org/x/crypto: empty plaintext packet causes panic     │
│                                     │                     │          │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2021-43565                   │
│                                     ├─────────────────────┤          │                                    ├───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                     │ CVE-2022-27191      │          │                                    │ 0.0.0-20220314234659-1baeb1ce4c0b │ golang: crash in a golang.org/x/crypto/ssh server            │
│                                     │                     │          │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2022-27191                   │
│                                     ├─────────────────────┼──────────┤                                    │                                   ├──────────────────────────────────────────────────────────────┤
│                                     │ GHSA-8c26-wmh5-6g9v │ UNKNOWN  │                                    │                                   │ Attackers can cause a crash in SSH servers when the server   │
│                                     │                     │          │                                    │                                   │ has...                                                       │
│                                     │                     │          │                                    │                                   │ https://github.com/advisories/GHSA-8c26-wmh5-6g9v            │
│                                     ├─────────────────────┤          │                                    ├───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                     │ GHSA-gwc9-m7rh-j2ww │          │                                    │ 0.0.0-20211202192323-5770296d904e │ Unauthenticated clients can cause a panic in SSH servers.    │
│                                     │                     │          │                                    │                                   │                                                              │
│                                     │                     │          │                                    │                                   │ When using AES-GCM or...                                     │
│                                     │                     │          │                                    │                                   │ https://github.com/advisories/GHSA-gwc9-m7rh-j2ww            │
├─────────────────────────────────────┼─────────────────────┼──────────┼────────────────────────────────────┼───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/net                    │ CVE-2021-33194      │ HIGH     │ v0.0.0-20200625001655-4c5254603344 │ 0.0.0-20210520170846-37e1c6afe023 │ golang: x/net/html: infinite loop in ParseFragment           │
│                                     │                     │          │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2021-33194                   │
│                                     ├─────────────────────┤          │                                    ├───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                     │ CVE-2021-44716      │          │                                    │ 0.0.0-20211209124913-491a49abca63 │ golang: net/http: limit growth of header canonicalization    │
│                                     │                     │          │                                    │                                   │ cache                                                        │
│                                     │                     │          │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2021-44716                   │
│                                     ├─────────────────────┤          │                                    ├───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                     │ CVE-2022-27664      │          │                                    │ 0.0.0-20220906165146-f3363e06e74c │ golang: net/http: handle server errors after sending GOAWAY  │
│                                     │                     │          │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2022-27664                   │
│                                     ├─────────────────────┼──────────┤                                    ├───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                     │ CVE-2021-31525      │ MEDIUM   │                                    │ 0.0.0-20210428140749-89ef3d95e781 │ golang: net/http: panic in ReadRequest and ReadResponse when │
│                                     │                     │          │                                    │                                   │ reading a very large...                                      │
│                                     │                     │          │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2021-31525                   │
├─────────────────────────────────────┼─────────────────────┤          ├────────────────────────────────────┼───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/sys                    │ CVE-2022-29526      │          │ v0.0.0-20210603081109-ebe580a85c40 │ 0.0.0-20220412211240-33da011f77ad │ golang: syscall: faccessat checks wrong group                │
│                                     │                     │          │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2022-29526                   │
├─────────────────────────────────────┼─────────────────────┼──────────┼────────────────────────────────────┼───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/text                   │ CVE-2020-14040      │ HIGH     │ v0.3.2                             │ 0.3.3                             │ golang.org/x/text: possibility to trigger an infinite loop   │
│                                     │                     │          │                                    │                                   │ in encoding/unicode could lead to...                         │
│                                     │                     │          │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2020-14040                   │
│                                     ├─────────────────────┤          │                                    ├───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                     │ CVE-2021-38561      │          │                                    │ 0.3.7                             │ golang: out-of-bounds read in golang.org/x/text/language     │
│                                     │                     │          │                                    │                                   │ leads to DoS                                                 │
│                                     │                     │          │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2021-38561                   │
│                                     ├─────────────────────┤          │                                    ├───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                     │ CVE-2022-32149      │          │                                    │ 0.3.8                             │ golang: golang.org/x/text/language: ParseAcceptLanguage      │
│                                     │                     │          │                                    │                                   │ takes a long time to parse complex tags                      │
│                                     │                     │          │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2022-32149                   │
│                                     ├─────────────────────┼──────────┤                                    ├───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                                     │ GHSA-5rcv-m4m3-hfh7 │ UNKNOWN  │                                    │ 0.3.3                             │ An attacker could provide a single byte to a UTF16 decoder   │
│                                     │                     │          │                                    │                                   │ instantiated...                                              │
│                                     │                     │          │                                    │                                   │ https://github.com/advisories/GHSA-5rcv-m4m3-hfh7            │
├─────────────────────────────────────┼─────────────────────┼──────────┼────────────────────────────────────┼───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ k8s.io/client-go                    │ CVE-2020-8565       │ MEDIUM   │ v0.18.17                           │ 0.20.0-alpha.2                    │ kubernetes: Incomplete fix for CVE-2019-11250 allows for     │
│                                     │                     │          │                                    │                                   │ token leak in logs when...                                   │
│                                     │                     │          │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2020-8565                    │
└─────────────────────────────────────┴─────────────────────┴──────────┴────────────────────────────────────┴───────────────────────────────────┴──────────────────────────────────────────────────────────────┘

After these changes (ran on a local image built from make build-image):

rollout-operator:update-for-cves-0821763 (alpine 3.16.2)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

CLAassistant commented 2 years ago

CLA assistant check
All committers have signed the CLA.

andyasp commented 2 years ago

Yeah, this is over a year jump in multiple dependencies. I agree, I was thinking of tagging an RC version (v0.2.0-rc.0?) then setting that in a dev cell to watch a few rollouts to gain confidence in it.

On the bright side there weren't major version bumps in the direct dependencies updated and no modifications were required for this to still build.

colega commented 2 years ago

I have tested this on a local environment and it works fine :+1:

Thank you.