Open w13915984028 opened 2 months ago
The used packages in network-controller are also surprisingly out-dated, e.g.
kubevirt.io/api => github.com/kubevirt/api v0.54.0
kubevirt.io/client-go => github.com/kubevirt/client-go v0.54.0
Yeah, many dependencies are quite outdated. I also ran a Trivy scan for CVEs on rancher/harvester-network-controller:v0.5.2, and the results showed Total: 15 (UNKNOWN: 0, LOW: 1, MEDIUM: 7, HIGH: 7, CRITICAL: 0). I'm uncertain if we should update all the dependencies affected by these CVEs, but I wanted to flag this for consideration. Perhaps we could address them all at once. c.c. @bk201, @mingshuoqiu
Execute docker run aquasec/trivy image docker.io/rancher/harvester-network-controller:v0.5.2
2024-09-20T04:38:59Z INFO [secret] Secret scanning is enabled
2024-09-20T04:38:59Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-09-20T04:38:59Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.55/docs/scanner/secret#recommendation for faster secret detection
2024-09-20T04:39:04Z INFO Detected OS family="suse linux enterprise server" version="15.6"
2024-09-20T04:39:04Z INFO [suse linux enterprise server] Detecting vulnerabilities... os_version="15.6" pkg_num=146
2024-09-20T04:39:04Z INFO Number of language-specific files num=1
2024-09-20T04:39:04Z INFO [gobinary] Detecting vulnerabilities...
docker.io/rancher/harvester-network-controller:v0.5.2 (suse linux enterprise server 15.6)
=========================================================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
usr/bin/harvester-network-controller (gobinary)
===============================================
Total: 15 (UNKNOWN: 0, LOW: 1, MEDIUM: 7, HIGH: 7, CRITICAL: 0)
| Library | Vulnerability | Severity | Status | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|---|
| github.com/rancher/apiserver | CVE-2023-32192 | HIGH | fixed | v0.0.0-20230120214941-e88c32739dc7 | 0.0.0-20240207153957-4fd7d821d952 | Rancher API Server Cross-site Scripting Vulnerability (https://avd.aquasec.com/nvd/cve-2023-32192) |
| github.com/rancher/norman | CVE-2023-32193 | HIGH | fixed | v0.0.0-20221205184727-32ef2e185b99 | 0.0.0-20240207153100-3bb70b772b52 | Norman API Cross-site Scripting Vulnerability (https://avd.aquasec.com/nvd/cve-2023-32193) |
| github.com/rancher/rancher | CVE-2019-12274 | HIGH | fixed | v0.0.0-20230124173128-2207cfed1803 | 2.2.4, 1.6.27 | Rancher Privilege Escalation Vulnerability (https://avd.aquasec.com/nvd/cve-2019-12274) |
| github.com/rancher/rancher | CVE-2021-36775 | HIGH | fixed | v0.0.0-20230124173128-2207cfed1803 | 2.4.18, 2.5.12, 2.6.3 | Rancher's Failure to delete orphaned role bindings does not revoke project level... (https://avd.aquasec.com/nvd/cve-2021-36775) |
| github.com/rancher/rancher | CVE-2019-11881 | MEDIUM | affected | v0.0.0-20230124173128-2207cfed1803 | | Rancher Login Parameter Can Be Edited (https://avd.aquasec.com/nvd/cve-2019-11881) |
| github.com/rancher/rancher | CVE-2021-25313 | MEDIUM | fixed | v0.0.0-20230124173128-2207cfed1803 | 2.5.6, 2.4.14, 2.3.11 | Rancher Cross-site Scripting Vulnerability (https://avd.aquasec.com/nvd/cve-2021-25313) |
| github.com/rancher/rancher | GHSA-wm2r-rp98-8pmh | LOW | fixed | v0.0.0-20230124173128-2207cfed1803 | 2.5.13, 2.6.4 | Exposure of SSH credentials in Rancher/Fleet (https://github.com/advisories/GHSA-wm2r-rp98-8pmh) |
| go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp | CVE-2023-45142 | HIGH | fixed | v0.20.0 | 0.44.0 | opentelemetry: DoS vulnerability in otelhttp (https://avd.aquasec.com/nvd/cve-2023-45142) |
| golang.org/x/crypto | CVE-2023-48795 | MEDIUM | fixed | v0.14.0 | 0.17.0 | ssh: Prefix truncation attack on Binary Packet Protocol (BPP) (https://avd.aquasec.com/nvd/cve-2023-48795) |
| golang.org/x/net | CVE-2023-45288 | MEDIUM | fixed | v0.17.0 | 0.23.0 | golang: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS (https://avd.aquasec.com/nvd/cve-2023-45288) |
| google.golang.org/protobuf | CVE-2024-24786 | MEDIUM | fixed | v1.30.0 | 1.33.0 | golang-protobuf: encoding/protojson, internal/encoding/json: infinite loop in protojson.Unmarshal when unmarshaling certain forms of... (https://avd.aquasec.com/nvd/cve-2024-24786) |
| kubevirt.io/kubevirt | CVE-2023-26484 | HIGH | affected | v0.54.0 | | kubevirt: Incorrect Authorization (https://avd.aquasec.com/nvd/cve-2023-26484) |
| kubevirt.io/kubevirt | GHSA-qv98-3369-g364 | HIGH | fixed | v0.54.0 | 0.55.1 | KubeVirt vulnerable to arbitrary file read on host (https://github.com/advisories/GHSA-qv98-3369-g364) |
| kubevirt.io/kubevirt | CVE-2024-31420 | MEDIUM | affected | v0.54.0 | | cnv: DoS through repeatedly calling vm-dump-metrics until virt handler crashes (https://avd.aquasec.com/nvd/cve-2024-31420) |
| kubevirt.io/kubevirt | CVE-2024-33394 | MEDIUM | affected | v0.54.0 | | kubevirt allows a local attacker to execute arbitrary code via a crafted... (https://avd.aquasec.com/nvd/cve-2024-33394) |
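A small CI-style gate over Trivy's JSON report, added here as an example and not code from the network-controller project: it groups the gobinary findings by Go module together with the fixed versions a go.mod bump would need, and lists separately the findings that have no fixed version yet (such as CVE-2023-26484 above), which a dependency bump alone cannot clear. The field names follow Trivy's `--format json` output; the embedded sample report is constructed from three rows of the scan above.

```go
package main

import "encoding/json"
import "fmt"
// Subset of Trivy's JSON report (trivy image --format json) that the gate reads.
type trivyReport struct {
	Results []struct {
		Type            string `json:"Type"`
		Vulnerabilities []struct {
			ID       string `json:"VulnerabilityID"`
			PkgName  string `json:"PkgName"`
			Fixed    string `json:"FixedVersion"`
			Severity string `json:"Severity"`
		} `json:"Vulnerabilities"`
	} `json:"Results"`
}
var rank = map[string]int{"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
// GoBumps maps each Go module to the "fixed-version (advisory)" entries of at least
// minSeverity; findings with no fixed version go to unfixed, since no go.mod bump clears them.
func GoBumps(report []byte, minSeverity string) (bumps map[string][]string, unfixed []string, err error) {
	var r trivyReport
	if err = json.Unmarshal(report, &r); err != nil {
		return nil, nil, err
	}
	bumps = map[string][]string{}
	for _, res := range r.Results {
		if res.Type != "gobinary" {
			continue // OS-package findings are cleared by a base-image update, not by go.mod
		}
		for _, v := range res.Vulnerabilities {
			switch {
			case rank[v.Severity] < rank[minSeverity]: // below the gate's threshold
			case v.Fixed == "":
				unfixed = append(unfixed, v.PkgName+" "+v.ID)
			default:
				bumps[v.PkgName] = append(bumps[v.PkgName], v.Fixed+" ("+v.ID+")")
			}
		}
	}
	return bumps, unfixed, nil
}
// Constructed sample report, reduced to three rows of the scan in this thread.
const sample = `{"Results":[{"Type":"gobinary","Vulnerabilities":[{"VulnerabilityID":"CVE-2023-48795","PkgName":"golang.org/x/crypto","FixedVersion":"0.17.0","Severity":"MEDIUM"},
{"VulnerabilityID":"CVE-2023-26484","PkgName":"kubevirt.io/kubevirt","FixedVersion":"","Severity":"HIGH"},
{"VulnerabilityID":"GHSA-qv98-3369-g364","PkgName":"kubevirt.io/kubevirt","FixedVersion":"0.55.1","Severity":"HIGH"}]}]}`
func main() { // for a real scan, read the report from os.Stdin instead of sample
	bumps, unfixed, err := GoBumps([]byte(sample), "MEDIUM")
	fmt.Println(bumps, unfixed, err)
}
```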
@w13915984028 do we need this for 1.4.0?
@bk201 This issue itself is targeted at decoupling network-controller and harvester: add the nad and vmi to generator to get the required controller code & bump the kube-virt version, then network-controller does not need to import them from Harvester. My PR https://github.com/harvester/network-controller-harvester/pull/117 is halfway done. Will try to finish it next week.
What @brandboat mentioned is more general: the network-controller needs to bump those dependencies as much as possible. That is better included in v1.4.0, but I have no time to bump all & test them now.
Is your enhancement related to a problem? Please describe.
Harvester-network-controller imports Harvester, and the go.mod still stays on v1.1.2-rc8:
https://github.com/harvester/network-controller-harvester/blob/9892fc188d42b327e968acd2827038142f2085ad/go.mod#L69
The further potential cross dependency (via PR https://github.com/harvester/harvester/pull/6538 and issue https://github.com/harvester/harvester/issues/2995) will also be troublesome.
Describe the solution you'd like
Drop the dependency on Harvester; or bump to latest version
Describe alternatives you've considered
Additional context
Observed when debugging https://github.com/harvester/network-controller-harvester/pull/116