Closed anshulgangrade closed 4 weeks ago
Thank you for your report.
> We are running trivy scan to find out vulnerabilities in influxdb container. We see that alpine has low severity for 2 packages but there are many CVE's reported on golang libraries as below.

I have locally generated and looked at the `trivy` report and while it's true that it lists a number of issues, keep in mind:

- `alpine` base image is older, `influxdb` itself is a statically linked golang program and will not use system libraries (other than libc with 1.8 OSS container builds) or other software from the `alpine` base image
- `influxd` binary for various reasons (code not used, code not imported, code not used in an affected way, affected code not under attacker control, etc). `trivy` also had a few false positives in this area
- `influxd` binary (eg, code not used, code not imported, Windows-only, compiler-only, not under attacker control, etc)

All that said, there are a few open golang stdlib issues. While InfluxDB 1.8 OSS is still supported, it is in deep maintenance and currently receives updates for serious security issues, and none of the open issues are serious within the context of the `influxd` binary. InfluxData closely follows security alerts across its product line (including InfluxDB 1.8 OSS) and if/when a serious issue comes up that affects 1.8, we'll release a new InfluxDB 1.8.11 OSS version built with an up to date golang compiler and/or release a new container build.
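The triage the reply above describes, as an added example that is not part of this thread and not InfluxData's or trivy's code: a small Python script that reads a trivy JSON report, separates the `alpine` (os-pkgs) findings from the `gobinary` findings, records per-finding risk acceptances with a written reason, and blocks only on what is serious and unaccepted. The sample report is constructed in trivy's schema-v2 shape and its CVE ids are placeholders, not real advisories; the `ACCEPTED` reasons are hypothetical.

```python
# Added example (not InfluxData's or trivy's code): triage a trivy JSON
# report the way the reply above argues: separate alpine (os-pkgs)
# findings from gobinary findings, record per-finding risk acceptances
# with a reason, and block only on what is serious and unaccepted.
# SAMPLE_REPORT is constructed in trivy's schema-v2 shape; the CVE ids
# are placeholders, not real advisories.
import json
from collections import Counter

RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

def _v(vid, pkg, sev, fixed):
    return {"VulnerabilityID": vid, "PkgName": pkg, "Severity": sev, "FixedVersion": fixed}

SAMPLE_REPORT = json.dumps({"SchemaVersion": 2, "ArtifactName": "influxdb:1.8.10-alpine",
    "Results": [
        {"Target": "influxdb:1.8.10-alpine (alpine)", "Class": "os-pkgs", "Type": "alpine",
         "Vulnerabilities": [_v("CVE-0000-0001", "libssl1.1", "LOW", "1.1.1x"),
                             _v("CVE-0000-0002", "libcrypto1.1", "LOW", "1.1.1x")]},
        {"Target": "usr/bin/influxd", "Class": "lang-pkgs", "Type": "gobinary",
         "Vulnerabilities": [_v("CVE-0000-0003", "stdlib", "HIGH", "1.19.0"),
                             _v("CVE-0000-0004", "stdlib", "MEDIUM", "1.19.0"),
                             _v("CVE-0000-0005", "golang.org/x/net", "HIGH", "")]}]})

# Risk acceptances: id -> reason, written per binary (the maintainer's
# categories: code not imported, Windows-only, not attacker controlled, ...).
ACCEPTED = {"CVE-0000-0003": "hypothetical: affected stdlib package is Windows-only; influxd on alpine never calls it"}

def findings(report_json):
    """Flatten to (type, id, pkg, severity, has_fix); 'Vulnerabilities' is absent when clean."""
    rows = []
    for r in json.loads(report_json).get("Results", []):
        for v in r.get("Vulnerabilities") or []:
            rows.append((r.get("Type"), v["VulnerabilityID"], v["PkgName"],
                         v.get("Severity", "UNKNOWN"), bool(v.get("FixedVersion"))))
    return rows

def summarize(report_json):
    """Counts per (scanner type, severity), e.g. ('gobinary', 'HIGH') -> 2."""
    return Counter((t, sev) for t, _, _, sev, _ in findings(report_json))

def gate(report_json, accepted, fail_at="HIGH", ignore_unfixed=True):
    """Findings that block deployment: severity >= fail_at, not accepted, and
    (like trivy's --ignore-unfixed) only when a fixed version exists."""
    blocking = []
    for t, vid, pkg, sev, has_fix in findings(report_json):
        if RANK[sev] < RANK[fail_at] or vid in accepted or (ignore_unfixed and not has_fix):
            continue
        blocking.append((t, vid, pkg, sev))
    return blocking
```

Run `gate(json_text, ACCEPTED)` against the output of `trivy image -f json` in a CI step; a non-empty result is the list to either fix or justify in `ACCEPTED`.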
@jdstrand Thanks for the comments. However, our cybersecurity assessment on vulnerabilities scans fails and we cannot deploy this in our cluster. Can we have a new release for influxdb with the updated libraries?
Appreciate your help with this :)
Name and Version: `influxdb:1.8.10-alpine`

What steps will reproduce the bug?

Posting it here as I could not report the security vulnerability as an issue due to the policy.

We are running trivy scan to find out vulnerabilities in influxdb container. We see that alpine has low severity for 2 packages but there are many CVE's reported on golang libraries as below. Please suggest how to fix it?

```
trivy image --format template --template "@contrib/html.tpl" -o influxdb-alpine_report.html influxdb:1.8.10-alpine --ignore-unfixed
```

What is the expected behavior?

```
$ trivy image influxdb:1.8.10-alpine --ignore-unfixed
```

Attached is the pdf report (influxdb_1.8.10-alpine.pdf). Expected behavior is to have 0 vulnerabilities.

Additional information: how to remediate the CVEs reported