Open supreeth90 opened 2 years ago
I will take a look
/cc @bn222
While you're right that v3.3.2 has the vulnerabilities:
trivy i --no-progress -s HIGH,CRITICAL --vuln-type os --exit-code 1 ghcr.io/k8snetworkplumbingwg/sriov-network-device-plugin:v3.3.2
If you check the latest version, it does not have any:
trivy i --no-progress -s HIGH,CRITICAL --vuln-type os --exit-code 1 ghcr.io/k8snetworkplumbingwg/sriov-network-device-plugin
Closing the issue since it doesn't exist in master.
@supreeth90 thanks for reporting the issues! v3.3.2 is a tag, we don't maintain a branch for it. It is recommended to upgrade to the latest version. I'm closing it now, feel free to re-open if you think otherwise.
@bn222 we are pinning alpine version to 3.12 in Dockerfile, ran trivy on my local setup and it still hit those issues.
will submit PR to update Dockerfiles.
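The gate that the trivy commands in this thread apply (`-s HIGH,CRITICAL --vuln-type os --exit-code 1`), reproduced over a saved JSON report so the findings can also be triaged into "fixed by rebuilding on a newer base image" versus "no distro fix yet". This is an added example, not code from the plugin project or from anyone in the thread; the report is constructed in Trivy's JSON layout (`Results[].Vulnerabilities[]`) with placeholder CVE IDs and package versions.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of `trivy image -f json ...` output.
# CVE IDs and versions are placeholders, not the real v3.3.2 findings.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "ghcr.io/k8snetworkplumbingwg/sriov-network-device-plugin:v3.3.2",
    "Results": [
        {"Target": "sriov-network-device-plugin:v3.3.2 (alpine 3.12.0)",
         "Class": "os-pkgs", "Type": "alpine",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-PLACEHOLDER-0001", "PkgName": "libcrypto1.1",
              "InstalledVersion": "1.1.1g-r0", "FixedVersion": "1.1.1k-r0", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-PLACEHOLDER-0002", "PkgName": "libcrypto1.1",
              "InstalledVersion": "1.1.1g-r0", "FixedVersion": "1.1.1l-r0", "Severity": "CRITICAL"},
             {"VulnerabilityID": "CVE-PLACEHOLDER-0003", "PkgName": "busybox",
              "InstalledVersion": "1.31.1-r16", "FixedVersion": "", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-PLACEHOLDER-0004", "PkgName": "zlib",
              "InstalledVersion": "1.2.11-r3", "FixedVersion": "1.2.12-r0", "Severity": "MEDIUM"},
         ]},
        # Language-package result with no Vulnerabilities key, as Trivy emits for clean targets.
        {"Target": "usr/bin/sriovdp", "Class": "lang-pkgs", "Type": "gobinary"},
    ],
})


def gate(report, severities=("HIGH", "CRITICAL"), vuln_class="os-pkgs"):
    """Apply the same filter as `-s HIGH,CRITICAL --vuln-type os --exit-code 1`.

    Only results of the given class (os-pkgs == --vuln-type os) are considered.
    Returns (exit_code, matching findings); exit code 1 means the image fails the gate.
    """
    findings = []
    for result in json.loads(report).get("Results", []):
        if vuln_class and result.get("Class") != vuln_class:
            continue
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("Severity") in severities:
                findings.append(vuln)
    return (1 if findings else 0), findings


def triage(findings):
    """Split gated findings by whether the distro already ships a fixed package.

    Fixable ones disappear by rebuilding on a newer base image (the remedy in this
    thread); unfixed ones must be tracked until the distro publishes a patch.
    """
    fixable, unfixed = defaultdict(set), defaultdict(set)
    for vuln in findings:
        bucket = fixable if vuln.get("FixedVersion") else unfixed
        bucket[vuln["PkgName"]].add(vuln["VulnerabilityID"])
    return dict(fixable), dict(unfixed)
```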
@adrianchiris @rollandf can we try to switch the image to centos or something else?
What happened?
HIGH and CRITICAL vulnerabilities found in sriov-network-device-plugin v3.3.2 container image (ghcr.io/k8snetworkplumbingwg/sriov-network-device-plugin:v3.3.2)
REPORT:
What did you expect to happen?
0 HIGH and CRITICAL security vulnerabilities
What are the minimal steps needed to reproduce the bug?
By running
trivy i --no-progress -s HIGH,CRITICAL --vuln-type os --exit-code 1 ghcr.io/k8snetworkplumbingwg/sriov-network-device-plugin:v3.3.2
Component Versions
Please fill in the below table with the version numbers of components used.
Config Files
Config file locations may be config dependent.
Device pool config file location (Try '/etc/pcidp/config.json')
Multus config (Try '/etc/cni/multus/net.d')
CNI config (Try '/etc/cni/net.d/')
Kubernetes deployment type ( Bare Metal, Kubeadm etc.)
Kubeconfig file
SR-IOV Network Custom Resource Definition
Logs
SR-IOV Network Device Plugin Logs (use kubectl logs $PODNAME)
Multus logs (If enabled. Try '/var/log/multus.log')
Kubelet logs (journalctl -u kubelet)