kiwigrid / k8s-sidecar

This is a docker container intended to run inside a kubernetes cluster to collect config maps with a specified label and store the included files in a local folder.
MIT License

Trivy Scan CVE Findings #299

Closed bt909 closed 1 year ago

bt909 commented 1 year ago

There are some findings in the actual k8s-sidecar image.

...kiwigrid/k8s-sidecar:1.25.0 (alpine 3.18.2)
===================================================================================
Total: 6 (UNKNOWN: 0, LOW: 0, MEDIUM: 6, HIGH: 0, CRITICAL: 0)

┌────────────┬───────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│  Library   │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                            │
├────────────┼───────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libcrypto3 │ CVE-2023-2975 │ MEDIUM   │ fixed  │ 3.1.1-r1          │ 3.1.1-r2      │ AES-SIV cipher implementation contains a bug that causes it │
│            │               │          │        │                   │               │ to ignore empty...                                          │
│            │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-2975                   │
│            ├───────────────┤          │        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│            │ CVE-2023-3446 │          │        │                   │ 3.1.1-r3      │ Excessive time spent checking DH keys and parameters        │
│            │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-3446                   │
│            ├───────────────┤          │        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│            │ CVE-2023-3817 │          │        │                   │ 3.1.2-r0      │ Excessive time spent checking DH q parameter value          │
│            │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-3817                   │
├────────────┼───────────────┤          │        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│ libssl3    │ CVE-2023-2975 │          │        │                   │ 3.1.1-r2      │ AES-SIV cipher implementation contains a bug that causes it │
│            │               │          │        │                   │               │ to ignore empty...                                          │
│            │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-2975                   │
│            ├───────────────┤          │        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│            │ CVE-2023-3446 │          │        │                   │ 3.1.1-r3      │ Excessive time spent checking DH keys and parameters        │
│            │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-3446                   │
│            ├───────────────┤          │        │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│            │ CVE-2023-3817 │          │        │                   │ 3.1.2-r0      │ Excessive time spent checking DH q parameter value          │
│            │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-3817                   │
└────────────┴───────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘
2023-08-08T09:32:03.815+0200    INFO    Table result includes only package filenames. Use '--format json' option to get the full path to the package file.

Python (python-pkg)
===================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 1)

┌────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬────────────────────────────────────────────┐
│      Library       │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                   Title                    │
├────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼────────────────────────────────────────────┤
│ certifi (METADATA) │ CVE-2023-37920 │ CRITICAL │ fixed  │ 2023.5.7          │ 2023.7.22     │ Removal of e-Tugra root certificate        │
│                    │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-37920 │
└────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴────────────────────────────────────────────┘

As python:3.11.4-alpine3.18 is used as base image, there is no update available at the moment (even python 3.12.b04 is not fixed). The findings found in the Alpine image are fixed in Alpine 3.18.3, but the Python image is based on Alpine 3.18.2.

Dependabot should fix the base image issues in the near future, but maybe the python-pkg issue needs to be fixed here.
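The comment above draws the distinction that matters for triage: the `libcrypto3`/`libssl3` findings live in the Alpine layer and can only go away when the upstream `python:*-alpine` image is rebuilt, while the `certifi` finding is a Python package and can be fixed in this repository. The following script is an added example (not part of k8s-sidecar and not posted by anyone in this thread) that automates that split over Trivy's `--format json` output, which the log line in the scan output points to. The field names (`Results[].Class`, `Vulnerabilities[].FixedVersion`, and so on) follow Trivy's JSON schema; the embedded report is constructed to mirror the table in the issue rather than taken from a real scan, and the apk version comparison is a simplified assumption that only handles `X.Y.Z-rN` strings.

```python
"""Triage a Trivy JSON report into findings the upstream base image must fix
(Class == "os-pkgs") and findings this repository must fix itself
(Class == "lang-pkgs"), then act as a CI severity gate.

Added example for this thread; not k8s-sidecar code.  Produce real input with:
    trivy image --format json -o report.json kiwigrid/k8s-sidecar:1.25.0
"""
import json
from collections import defaultdict

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample that mirrors the table pasted in the issue.  Field names
# follow Trivy's JSON schema; values are copied from the table, not a real scan.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "kiwigrid/k8s-sidecar:1.25.0",
    "Results": [
        {
            "Target": "kiwigrid/k8s-sidecar:1.25.0 (alpine 3.18.2)",
            "Class": "os-pkgs",
            "Type": "alpine",
            "Vulnerabilities": [
                {"VulnerabilityID": cve, "PkgName": pkg, "InstalledVersion": "3.1.1-r1",
                 "FixedVersion": fixed, "Status": "fixed", "Severity": "MEDIUM"}
                for pkg in ("libcrypto3", "libssl3")
                for cve, fixed in (("CVE-2023-2975", "3.1.1-r2"),
                                   ("CVE-2023-3446", "3.1.1-r3"),
                                   ("CVE-2023-3817", "3.1.2-r0"))
            ],
        },
        {
            "Target": "Python",
            "Class": "lang-pkgs",
            "Type": "python-pkg",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-2023-37920", "PkgName": "certifi",
                 "InstalledVersion": "2023.5.7", "FixedVersion": "2023.7.22",
                 "Status": "fixed", "Severity": "CRITICAL"},
            ],
        },
    ],
})


def load_sample():
    """Parse the constructed report (stand-in for json.load(open('report.json')))."""
    return json.loads(SAMPLE_REPORT)


def apk_key(version):
    """Simplified sort key for Alpine apk versions of the form X.Y.Z-rN.
    Assumption: real apk versions may carry suffixes (_p1, _alpha) not handled here."""
    base, _, rel = version.partition("-r")
    return tuple(int(x) for x in base.split(".")) + (int(rel or 0),)


def findings(report):
    """Flatten Results[].Vulnerabilities into one list, tagging each with its Class."""
    out = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            out.append({**vuln, "Class": result.get("Class"), "Target": result.get("Target")})
    return out


def triage(report):
    """Group findings by who has to act: 'base_image' (os-pkgs: wait for or bump
    the upstream image) or 'repo' (lang-pkgs: pin the dependency here).
    Keyed by (CVE, package) so libcrypto3 and libssl3 stay separate entries."""
    groups = defaultdict(dict)
    for f in findings(report):
        owner = "base_image" if f["Class"] == "os-pkgs" else "repo"
        groups[owner][(f["VulnerabilityID"], f["PkgName"])] = f
    return {owner: list(v.values()) for owner, v in groups.items()}


def required_base_versions(report):
    """Minimum apk version per OS package that clears every base-image finding,
    i.e. what the rebuilt upstream image must ship before the scan goes clean."""
    needed = {}
    for f in triage(report).get("base_image", []):
        fixed = f.get("FixedVersion")
        if fixed and (f["PkgName"] not in needed or apk_key(fixed) > apk_key(needed[f["PkgName"]])):
            needed[f["PkgName"]] = fixed
    return needed


def remediation(report):
    """One actionable line per item: base-image bumps vs. requirement pins."""
    actions = [f"base image: needs {pkg} >= {ver}"
               for pkg, ver in sorted(required_base_versions(report).items())]
    for f in triage(report).get("repo", []):
        if f.get("FixedVersion"):
            actions.append(f"requirements: pin {f['PkgName']}>={f['FixedVersion']} ({f['VulnerabilityID']})")
        else:
            actions.append(f"no fix available yet: {f['PkgName']} ({f['VulnerabilityID']})")
    return actions


def fails_gate(report, threshold="HIGH", ignore_unfixed=True):
    """CI gate: True if any finding at or above threshold remains.  With
    ignore_unfixed (like Trivy's --ignore-unfixed) findings lacking a fix do not block."""
    for f in findings(report):
        if ignore_unfixed and not f.get("FixedVersion"):
            continue
        if SEVERITY_RANK.get(f.get("Severity", "UNKNOWN"), 0) >= SEVERITY_RANK[threshold]:
            return True
    return False


if __name__ == "__main__":
    rep = load_sample()
    for line in remediation(rep):
        print(line)
    print("gate failed:", fails_gate(rep))
```

On the sample report the gate fails solely because of the CRITICAL `certifi` finding, which is the one item the repository can act on by pinning the package; the six Alpine findings are all MEDIUM and collapse to "needs libcrypto3 >= 3.1.2-r0" and "needs libssl3 >= 3.1.2-r0", which is exactly the condition a rebuilt base image has to satisfy before a rescan goes clean.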

bt909 commented 1 year ago

The Python Docker image seems now to be based on alpine 3.18.3 (python:3.11.4-alpine3.18 and python:3.12.0rc1-alpine3.18) and the libcrypto3 and libssl3 vulnerabilities are gone in these images.

ChristianGeie commented 1 year ago

Checking k8s-sidecar:1.25.0, all CVEs mentioned above are still there. We are waiting for an update in the upstream base image.

ChristianGeie commented 1 year ago

The Python base image was updated in v1.25.1, so all CVEs listed above should be fixed. @bt909 please rescan using image v1.25.1.

bt909 commented 1 year ago

Yes @ChristianGeie, all the CVEs I mentioned are fixed in the v1.25.1 version. Thank you, I will close this issue as it is no longer an issue.