kubeflow / manifests

A repository for Kustomize manifests
Apache License 2.0

Vulnerability remediation for CRITICAL and HIGH in latest KF chart #2132

Closed psheorangithub closed 1 year ago

psheorangithub commented 2 years ago

The latest KF release 1.4.1 has a total of 43 HIGH and CRITICAL vulnerabilities. Do you have any plans to remediate them? I see a few of them are due to the latest charts of the apps not being used. FEAST (https://github.com/feast-dev/feast/releases/tag/v0.18.0) is one example.

| IMAGE | TAG | CVE | SEVERITY |
|---|---|---|---|
| docker.io/bitnami/postgresql | 11.7.0-debian-10-r9 | CVE-2018-16873 | HIGH |
| docker.io/bitnami/postgresql | 11.7.0-debian-10-r9 | CVE-2018-16875 | HIGH |
| docker.io/bitnami/postgresql | 11.7.0-debian-10-r9 | CVE-2019-13115 | HIGH |
| docker.io/bitnami/postgresql | 11.7.0-debian-10-r9 | CVE-2021-3156 | HIGH |
| docker.io/bitnami/redis | 5.0.7-debian-10-r32 | CVE-2018-16873 | HIGH |
| docker.io/bitnami/redis | 5.0.7-debian-10-r32 | CVE-2018-16875 | HIGH |
| docker.io/bitnami/redis | 5.0.7-debian-10-r32 | CVE-2019-13115 | HIGH |
| docker.io/bitnami/redis | 5.0.7-debian-10-r32 | CVE-2021-3156 | HIGH |
| docker.io/kubeflowkatib/pytorch-mnist | v1beta1-45c5727 | CVE-2019-3462 | HIGH |
| docker.io/kubeflowkatib/tfevent-metrics-collector | v0.12.0 | CVE-2019-3462 | HIGH |
| docker.io/kubeflowkatib/tfevent-metrics-collector | v0.12.0 | CVE-2020-15999 | HIGH |
| gcr.io/arrikto/kubeflow/oidc-authservice | 28c59ef | CVE-2020-1967 | HIGH |
| gcr.io/kf-feast/feast-core | develop | CVE-2014-0050 | CRITICAL |
| gcr.io/kf-feast/feast-core | develop | CVE-2021-44228 | CRITICAL |
| gcr.io/kf-feast/feast-core | develop | CVE-2021-45046 | CRITICAL |
| gcr.io/kf-feast/feast-jobservice | develop | CVE-2019-17571 | CRITICAL |
| gcr.io/kf-feast/feast-jobservice | develop | CVE-2020-24616 | HIGH |
| gcr.io/kf-feast/feast-jobservice | develop | CVE-2021-3156 | HIGH |
| gcr.io/kf-feast/feast-jobservice | develop | CVE-2022-23307 | CRITICAL |
| gcr.io/kf-feast/feast-serving | develop | CVE-2014-0050 | CRITICAL |
| gcr.io/kf-feast/feast-serving | develop | CVE-2020-24616 | HIGH |
| gcr.io/kf-feast/feast-serving | develop | CVE-2021-44228 | CRITICAL |
| gcr.io/kf-feast/feast-serving | develop | CVE-2021-45046 | CRITICAL |
| gcr.io/kubebuilder/kube-rbac-proxy | v0.4.0 | CVE-2018-16873 | HIGH |
| gcr.io/kubebuilder/kube-rbac-proxy | v0.4.0 | CVE-2018-16875 | HIGH |
| gcr.io/ml-pipeline/api-server | 1.7.0 | CVE-2009-5155 | HIGH |
| gcr.io/ml-pipeline/api-server | 1.7.0 | CVE-2018-100000 | HIGH |
| gcr.io/ml-pipeline/frontend | 1.7.0 | CVE-2020-1967 | HIGH |
| gcr.io/ml-pipeline/persistenceagent | 1.7.0 | CVE-2019-11253 | HIGH |
| kfserving/storage-initializer | v0.6.1 | CVE-2021-44228 | CRITICAL |
| kfserving/storage-initializer | v0.6.1 | CVE-2021-45046 | CRITICAL |
| metacontroller/metacontroller | v0.3.0 | CVE-2009-5155 | HIGH |
| metacontroller/metacontroller | v0.3.0 | CVE-2018-100000 | HIGH |
| metacontroller/metacontroller | v0.3.0 | CVE-2018-16873 | HIGH |
| metacontroller/metacontroller | v0.3.0 | CVE-2018-16875 | HIGH |
| metacontroller/metacontroller | v0.3.0 | CVE-2019-3462 | HIGH |
| public.ecr.aws/j1r0q0g6/notebooks/notebook-servers/codeserver-python | v1.4 | CVE-2021-4034 | HIGH |
| public.ecr.aws/j1r0q0g6/notebooks/notebook-servers/jupyter-pytorch-cuda-full | v1.4 | CVE-2021-4034 | HIGH |
| public.ecr.aws/j1r0q0g6/notebooks/notebook-servers/jupyter-pytorch-full | v1.4 | CVE-2021-4034 | HIGH |
| public.ecr.aws/j1r0q0g6/notebooks/notebook-servers/jupyter-scipy | v1.4 | CVE-2021-4034 | HIGH |
| public.ecr.aws/j1r0q0g6/notebooks/notebook-servers/jupyter-tensorflow-cuda-full | v1.4 | CVE-2021-4034 | HIGH |
| public.ecr.aws/j1r0q0g6/notebooks/notebook-servers/jupyter-tensorflow-full | v1.4 | CVE-2021-4034 | HIGH |
| public.ecr.aws/j1r0q0g6/notebooks/notebook-servers/rstudio-tidyverse | v1.4 | CVE-2021-4034 | HIGH |

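The report above is a scan of the images that the manifests pull, so the first step in reproducing or tracking it is an inventory of every `image:` reference in the rendered output, together with a check of how each reference is pinned: several of the images listed (the `gcr.io/kf-feast/*` ones) use the floating `develop` tag, so their contents, and therefore the scan result, can change without any change to the manifests. The script below is an added example and not code from the kubeflow/manifests repository or the poster's scanner. It takes rendered manifest YAML as text (the kind of output `kustomize build` prints; the sample embedded here is constructed and only reuses image names from the table above, including a placeholder digest), lists the unique image references, classifies each as digest-pinned, version-tagged, floating-tagged or untagged, and prints the `trivy image --severity HIGH,CRITICAL` invocation for each. The set of tag names treated as floating is a heuristic assumption, not a registry rule.

```python
"""Inventory image references in rendered Kubernetes manifests and flag
mutable tags. Added example; not part of kubeflow/manifests."""
import re

# A constructed sample of rendered manifest text. Image names are taken from
# the scan table in the issue; the sha256 digest is a placeholder, not a real one.
SAMPLE_MANIFEST = """\
apiVersion: apps/v1
kind: Deployment
metadata:
  name: feast-core
spec:
  template:
    spec:
      containers:
      - name: feast-core
        image: gcr.io/kf-feast/feast-core:develop
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ml-pipeline
spec:
  template:
    spec:
      containers:
      - name: ml-pipeline-api-server
        image: gcr.io/ml-pipeline/api-server:1.7.0
      - name: kube-rbac-proxy
        image: "gcr.io/kubebuilder/kube-rbac-proxy:v0.4.0"
      initContainers:
      - name: storage-initializer
        image: kfserving/storage-initializer:v0.6.1
---
apiVersion: v1
kind: Pod
metadata:
  name: notebook
spec:
  containers:
  - name: notebook
    image: public.ecr.aws/j1r0q0g6/notebooks/notebook-servers/jupyter-scipy
  - name: sidecar
    image: docker.io/bitnami/redis@sha256:""" + "0" * 64 + "\n"

# Matches an `image:` key on its own line, with or without quotes or a list dash.
IMAGE_LINE_RE = re.compile(r"^\s*-?\s*image:\s*['\"]?([^'\"\s#]+)['\"]?\s*(?:#.*)?$")

# Tag names that conventionally move between builds (assumption, not a standard).
FLOATING_TAGS = {"latest", "develop", "main", "master", "nightly", "edge", "stable"}


def find_images(manifest_text):
    """Return the sorted set of unique image references in rendered YAML."""
    refs = set()
    for line in manifest_text.splitlines():
        m = IMAGE_LINE_RE.match(line)
        if m:
            refs.add(m.group(1))
    return sorted(refs)


def parse_ref(ref):
    """Split `name[:tag][@sha256:digest]` into (name, tag, digest).

    A colon after the last slash is a tag; one before it is a registry port."""
    name, _, digest = ref.partition("@")
    slash, colon = name.rfind("/"), name.rfind(":")
    tag = None
    if colon > slash:
        name, tag = name[:colon], name[colon + 1:]
    return name, tag, digest or None


def pin_status(ref):
    """Classify how reproducibly a reference identifies image content."""
    _, tag, digest = parse_ref(ref)
    if digest:
        return "digest"      # immutable: content-addressed
    if tag is None:
        return "untagged"    # implicit :latest, mutable
    if tag in FLOATING_TAGS:
        return "floating"    # mutable by convention
    return "tag"             # versioned tag: stable in practice, not enforced


def audit(manifest_text):
    """Map every image reference in the manifest to its pin status."""
    return {ref: pin_status(ref) for ref in find_images(manifest_text)}


def scan_commands(manifest_text, severities="HIGH,CRITICAL"):
    """One trivy invocation per unique image, limited to the given severities."""
    return [f"trivy image --severity {severities} {ref}" for ref in find_images(manifest_text)]


if __name__ == "__main__":
    for ref, status in audit(SAMPLE_MANIFEST).items():
        print(f"{status:9} {ref}")
    print()
    print("\n".join(scan_commands(SAMPLE_MANIFEST)))
```

In practice the input would be `kustomize build example` piped into this script rather than the embedded sample; anything reported as `floating` or `untagged` should be pinned (ideally to a digest) before the scan numbers are treated as a property of the release rather than of the day the scan ran.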
juliusvonkohout commented 1 year ago

/close

We are now at 1.7/1.8. Please join our security WG meeting or reach out on Slack.

There has been no activity for a long time. Please reopen if necessary.

google-oss-prow[bot] commented 1 year ago

@juliusvonkohout: Closing this issue.

In response to [this](https://github.com/kubeflow/manifests/issues/2132#issuecomment-1693101120):

> /close
>
> We are now at 1.7/1.8 Please join our security wg meeting or reach out on slack.
>
> There has been no activity for a long time. Please reopen if necessary.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.