kubernetes-sigs / secrets-store-csi-driver

Secrets Store CSI driver for Kubernetes secrets - Integrates secrets stores with Kubernetes via a CSI volume.
https://secrets-store-csi-driver.sigs.k8s.io/
Apache License 2.0

CVEs on the existing glibc version of the latest image #1544

Closed cuguilke closed 3 weeks ago

cuguilke commented 3 weeks ago

Hi,

I see multiple CVEs found in the existing glibc version in registry.k8s.io/csi-secrets-store/driver:v1.4.3 (via trivy):

[screenshot attached: trivy_output_csi_secrests_store]

Any ETA on the next release?

Thanks in advance,

Ilke Cugu

aramase commented 3 weeks ago

v1.4.4 released and doesn't contain any CVEs.

```bash
➜ trivy image --exit-code 1 --ignore-unfixed --severity MEDIUM,HIGH,CRITICAL registry.k8s.io/csi-secrets-store/driver:v1.4.4
2024-06-18T14:29:11.118-0700    INFO    Need to update DB
2024-06-18T14:29:11.118-0700    INFO    DB Repository: ghcr.io/aquasecurity/trivy-db
2024-06-18T14:29:11.118-0700    INFO    Downloading DB...
48.16 MiB / 48.16 MiB [---------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 20.94 MiB p/s 2.5s
2024-06-18T14:29:14.784-0700    INFO    Vulnerability scanning is enabled
2024-06-18T14:29:14.784-0700    INFO    Secret scanning is enabled
2024-06-18T14:29:14.784-0700    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-18T14:29:14.784-0700    INFO    Please see also https://aquasecurity.github.io/trivy/v0.48/docs/scanner/secret/#recommendation for faster secret detection
2024-06-18T14:29:17.419-0700    INFO    Detected OS: debian
2024-06-18T14:29:17.419-0700    INFO    Detecting Debian vulnerabilities...
2024-06-18T14:29:17.428-0700    INFO    Number of language-specific files: 1
2024-06-18T14:29:17.428-0700    INFO    Detecting gobinary vulnerabilities...

registry.k8s.io/csi-secrets-store/driver:v1.4.4 (debian 12.5)

Total: 0 (MEDIUM: 0, HIGH: 0, CRITICAL: 0)
```

Closing this issue now. As per cadence, the next release will be next month.

/close
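
The gate aramase ran above (fail only on fixed findings at MEDIUM or higher) can be reproduced in CI from trivy's JSON report, which also lets you list the affected packages so a rebuild against a newer Debian base can be planned. The script below is an added example for this issue, not code from the secrets-store-csi-driver project or from trivy. It assumes the report shape trivy emits with `trivy image -f json -o report.json <image>` (`Results`, each with a `Target` and a `Vulnerabilities` list carrying `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`); the embedded sample report, its image tag, CVE ids and package versions are constructed placeholders.

```python
"""Gate an image on a trivy JSON report, mirroring
`trivy image --exit-code 1 --ignore-unfixed --severity MEDIUM,HIGH,CRITICAL <image>`.

Usage: python gate.py report.json   (falls back to the constructed sample below)
"""
import json
import sys
from typing import Dict, List

# Severity ordering used for the threshold; UNKNOWN ranks lowest.
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample in the shape of a trivy JSON report. The image tag, CVE ids
# and package versions are placeholders, not findings from any real image.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "registry.k8s.io/csi-secrets-store/driver:vX.Y.Z",
    "Results": [
        {
            "Target": "registry.k8s.io/csi-secrets-store/driver:vX.Y.Z (debian 12.5)",
            "Class": "os-pkgs",
            "Type": "debian",
            "Vulnerabilities": [
                # HIGH with a fix available: this one must fail the gate
                {"VulnerabilityID": "CVE-0000-00001", "PkgName": "libc6",
                 "InstalledVersion": "2.36-9+deb12uN", "FixedVersion": "2.36-9+deb12uM",
                 "Severity": "HIGH"},
                # CRITICAL but no fixed version yet: dropped by ignore_unfixed
                {"VulnerabilityID": "CVE-0000-00002", "PkgName": "libc6",
                 "InstalledVersion": "2.36-9+deb12uN", "FixedVersion": "",
                 "Severity": "CRITICAL"},
                # below the MEDIUM threshold: dropped by the severity filter
                {"VulnerabilityID": "CVE-0000-00003", "PkgName": "libssl3",
                 "InstalledVersion": "3.0.N-1~deb12uX", "FixedVersion": "3.0.N-1~deb12uY",
                 "Severity": "LOW"},
            ],
        },
        # Go binary result with no findings (trivy may emit null here)
        {"Target": "usr/local/bin/secrets-store-csi", "Class": "lang-pkgs",
         "Type": "gobinary", "Vulnerabilities": None},
    ],
})


def load_findings(report_json: str) -> List[Dict[str, str]]:
    """Flatten every Result's vulnerability list into one list of findings."""
    report = json.loads(report_json)
    findings = []
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            findings.append({
                "id": vuln.get("VulnerabilityID", ""),
                "pkg": vuln.get("PkgName", ""),
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion") or "",
                "severity": (vuln.get("Severity") or "UNKNOWN").upper(),
                "target": result.get("Target", ""),
            })
    return findings


def filter_findings(findings, min_severity="MEDIUM", ignore_unfixed=True):
    """Keep findings at or above min_severity; with ignore_unfixed, require a FixedVersion."""
    threshold = SEVERITY_RANK[min_severity]
    kept = []
    for f in findings:
        if SEVERITY_RANK.get(f["severity"], 0) < threshold:
            continue
        if ignore_unfixed and not f["fixed"]:
            continue
        kept.append(f)
    return kept


def summarize(findings, levels=("MEDIUM", "HIGH", "CRITICAL")) -> Dict[str, int]:
    """Count kept findings per severity level plus a Total, like trivy's table footer."""
    counts = {level: 0 for level in levels}
    for f in findings:
        if f["severity"] in counts:
            counts[f["severity"]] += 1
    counts["Total"] = len(findings)
    return counts


def format_summary(counts: Dict[str, int]) -> str:
    """Render 'Total: N (MEDIUM: a, HIGH: b, CRITICAL: c)'."""
    per_level = ", ".join(f"{k}: {v}" for k, v in counts.items() if k != "Total")
    return f"Total: {counts['Total']} ({per_level})"


def affected_packages(findings) -> Dict[str, List[str]]:
    """Group CVE ids by package so the maintainer knows which packages a rebuild must refresh."""
    by_pkg: Dict[str, List[str]] = {}
    for f in findings:
        by_pkg.setdefault(f["pkg"], []).append(f["id"])
    return by_pkg


def gate(report_json: str, min_severity="MEDIUM", ignore_unfixed=True) -> int:
    """Return 1 if any actionable finding remains (the --exit-code 1 behaviour), else 0."""
    kept = filter_findings(load_findings(report_json), min_severity, ignore_unfixed)
    return 1 if kept else 0


if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    kept = filter_findings(load_findings(source))
    print(format_summary(summarize(kept)))
    for pkg, ids in affected_packages(kept).items():
        print(f"  {pkg}: {', '.join(ids)}")
    sys.exit(gate(source))
```

Keeping the unfixed filter separate from the severity filter matters for base-image findings like the glibc ones in this issue: a CVE with no `FixedVersion` in Debian cannot be cleared by rebuilding the image, so it should be tracked rather than fail the release gate, while a fixed one is a direct signal to rebuild on the updated base.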

k8s-ci-robot commented 3 weeks ago

@aramase: Closing this issue.

In response to [this](https://github.com/kubernetes-sigs/secrets-store-csi-driver/issues/1544#issuecomment-2177044435):

> [v1.4.4](https://github.com/kubernetes-sigs/secrets-store-csi-driver/releases/tag/v1.4.4) released and doesn't contain any CVEs.
>
> Closing this issue now. As per cadence, the next release will be next month.
>
> /close

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md).
If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository.