kubernetes / kube-state-metrics

Add-on agent to generate and expose cluster-level metrics.
https://kubernetes.io/docs/concepts/cluster-administration/kube-state-metrics/
Apache License 2.0

CVE in v2.11.0 Image #2349

Closed nikhil-bhat closed 5 months ago

nikhil-bhat commented 6 months ago

Ran an image scan with `docker scout cves registry.k8s.io/kube-state-metrics/kube-state-metrics:v2.11.0` and found a CVE:

Packages and Vulnerabilities

https://scout.docker.com/v/CVE-2024-24786 https://github.com/advisories/GHSA-8r3f-844c-mc37


CVE report should be clean:

How to reproduce it (as minimally and precisely as possible):

```
docker scout cves registry.k8s.io/kube-state-metrics/kube-state-metrics:v2.11.0
```

Anything else we need to know?: I see 3 open PRs #2342 #2341 #2340 which reference this issue. I see based on https://github.com/advisories/GHSA-8r3f-844c-mc37 that the issue is related to protobuf; I ran a `go mod why` to check from which dependency these indirect dependencies are arising. It seems it is due to prometheus.

I am willing to contribute to fix the issue in case the og contributors need any help.

Environment:
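The question behind the report's `go mod why` step is which direct dependency drags the flagged protobuf module into the build, since that decides whether bumping a direct requirement (or adding a `replace`) will actually move the vulnerable version. The program below is an added example, not code from kube-state-metrics or from the issue author: it parses `go mod graph` output (one `parent@version child@version` edge per line, the main module listed without a version) and lists every path from the main module to a target module, plus all versions of that module that appear in the graph. The `sampleGraph` excerpt is constructed for illustration; its edges and version numbers are not taken from the project's real go.mod.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// sampleGraph is a CONSTRUCTED excerpt in the format printed by `go mod graph`.
// Module paths are real, but the versions and edges are illustrative only.
const sampleGraph = `k8s.io/kube-state-metrics/v2 github.com/prometheus/client_golang@v1.18.0
k8s.io/kube-state-metrics/v2 github.com/prometheus/common@v0.46.0
k8s.io/kube-state-metrics/v2 k8s.io/client-go@v0.29.2
github.com/prometheus/client_golang@v1.18.0 github.com/prometheus/common@v0.46.0
github.com/prometheus/common@v0.46.0 google.golang.org/protobuf@v1.32.0
k8s.io/client-go@v0.29.2 google.golang.org/protobuf@v1.33.0
google.golang.org/protobuf@v1.32.0 github.com/google/go-cmp@v0.5.5
`

// stripVersion returns the module path of a "path@version" node.
func stripVersion(node string) string {
	if i := strings.IndexByte(node, '@'); i >= 0 {
		return node[:i]
	}
	return node
}

// ParseGraph turns `go mod graph` text into an adjacency list keyed by module
// path (versions dropped, duplicate edges collapsed) and a per-module set of
// every version that is required somewhere in the graph.
func ParseGraph(text string) (map[string][]string, map[string]map[string]bool) {
	edges := map[string][]string{}
	versions := map[string]map[string]bool{}
	seenEdge := map[string]bool{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) != 2 {
			continue // blank or malformed line
		}
		parent, child := stripVersion(fields[0]), stripVersion(fields[1])
		if key := parent + " " + child; !seenEdge[key] {
			seenEdge[key] = true
			edges[parent] = append(edges[parent], child)
		}
		if i := strings.IndexByte(fields[1], '@'); i >= 0 {
			if versions[child] == nil {
				versions[child] = map[string]bool{}
			}
			versions[child][fields[1][i+1:]] = true
		}
	}
	return edges, versions
}

// PathsTo returns every simple path from root to target, in the order the
// edges appear in the graph. Cycles are skipped via the onPath set.
func PathsTo(edges map[string][]string, root, target string) [][]string {
	var out [][]string
	var walk func(node string, path []string, onPath map[string]bool)
	walk = func(node string, path []string, onPath map[string]bool) {
		path = append(path, node)
		if node == target {
			out = append(out, append([]string(nil), path...)) // copy before recording
			return
		}
		onPath[node] = true
		for _, next := range edges[node] {
			if !onPath[next] {
				walk(next, path, onPath)
			}
		}
		delete(onPath, node)
	}
	walk(root, nil, map[string]bool{})
	return out
}

// SortedVersions lists every version of module seen in the graph. Go's MVS
// selects the highest, so the largest entry is the one that ships in the binary.
func SortedVersions(versions map[string]map[string]bool, module string) []string {
	var vs []string
	for v := range versions[module] {
		vs = append(vs, v)
	}
	sort.Strings(vs)
	return vs
}

func main() {
	edges, versions := ParseGraph(sampleGraph)
	target := "google.golang.org/protobuf"
	for _, p := range PathsTo(edges, "k8s.io/kube-state-metrics/v2", target) {
		fmt.Println(strings.Join(p, " > "))
	}
	fmt.Println("versions required:", SortedVersions(versions, target))
}
```

On a real checkout you would feed it `go mod graph > graph.txt` and pass the graph text in instead of `sampleGraph`; a path whose second element is a direct dependency tells you which requirement to bump, and the highest listed version is the one Go's minimal version selection actually builds.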

k8s-ci-robot commented 6 months ago

This issue is currently awaiting triage.

If kube-state-metrics contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.

CatherineF-dev commented 6 months ago

Could you run with main branch again?

https://github.com/kubernetes/kube-state-metrics/pull/2352 was merged recently.

nikhil-bhat commented 6 months ago

@CatherineF-dev I built the image locally. That image seems to be clear of any vulnerability. However, is the main branch image published anywhere? Do you know when v2.12.0 will be released?

CatherineF-dev commented 6 months ago

Could you verify v2.12.0? Seems released: https://github.com/kubernetes/kube-state-metrics/pull/2335

nikhil-bhat commented 6 months ago

Hi @CatherineF-dev, I see #2335 is merged, but it is not released yet, it seems.

CatherineF-dev commented 5 months ago

https://github.com/kubernetes/kube-state-metrics/releases

CatherineF-dev commented 5 months ago

Could you try again?

nikhil-bhat commented 5 months ago

Thanks a ton, @CatherineF-dev.