Closed nikhil-bhat closed 5 months ago
This issue is currently awaiting triage.
If kube-state-metrics contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.
The triage/accepted label can be added by org members by writing /triage accepted in a comment.
Could you run with main branch again?
https://github.com/kubernetes/kube-state-metrics/pull/2352 was merged recently.
@CatherineF-dev I built the image locally. That image seems to be clear of any vulnerability. However, is the main branch image published anywhere? Do you know when v2.12.0 will be released?
Could you verify v2.12.0? It seems released: https://github.com/kubernetes/kube-state-metrics/pull/2335
Hi @CatherineF-dev, I see #2335 is merged, but it seems it is not released yet.
Could you try again?
Thanks a ton @CatherineF-dev
Ran an image scan with docker scout cves registry.k8s.io/kube-state-metrics/kube-state-metrics:v2.11.0 and found a CVE:
Packages and Vulnerabilities
https://scout.docker.com/v/CVE-2024-24786 https://github.com/advisories/GHSA-8r3f-844c-mc37
CVE report should be clean.
How to reproduce it (as minimally and precisely as possible):
Anything else we need to know?: I see 3 open PRs #2342 #2341 #2340 which reference this issue. I see based on https://github.com/advisories/GHSA-8r3f-844c-mc37 that the issue is related to protobuf; ran a go mod why to check from which dependency these indirect dependencies are arising. It seems it is due to prometheus.
I am willing to contribute to fix the issue in case the og contributors need any help.
Environment:
kubectl version: NA
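The reporter's go mod why step above, as an added example that is not part of this issue or of kube-state-metrics: a breadth-first search over a constructed go mod graph-style edge list recovers the shortest requirement chain from the root module to google.golang.org/protobuf, and a small version compare flags whether the resolved release predates v1.33.0, the first protobuf release that closes CVE-2024-24786 (GHSA-8r3f-844c-mc37). The module names and versions in the sample graph are made up for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed `go mod graph`-style edge list, one "dependent dependency@version"
// per line (not kube-state-metrics' real graph; the versions are made up).
const sampleGraph = `k8s.io/kube-state-metrics/v2 github.com/prometheus/client_golang@v1.18.0
k8s.io/kube-state-metrics/v2 github.com/prometheus/common@v0.46.0
github.com/prometheus/common@v0.46.0 google.golang.org/protobuf@v1.31.0
github.com/prometheus/client_golang@v1.18.0 google.golang.org/protobuf@v1.31.0`
// FixedProtobuf is the first google.golang.org/protobuf release that closes CVE-2024-24786.
const FixedProtobuf = "v1.33.0"
// whyPath does what `go mod why -m target` does: shortest requirement chain (BFS) from root to target, nil if none.
func whyPath(graph, root, target string) (path []string) {
	g := map[string][]string{} // adjacency map; edge order preserved
	for t := strings.Fields(graph); len(t) > 1; t = t[2:] {
		g[t[0]] = append(g[t[0]], t[1])
	}
	prev := map[string]string{root: ""} // predecessor links for path recovery
	for queue := []string{root}; len(queue) > 0; queue = queue[1:] {
		n := queue[0]
		if strings.SplitN(n, "@", 2)[0] == target {
			for ; n != ""; n = prev[n] {
				path = append([]string{n}, path...)
			}
			return path
		}
		for _, next := range g[n] {
			if _, seen := prev[next]; !seen {
				prev[next], queue = n, append(queue, next)
			}
		}
	}
	return nil
}

// versionLess compares "vMAJOR.MINOR.PATCH" release tags numerically.
func versionLess(a, b string) bool {
	var x, y [3]int
	fmt.Sscanf(a, "v%d.%d.%d", &x[0], &x[1], &x[2])
	fmt.Sscanf(b, "v%d.%d.%d", &y[0], &y[1], &y[2])
	return x[0] < y[0] || x[0] == y[0] && (x[1] < y[1] || x[1] == y[1] && x[2] < y[2])
}
func main() {
	path := whyPath(sampleGraph, "k8s.io/kube-state-metrics/v2", "google.golang.org/protobuf")
	fmt.Println(strings.Join(path, " -> "), "| needs update:", versionLess(path[len(path)-1][len("google.golang.org/protobuf@"):], FixedProtobuf))
}
```

On a real module, the same input comes from go mod graph in the repository root, and the version carried on the last node of the chain is what the scanner compares against the advisory's fixed release.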