search

kubernetes / kube-state-metrics

Add-on agent to generate and expose cluster-level metrics.
https://kubernetes.io/docs/concepts/cluster-administration/kube-state-metrics/
Apache License 2.0
5.36k stars 2k forks source link

CVEs in v2.13.0 #2512

Open jranabahu opened 6 days ago

jranabahu commented 6 days ago

What happened:

trivy scanning reports 3(1 HIGH and 2 MEDIUM) CVEs in 2.13.0 image. 

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬─────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                            Title                            │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-34156 │ HIGH     │ fixed  │ 1.22.5            │ 1.22.7, 1.23.1 │ encoding/gob: golang: Calling Decoder.Decode on a message   │
│         │                │          │        │                   │                │ which contains deeply nested structures...                  │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-34156                  │
│         ├────────────────┼──────────┤        │                   │                ├─────────────────────────────────────────────────────────────┤
│         │ CVE-2024-34155 │ MEDIUM   │        │                   │                │ go/parser: golang: Calling any of the Parse functions       │
│         │                │          │        │                   │                │ containing deeply nested literals...                        │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-34155                  │
│         ├────────────────┤          │        │                   │                ├─────────────────────────────────────────────────────────────┤
│         │ CVE-2024-34158 │          │        │                   │                │ go/build/constraint: golang: Calling Parse on a "// +build" │
│         │                │          │        │                   │                │ build tag line with...                                      │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-34158                  │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴─────────────────────────────────────────────────────────────┘

What you expected to happen: For this for get resolved with the updates. Atleast for high severity.

How to reproduce it (as minimally and precisely as possible): Scanning the image through trivy

Anything else we need to know?: Let me know if this is not right way to submit

k8s-ci-robot commented 6 days ago

This issue is currently awaiting triage.

If kube-state-metrics contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository.