Closed G-Tarik closed 1 month ago
This issue is currently awaiting triage.
SIG CLI takes a lead on issue triage for this repo, but any Kubernetes member can accept issues by applying the triage/accepted label.
The triage/accepted label can be added by org members by writing /triage accepted in a comment.
Next versions of the different stable branches will pick up the newer golang. If you really need it, please compile kubectl from source with the golang that you need.
/close
@dims: Closing this issue.
What happened:
At least these versions:
Latest Release: 1.29.9 (released: 2024-09-10)
Latest Release: 1.30.5 (released: 2024-09-10)
Latest Release: 1.31.1 (released: 2024-09-11)
did not include the fix for CVE-2024-34156, which was released in go1.22.7 on 2024-09-05. Trivy scanner reports installed version 1.22.6 for all of them.
What you expected to happen:
CVE-2024-34156 fix is included
How to reproduce it (as minimally and precisely as possible):
RUN wget "https://dl.k8s.io/release/v1.29.9/bin/linux/amd64/kubectl" && \
    wget "https://dl.k8s.io/v1.29.9/bin/linux/amd64/kubectl.sha256" && \
    echo "$(cat kubectl.sha256)  kubectl" | sha256sum -c && \
    install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
trivy clean --scan-cache
trivy image --scanners vuln --no-progress --severity HIGH,CRITICAL --ignore-unfixed $IMAGE
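The Go toolchain version a scanner reports for kubectl is stamped into the binary itself, so it can be checked directly after the download step. The script below is an added example, not part of the original issue or of the Kubernetes project; the function names and the grep fallback are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report which Go toolchain a downloaded binary was built with
# and compare it to a minimum release. Function names are hypothetical.

# Print the embedded Go version (e.g. "1.22.6"); return 1 if none is found.
embedded_go_version() {
    v=""
    if command -v go >/dev/null 2>&1; then
        # `go version <file>` reads the build info stamped into a Go binary.
        v=$(go version "$1" 2>/dev/null | sed -n 's/.*: go\([0-9][0-9.]*\).*/\1/p')
    fi
    if [ -z "$v" ]; then
        # Fallback heuristic (assumption): the first "go1.x[.y]" string in the
        # file is the toolchain version recorded by the Go runtime.
        v=$(LC_ALL=C grep -a -o -E 'go1\.[0-9]+(\.[0-9]+)?' "$1" | head -n 1 | sed 's/^go//')
    fi
    [ -n "$v" ] || return 1
    printf '%s\n' "$v"
}

# Succeed (exit 0) only when dotted version $1 is strictly older than $2.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# Return 0 if built with >= $2, 1 if older, 2 if the version is unknown.
check_go_fix() {
    have=$(embedded_go_version "$1") || { echo "$1: no Go version found"; return 2; }
    if version_lt "$have" "$2"; then
        echo "$1: built with go$have, older than go$2"
        return 1
    fi
    echo "$1: built with go$have (>= go$2)"
}

# Usage: sh check.sh ./kubectl [min-version]
# Default threshold is go1.22.7, the release the issue names for the 1.22 line;
# other Go release lines have their own fixed versions.
if [ "$#" -gt 0 ]; then
    check_go_fix "$1" "${2:-1.22.7}"
fi
```

Run in the image build right after the `install` step, a non-zero exit fails the build before the image reaches the scanner.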