Open aramase opened 1 week ago
I will rebuild that in the next cycle
/assign
Looks like go-runner also needs update:
go-runner (gobinary)
====================
Total: 1 (HIGH: 1, CRITICAL: 0)
┌─────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬───────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼───────────────────────────────────────────────────────────┤
│ stdlib │ CVE-2024-34156 │ HIGH │ fixed │ 1.23.0 │ 1.22.7, 1.23.1 │ encoding/gob: golang: Calling Decoder.Decode on a message │
│ │ │ │ │ │ │ which contains deeply nested structures... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-34156 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴───────────────────────────────────────────────────────────┘
We don't actually use OpenSSL? Or we shouldn't be (should be go stdlib crypto)
We can probably drop this from the image. I can't think why we even have it.
Something to investigate for sure ...
What happened:
CVE in registry.k8s.io/build-image/distroless-iptables:v0.6.2 image
What you expected to happen:
New distroless-iptables images with CVEs resolved.