Container fails vulnerability scan, 3x CVE found.

kubevious / portable

Application-centric Kubernetes viewer and validator

https://kubevious.io

Apache License 2.0

74 stars 9 forks source link

Container fails vulnerability scan, 3x CVE found. #4

Open OliverCole opened 4 years ago

OliverCole commented 4 years ago

Describe the bug

I'd love to use this, but kubevious/portable:0.7.31 has some packages that fail our vulnerability scanning. Can these be upgraded?

To Reproduce

Steps to reproduce the behavior:

Scan with a popular scanner, such as Aqua.

Expected behavior

No vulnerabilities found.

Actual behaviour

CVE-2020-8237 found in json-bigint.
CVE-2020-8116 found in dot-prop.
CVE-2020-8203 found in lodash.

rubenhak commented 4 years ago

@OliverCole, thanks for bringing this up. Those packages are part of nested packages which would require some time to upgrade to more recent packages. Will update you with progress on this.

I also looked through those CVEs and they don't seem to be applicable, because Kubevious Portable is meant to be run on a workstation and not exposed to the outside. That eliminates possibility of such attack vectors.