Fix CRITICAL level issues from CVE scanner - Githubissues

networkservicemesh / deployments-k8s

Apache License 2.0

42 stars 35 forks source link

Fix CRITICAL level issues from CVE scanner #12260

Open Ex4amp1e opened 3 months ago

Ex4amp1e commented 3 months ago

https://github.com/networkservicemesh/deployments-k8s/security

[x] Update go to v1.23 locally (code)
[x] Update go to v1.23 locally (base image)
[x] Update go to v1.23 (sdk) - minimal changes version https://github.com/networkservicemesh/sdk/pull/1664 (.github update required, Example: https://github.com/Ex4amp1e/.github/pull/1/commits/255dc4670535263c28acf41105a0f526e1eff97e)
[x] Provide remaining - 2 weeks
[x] Update go to v1.23 (code)
[x] Update go to v1.23 (base image) - https://github.com/networkservicemesh/deployments-k8s/issues/12283
[x] Update base to latest version ubuntu/alpine and etc. - https://github.com/networkservicemesh/deployments-k8s/issues/12283

denis-tingaikin commented 2 months ago

We decided to split work related to updating linter on two parts:

Update linter config to v1.23 with minimal changes
Provide a list of Linters that can be enabled in the future.
Create issues for each linter.

Ex4amp1e commented 2 months ago

Current set of CVE issues:

https://github.com/networkservicemesh/deployments-k8s/security/code-scanning/25814 - alpine ghcr.io/networkservicemesh/ci/cmd-forwarder-ovs:9ba4d40 - reproduced, but already fixed in the latest alpine image, no fix required
https://github.com/networkservicemesh/deployments-k8s/security/code-scanning/25813 - alpine ghcr.io/networkservicemesh/ci/cmd-forwarder-ovs:9ba4d40 - reproduced, but already fixed in the latest alpine image, no fix required
https://github.com/networkservicemesh/deployments-k8s/security/code-scanning/25812 - alpine ghcr.io/networkservicemesh/ci/cmd-forwarder-ovs:9ba4d40 - reproduced, but already fixed in the latest alpine image, no fix required
https://github.com/networkservicemesh/deployments-k8s/security/code-scanning/25802 - alpine - part of cmd repos - need more investigation
https://github.com/networkservicemesh/deployments-k8s/security/code-scanning/25662 - spire agent - fix required, need to use spire version >= 1.10.2 (current latest 1.10.3 - we will use it) ghcr.io/networkservicemesh/ci/cmd-nsc-simple-docker:393f898 + ghcr.io/networkservicemesh/ci/cmd-nse-simple-vl3-docker:97c8bdc
https://github.com/networkservicemesh/deployments-k8s/security/code-scanning/25349 - go upgrade - all cmd repos - fix provided https://github.com/networkservicemesh/cmd-template/pull/136 + manual upgrades where it is required