open-policy-agent / kube-mgmt

Sidecar for managing OPA instances in Kubernetes.
Apache License 2.0

helm: openpolicyagent/opa image is outdated and has a critical vulnerability #177

Closed elchenberg closed 1 year ago

elchenberg commented 1 year ago

According to Trivy, the opa binary in the image openpolicyagent/opa:0.45.0 has a critical vulnerability:

# trivy image --security-checks vuln --severity CRITICAL openpolicyagent/opa:0.45.0
2022-12-13T13:01:47.866+0100    INFO    Vulnerability scanning is enabled
2022-12-13T13:01:49.175+0100    INFO    Detected OS: debian
2022-12-13T13:01:49.175+0100    INFO    Detecting Debian vulnerabilities...
2022-12-13T13:01:49.178+0100    INFO    Number of language-specific files: 1
2022-12-13T13:01:49.178+0100    INFO    Detecting gobinary vulnerabilities...

openpolicyagent/opa:0.45.0 (debian 11.5)

Total: 0 (CRITICAL: 0)

opa (gobinary)

Total: 1 (CRITICAL: 1)

┌─────────────────────────────────────────┬────────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────┐
│                 Library                 │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                   Title                    │
├─────────────────────────────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────┤
│ github.com/bytecodealliance/wasmtime-go │ CVE-2022-39394 │ CRITICAL │ v1.0.0            │               │ Out-of-bounds Write                        │
│                                         │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-39394 │
└─────────────────────────────────────────┴────────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────┘

Version 0.47.3 does not seem to have any known critical vulnerabilities:

# trivy image --security-checks vuln --severity CRITICAL openpolicyagent/opa:0.47.3
2022-12-13T13:04:43.488+0100    INFO    Vulnerability scanning is enabled
2022-12-13T13:04:44.741+0100    INFO    Detected OS: debian
2022-12-13T13:04:44.741+0100    INFO    Detecting Debian vulnerabilities...
2022-12-13T13:04:44.755+0100    INFO    Number of language-specific files: 1
2022-12-13T13:04:44.755+0100    INFO    Detecting gobinary vulnerabilities...

openpolicyagent/opa:0.47.3 (debian 11.5)

Total: 0 (CRITICAL: 0)
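The two scans above are read by eye. The same decision (does this image carry anything at or above CRITICAL?) can be made by a CI step that parses Trivy's JSON output, which is what you would want before a chart bump ships a new default image. The following is an added example, not code from kube-mgmt or from the issue author; it assumes Trivy's JSON report layout (a top-level `Results` list whose entries carry `Target`, `Type` and an optional `Vulnerabilities` list with `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion` and `Severity`), as produced by `trivy image --format json`. The two sample reports embedded in it are constructed to mirror the 0.45.0 and 0.47.3 tables in this issue; they are not real Trivy output.

```python
import json
from dataclasses import dataclass
from typing import Dict, List

# Severity ordering matching Trivy's --severity filter (assumed, see lead-in).
SEVERITY_RANK: Dict[str, int] = {
    "UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4,
}


@dataclass(frozen=True)
class Finding:
    target: str        # Trivy "Target": OS layer or the scanned binary
    package: str       # "PkgName", e.g. a Go module path
    vuln_id: str       # "VulnerabilityID"
    severity: str
    installed: str
    fixed: str         # "" when Trivy records no fixed version


def findings_at_or_above(report: dict, threshold: str = "CRITICAL") -> List[Finding]:
    """Return every vulnerability in a Trivy JSON report whose severity is at
    least ``threshold``. Trivy omits the ``Vulnerabilities`` key for a clean
    target, so the inner loop tolerates a missing or null list."""
    floor = SEVERITY_RANK[threshold.upper()]
    found: List[Finding] = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            severity = str(vuln.get("Severity", "UNKNOWN")).upper()
            if SEVERITY_RANK.get(severity, 0) < floor:
                continue
            found.append(Finding(
                target=result.get("Target", ""),
                package=vuln.get("PkgName", ""),
                vuln_id=vuln.get("VulnerabilityID", ""),
                severity=severity,
                installed=vuln.get("InstalledVersion", ""),
                fixed=vuln.get("FixedVersion", "") or "",
            ))
    return found


def image_passes(report_json: str, threshold: str = "CRITICAL") -> bool:
    """CI gate: True when no finding reaches the threshold."""
    return not findings_at_or_above(json.loads(report_json), threshold)


def summarize(report: dict, threshold: str = "CRITICAL") -> str:
    """One line per finding, in the spirit of Trivy's table, for CI logs."""
    findings = findings_at_or_above(report, threshold)
    lines = [f"{report.get('ArtifactName', '?')}: "
             f"{len(findings)} finding(s) at or above {threshold}"]
    for f in findings:
        fix = f.fixed or "no fix recorded"
        lines.append(f"  {f.severity} {f.vuln_id} {f.package} {f.installed} -> {fix} ({f.target})")
    return "\n".join(lines)


# Constructed sample reports mirroring the two scans in the issue. Field
# names follow Trivy's JSON output as assumed above; values come from the
# tables in the issue (0.45.0 has one CRITICAL gobinary finding with no
# fixed version listed; 0.47.3 is clean at CRITICAL).
OPA_0_45_0 = {
    "ArtifactName": "openpolicyagent/opa:0.45.0",
    "Results": [
        {"Target": "openpolicyagent/opa:0.45.0 (debian 11.5)",
         "Class": "os-pkgs", "Type": "debian"},
        {"Target": "opa", "Class": "lang-pkgs", "Type": "gobinary",
         "Vulnerabilities": [{
             "VulnerabilityID": "CVE-2022-39394",
             "PkgName": "github.com/bytecodealliance/wasmtime-go",
             "InstalledVersion": "v1.0.0",
             "FixedVersion": "",
             "Severity": "CRITICAL",
             "Title": "Out-of-bounds Write",
         }]},
    ],
}
OPA_0_47_3 = {
    "ArtifactName": "openpolicyagent/opa:0.47.3",
    "Results": [
        {"Target": "openpolicyagent/opa:0.47.3 (debian 11.5)",
         "Class": "os-pkgs", "Type": "debian"},
        {"Target": "opa", "Class": "lang-pkgs", "Type": "gobinary"},
    ],
}

if __name__ == "__main__":
    for report in (OPA_0_45_0, OPA_0_47_3):
        print(summarize(report))
        print("PASS" if image_passes(json.dumps(report)) else "FAIL")
```

In a pipeline the report would come from `trivy image --format json -o report.json <image>` and `image_passes(open("report.json").read())` would decide the job's exit status. Keeping the threshold a parameter matters here: the 0.45.0 finding has no fixed version recorded, so a gate that only fails on "fixable" findings would have let this image through, while a plain severity gate catches it and forces the conversation the issue is asking for.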