Closed wedaly closed 11 months ago
@wedaly Thanks for reporting this. I noticed that the Calico version is old (3.24). As mentioned in https://github.com/projectcalico/calico/issues/8050#issuecomment-1745350468, both the latest patches of 3.25 and 3.26 are using UBI 8.8. We strongly encourage everyone to use the latest release to get the security updates.
Expected Behavior
Some security scanners like trivy rely on deb/rpm package metadata. Images built from registry.access.redhat.com/ubi8/ubi-minimal should copy the RPM package metadata so security scanners report accurate results.
Current Behavior
The Calico images do not copy RPM metadata from the base image, so some security scanners do not accurately report CVEs.
Possible Solution
This is how distroless-iptables copies the deb pkg metadata: https://github.com/kubernetes/release/blob/dbe1d9b0f7828726d69faacb2da4a832b66803c4/images/build/distroless-iptables/distroless/package-utils.sh#L45-L54
Suggest that Calico does something similar for RPM packages.
Steps to Reproduce (for bugs)
The second command should report the vulnerabilities from the base image, but it currently doesn't.
Context
AKS has gotten reports from customers about CVEs in Calico images that do not appear in trivy results.
I believe the same issue occurs for the tigera/operator image.
Your Environment
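As an added example (not code from this issue, from Calico or from the distroless-iptables script linked above), a POSIX shell sketch of the RPM counterpart to that script: it copies the base image's rpmdb and OS identification files from an unpacked base rootfs into the final image's rootfs, and checks for the files a scanner such as trivy looks for. The rootfs paths, function names and the constructed fixture are assumptions.

```shell
#!/bin/sh
# copy_rpm_metadata SRC_ROOT DST_ROOT: copy the RPM database and the OS
# identification files from a base-image rootfs (e.g. an unpacked
# ubi8/ubi-minimal) into the final image's rootfs so a scanner can map the
# image to RHEL/UBI and enumerate its packages.
copy_rpm_metadata() {
  src="$1"; dst="$2"; found=0
  # ubi8 keeps a BerkeleyDB "Packages" file under /var/lib/rpm; newer
  # releases use rpmdb.sqlite, and some distributions move the directory
  # to /usr/lib/sysimage/rpm. Copy whichever directory exists.
  for dir in var/lib/rpm usr/lib/sysimage/rpm; do
    if [ -d "$src/$dir" ]; then
      mkdir -p "$dst/$dir"
      cp -a "$src/$dir/." "$dst/$dir/"
      found=1
    fi
  done
  [ "$found" -eq 1 ] || { echo "no rpmdb found under $src" >&2; return 1; }
  # Without these the scanner cannot tell which distribution's advisories apply.
  mkdir -p "$dst/etc"
  for f in etc/os-release etc/redhat-release; do
    [ -f "$src/$f" ] && cp -a "$src/$f" "$dst/$f"
  done
  return 0
}

# rpm_metadata_present ROOT: succeeds when ROOT holds one of the rpmdb files
# trivy recognises plus an OS identification file.
rpm_metadata_present() {
  root="$1"; db=0; os=0
  for f in var/lib/rpm/Packages var/lib/rpm/Packages.db var/lib/rpm/rpmdb.sqlite \
           usr/lib/sysimage/rpm/Packages usr/lib/sysimage/rpm/Packages.db \
           usr/lib/sysimage/rpm/rpmdb.sqlite; do
    [ -f "$root/$f" ] && db=1
  done
  for f in etc/os-release etc/redhat-release; do
    [ -f "$root/$f" ] && os=1
  done
  [ "$db" -eq 1 ] && [ "$os" -eq 1 ]
}

# make_fixture BASE FINAL: constructed stand-in for a ubi8 base rootfs and an
# empty final rootfs (the rpmdb content is a placeholder, not a real database).
make_fixture() {
  mkdir -p "$1/var/lib/rpm" "$1/etc" "$2"
  printf 'placeholder-bdb\n' > "$1/var/lib/rpm/Packages"
  printf 'ID="rhel"\nVERSION_ID="8.8"\n' > "$1/etc/os-release"
  printf 'Red Hat Enterprise Linux release 8.8 (Ootpa)\n' > "$1/etc/redhat-release"
}

tmp=$(mktemp -d); make_fixture "$tmp/base" "$tmp/final"
rpm_metadata_present "$tmp/final" && echo "unexpected" || echo "before: scanner would see no packages"
copy_rpm_metadata "$tmp/base" "$tmp/final" && rpm_metadata_present "$tmp/final" && echo "after: rpm metadata present"
rm -rf "$tmp"
```

This copies the whole database, which overstates the contents of an image that ships only a subset of the base's packages; in that case prune the entries in the build stage first (for example with `rpm -e --justdb --dbpath`) so the scanner's results match what is actually installed.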