Note: The same system-agent tag will be used in all three release lines.
Changes:
bump Go version to 1.22 and kube-related modules to v0.29.7 to eliminate CVEs
Below is the scan result of the image build from this PR. Note that those two non-critical CVEs are from rancher/client-go, whose latest tag is v1.29.3-rancher1.
> trivy image rancher/system-agent:dev-suc
2024-08-06T11:31:39-07:00 INFO [db] Need to update DB
2024-08-06T11:31:39-07:00 INFO [db] Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
50.94 MiB / 50.94 MiB [--------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 29.66 MiB p/s 1.9s
2024-08-06T11:31:42-07:00 INFO [vuln] Vulnerability scanning is enabled
2024-08-06T11:31:42-07:00 INFO [secret] Secret scanning is enabled
2024-08-06T11:31:42-07:00 INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-06T11:31:42-07:00 INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-06T11:31:44-07:00 INFO Detected OS family="alpine" version="3.18.8"
2024-08-06T11:31:44-07:00 INFO [alpine] Detecting vulnerabilities... os_version="3.18" repository="3.18" pkg_num=15
2024-08-06T11:31:44-07:00 INFO Number of language-specific files num=2
2024-08-06T11:31:44-07:00 INFO [gobinary] Detecting vulnerabilities...
rancher/system-agent:dev-suc (alpine 3.18.8)
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
opt/rancher-system-agent-suc/rancher-system-agent (gobinary)
Total: 2 (UNKNOWN: 0, LOW: 1, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
┌───────────────────┬───────────────┬──────────┬────────┬───────────────────┬──────────────────────────────────┬───────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├───────────────────┼───────────────┼──────────┼────────┼───────────────────┼──────────────────────────────────┼───────────────────────────────────────────────────────────┤
│ k8s.io/kubernetes │ CVE-2024-5321 │ MEDIUM │ fixed │ v1.29.3 │ 1.27.16, 1.28.12, 1.29.7, 1.30.3 │ kubelet: Incorrect permissions on Windows containers logs │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-5321 │
│ ├───────────────┼──────────┤ │ ├──────────────────────────────────┼───────────────────────────────────────────────────────────┤
│ │ CVE-2024-3177 │ LOW │ │ │ 1.27.13, 1.29.4, 1.28.9 │ kubernetes: kube-apiserver: bypassing mountable secrets │
│ │ │ │ │ │ │ policy imposed by the ServiceAccount admission plugin... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-3177 │
└───────────────────┴───────────────┴──────────┴────────┴───────────────────┴──────────────────────────────────┴───────────────────────────────────────────────────────────┘
Issues:
https://github.com/rancher/rancher/issues/46526 https://github.com/rancher/rancher/issues/46529 https://github.com/rancher/rancher/issues/46530
https://github.com/rancher/rancher/issues/46531 https://github.com/rancher/rancher/issues/46527 https://github.com/rancher/rancher/issues/46532