riok / Kreya

Kreya is a GUI client for gRPC and REST APIs with innovative features for environments, authorizations and more.
https://kreya.app

Docker image critical vulnerability #218

Open mfridrikhson opened 2 months ago

mfridrikhson commented 2 months ago

Describe the bug: Our AWS ECR scan showed that the Kreya image has a critical vulnerability related to the zlib package. No new packages were added to the original Kreya image on our side. Could you please look into that and update your base image to fix this? Thanks in advance.

To Reproduce: I wasn't able to get the same output as ECR by using docker scout; however, it still displays at least one high vulnerability on the latest image. Run docker scout cves riok/kreyac:latest to see.

Expected behavior: The image has no critical vulnerabilities.

Screenshots: (attached image)

Environment (if possible, copy the information from the error dialog or the About menu):

CommonGuy commented 2 months ago

Apparently, the CRITICAL CVE for zlib:1:1.2.13.dfsg-1 is a false positive: https://github.com/madler/zlib/pull/843#issuecomment-2050417533.

As for the Dockerfile, we aren't doing much in there. We depend on mcr.microsoft.com/dotnet/runtime-deps:8.0 (since Kreya is programmed in .NET) and basically just copy the compiled kreyac file into the image.

This means we have to wait until either the CVE is flagged as false positive or our base image resolves the CVEs.
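A defender-side way to handle exactly this situation (a critical finding on a base-image package that has been judged a false positive, while the base image has not yet been rebuilt) is to keep a reviewed exception list with evidence and an expiry, so the finding is suppressed for a bounded time rather than ignored. The following is an added example, not code from the Kreya project or this thread; the scan-report shape, the CVE identifiers (placeholders, since the thread does not name the CVE) and the expiry dates are constructed for illustration.

```python
"""Triage container-scan findings against a reviewed false-positive allowlist.

Added example; the report format below is constructed and not the schema of
ECR or docker scout. Dates are ISO strings so they compare lexicographically.
"""

# Constructed scan report, loosely modelled on what an image scanner reports.
SCAN_REPORT = {
    "image": "riok/kreyac:latest",
    "findings": [
        {"id": "CVE-PLACEHOLDER-ZLIB", "package": "zlib",
         "version": "1:1.2.13.dfsg-1", "severity": "CRITICAL"},
        {"id": "CVE-PLACEHOLDER-OTHER", "package": "libexample",
         "version": "1.0-1", "severity": "HIGH"},
    ],
}

# Reviewed exceptions. Every entry records why it was accepted, where the
# evidence lives, and when the decision must be revisited, so a critical
# finding is never silently suppressed forever.
ALLOWLIST = [
    {
        "id": "CVE-PLACEHOLDER-ZLIB",
        "package": "zlib",
        "reason": "reported as a false positive in the upstream zlib discussion",
        "evidence": "https://github.com/madler/zlib/pull/843#issuecomment-2050417533",
        "expires": "2025-01-01",  # constructed review date
    },
]


def triage(report, allowlist, today):
    """Split findings into (unresolved, suppressed) for the given ISO date."""
    active = {(e["id"], e["package"]): e for e in allowlist if e["expires"] > today}
    unresolved, suppressed = [], []
    for finding in report["findings"]:
        exception = active.get((finding["id"], finding["package"]))
        if exception is None:
            unresolved.append(finding)
        else:
            suppressed.append({**finding, "reason": exception["reason"]})
    return unresolved, suppressed


def has_blocking(unresolved, block_at=("CRITICAL",)):
    """True if any unresolved finding is at a severity that should fail the build."""
    return any(f["severity"] in block_at for f in unresolved)
```

Once the exception expires, the zlib finding reappears as blocking, which forces a re-check of whether the base image has been updated.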

mfridrikhson commented 2 months ago

@CommonGuy I see, thanks a lot for the information, that's good to know. It's definitely not a big deal for us, but just wanted to raise awareness.

superlazyname commented 1 month ago

@CommonGuy Unfortunately, that false positive might be around for a year or more. I put a writeup about it here: https://github.com/madler/zlib/pull/843#issuecomment-2130408505

CommonGuy commented 1 month ago

@superlazyname Thanks for the writeup!