Open QuanZhang-William opened 1 year ago
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale with a justification.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.
/lifecycle stale
Send feedback to tektoncd/plumbing.
/remove-lifecycle stale
/lifecycle frozen
This we might revisit in the future.
In TEP-0115, we selected 5 resources to be supported at Verified support tier, where the @tektoncd/catalog-maintainers are expected to patch the detected CVEs. In TEP-0079, we have proposed to use the Artifact Hub Scanner service (which uses Trivy) to generate vulnerability reports and display them on the Artifact Hub.
Here is the list of resources (and the underlying images) that will be serviced at Verified tier:

gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.18.1
gcr.io/tekton-releases/github.com/tektoncd/pipeline/cmd/git-init:v0.40.2
gcr.io/kaniko-project/executor:v1.5.1@sha256:c6166717f7fe0b7da44908c986137ecfeab21f31ec3992f6e128fff8a94be8a5
docker.io/library/bash:5.1.4@sha256:c523c636b722339f41b6a431b44588ab2f762c5de5ec3bd7964420ff982fb1d9
docker.io/library/golang:latest
The security reports for the above resources currently contain a bunch of CVEs, which should be addressed before we can claim these are the Verified Catalogs. We can create separate issues to track the progress for each resource.
Steps to Reproduce the Problem

The Artifact Hub uses Trivy to scan the container images; you can get the same security report by running Trivy locally:

trivy image [container image name]
@tektoncd/catalog-maintainers
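To track per-resource progress on the CVEs the issue describes, a maintainer needs to know, per image, how many findings each severity has and which of them already have a fixed package version. The following is an added example, not code from the Tekton catalog or Artifact Hub: it parses the JSON that `trivy image --format json IMAGE` emits (the `Results` / `Vulnerabilities` / `FixedVersion` fields are Trivy's own) and works on a constructed sample report with placeholder CVE ids.

```python
"""Summarise a Trivy JSON report for one image: counts per severity and
which CVEs already have a fixed package version (the ones a maintainer
can patch now). Constructed example; not part of the Tekton catalog."""
import json
from collections import Counter

SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN")

# Constructed sample in the shape of `trivy image --format json IMAGE`
# output. The CVE ids and package versions are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "docker.io/library/bash:5.1.4",
    "Results": [
        {"Target": "docker.io/library/bash:5.1.4 (alpine 3.x)",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "openssl",
              "InstalledVersion": "1.1.1j-r0", "FixedVersion": "1.1.1k-r0",
              "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "busybox",
              "InstalledVersion": "1.32.1-r3", "FixedVersion": "",
              "Severity": "MEDIUM"}]},
        # Trivy emits null, not [], for a target with no findings.
        {"Target": "usr/local/bin/tool", "Vulnerabilities": None}]})


def summarise(report_json: str) -> dict:
    """Return severity counts plus fixable/unfixed (id, pkg, severity, fix) tuples."""
    report = json.loads(report_json)
    counts, fixable, unfixed = Counter(), [], []
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            sev = vuln.get("Severity", "UNKNOWN")
            counts[sev] += 1
            entry = (vuln["VulnerabilityID"], vuln["PkgName"], sev,
                     vuln.get("FixedVersion", ""))
            (fixable if entry[3] else unfixed).append(entry)
    return {"image": report.get("ArtifactName", "<unknown>"),
            "counts": {s: counts[s] for s in SEVERITIES},
            "fixable": fixable, "unfixed": unfixed}


def needs_patch(summary: dict, gate=("CRITICAL", "HIGH")) -> bool:
    """True when a fixable CVE at a gated severity remains; findings with no
    fixed version can only be tracked, so they do not block the image alone."""
    return any(sev in gate for _, _, sev, _ in summary["fixable"])
```

Feed each of the five listed images' reports to `summarise` and use `needs_patch` as the gate for opening the per-resource tracking issue.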