Report the use of components with vulnerabilities in telepresence

[HouqiyuA]

Dear Team Members: Greetings! Our team is very interested in your project. we performed source code perspective security analysis (SCA) and vulnerability library association analysis on this project and found that components with vulnerabilities are still being used into this project.We would like to report this issue to you,so that you can fix and improve it accordingly. I add the details in json file below. Please confirm whether this problem really exists and confirm with us. Looking forward to hearing from you and discussing more details with us, thank you very much for your time and attention.

Note: Each "affect_components" field in the report represents the vulnerable component introduced by this project. The other is the vulnerability information associated with it.

Qiyu Hou

telepresence-release-v2_report.json

[thallgren]

Thanks for doing this. Security scans are always very welcom. Let me comment briefly on the list of components.

CVE-2021-46873 is not relevant to Telepresence Telepresence uses wireguard for its VIF (the Virtual Network Interface). It exposes TCP and UDP. Never NTP. Even if we did, it would be harmless unless the Telepresence user disables their firewall and exposes the VIF externally.

CVE-2019-25210 is not relevant to Telepresence Telepresence embeds Helm, and exposes a selected set of flags. The --dry-run flag is however not one of them.

CVE-2020-8561 - is not relevant to Telepresence Telepresence does not expose any mechanism to configure Kubernetes logging.

[thallgren]

Closing this ticket because Telepresence isn't affected by any of those CVEs