Issue opened by anshulgangrade 1 month ago (status: Open)
I haven't checked recently, but that's an ancient image. Please try against the latest builds.
Please find attached the vulnerability report for the newer image. It is the image used by version 0.33.1 of the timescale/timescaledb-single chart: timescale_timescaledb-ha_pg14.6-ts2.9.1-p1.pdf
@graveland Any updates?
That image was built approximately a year ago. For this repository, the latest right now is pg14.12-ts2.15.2. Please note the repository you're talking about has this notice: This project is no longer maintained.
Thanks @graveland for your comments. I did a scan on pg14.12-ts2.15.2 as well (attached: timescale_timescaledb-ha_pg14.12-ts2.15.2.pdf).
4 highs are present in this one. Since this project is no longer maintained, will there be no effort to remediate?
The vulnerabilities reported in that report are all in packages installed via apt-get, so fixes for them depend on when the fixes arrive upstream. The images are rebuilt every week, so if you want to keep up with the latest fixes, pulling and restarting database servers regularly is recommended.
The vulnerabilities listed against mysql for example are mostly addressed in https://launchpad.net/ubuntu/+source/mysql-8.0/8.0.37-0ubuntu0.24.04.1, which means it should hopefully be available soon.
This project is actively maintained; it's the Helm charts that aren't. You'll have to update your own image tag to point to whichever -ha image you want to run.
Name and Version: timescale/timescaledb-ha:pg14.5-ts2.8.0-p1
What steps will reproduce the bug?
Posting it here as I could not report the security vulnerability as an issue due to the policy.
We are running a trivy scan to find vulnerabilities in the timescaledb container. We see many CVEs reported on Ubuntu, as below. Please suggest how to fix it.
.\trivy image --format template --template "@contrib/html.tpl" -o timescale_report.html timescale/timescaledb-ha:pg14.5-ts2.8.0-p1 --ignore-unfixed
What is the expected behavior?
$ trivy image timescale/timescaledb-ha:pg14.5-ts2.8.0-p1 --ignore-unfixed
Attached is the report in PDF (timescale_timescaledb-ha_pg14.5-ts2.8.0-p1.pdf). Expected behavior is to have 0 vulnerabilities.
Additional information
How to remediate the CVEs reported.
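The maintainer's point above is that the findings live in apt-installed packages, so the only question for the operator is which findings already have a fixed package upstream (a weekly rebuilt image will pick those up) and which are still unfixed (nothing to do but wait and re-scan). The script below is an added example, not part of this issue or of the timescaledb-ha project; it reads the JSON that `trivy image --format json` emits (the `Results[].Vulnerabilities[]` structure with `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion` and `Severity`) and splits the findings the way `--ignore-unfixed` does, but keeps both halves visible so the "4 highs" style count can be broken down. The embedded report is a constructed sample with placeholder CVE IDs, package names and versions; none of it comes from the attached PDFs.

```python
import json
import sys
from collections import Counter

# Constructed sample in the shape of `trivy image --format json` output.
# The CVE IDs, package names and versions are placeholders, not findings
# from the reports attached to this issue.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {
            "Target": "timescale/timescaledb-ha:EXAMPLE-TAG (ubuntu)",
            "Class": "os-pkgs",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample1",
                 "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libexample1",
                 "InstalledVersion": "1.0-1", "FixedVersion": "", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "othertool",
                 "InstalledVersion": "2.3", "FixedVersion": "2.4", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0004", "PkgName": "othertool",
                 "InstalledVersion": "2.3", "FixedVersion": "", "Severity": "MEDIUM"},
            ],
        }
    ]
})

SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]


def _rank(severity):
    """Numeric rank for a trivy severity string; unknown strings rank lowest."""
    return SEVERITY_ORDER.index(severity) if severity in SEVERITY_ORDER else 0


def load_findings(report_json):
    """Flatten a trivy JSON report into one dict per finding."""
    report = json.loads(report_json)
    findings = []
    for result in report.get("Results", []):
        # trivy emits null (not []) for targets with no findings
        for vuln in result.get("Vulnerabilities") or []:
            findings.append({
                "id": vuln["VulnerabilityID"],
                "pkg": vuln["PkgName"],
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion", ""),
                "severity": vuln.get("Severity", "UNKNOWN"),
                "target": result.get("Target", ""),
            })
    return findings


def triage(findings, min_severity="HIGH"):
    """Split findings at or above min_severity into fixable (a fixed package
    version exists, so a rebuilt image clears it) and unfixed (no upstream
    fix yet; this is what --ignore-unfixed hides)."""
    threshold = _rank(min_severity)
    fixable, unfixed = [], []
    for f in findings:
        if _rank(f["severity"]) < threshold:
            continue
        (fixable if f["fixed"] else unfixed).append(f)
    return fixable, unfixed


def severity_counts(findings):
    """Count findings per severity label."""
    return dict(Counter(f["severity"] for f in findings))


def packages_to_upgrade(fixable):
    """Map package name -> set of fixed versions: the list to check against the
    distro's package tracker before expecting a rebuild to clear the finding."""
    out = {}
    for f in fixable:
        out.setdefault(f["pkg"], set()).add(f["fixed"])
    return out


if __name__ == "__main__":
    # Usage: python triage.py report.json   (falls back to the sample above)
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    found = load_findings(raw)
    fixable, unfixed = triage(found, "HIGH")
    print("severity counts:", severity_counts(found))
    print("fixable (will clear on rebuild):", [f["id"] for f in fixable])
    print("unfixed (waiting on upstream):", [f["id"] for f in unfixed])
    print("packages with fixed versions:", packages_to_upgrade(fixable))
```

Generate the input with `trivy image --format json -o report.json timescale/timescaledb-ha:<tag>` and run the script against that file; the `packages_to_upgrade` output is what to compare against the distribution's package tracker (the launchpad link above is that kind of check) when deciding whether the next weekly rebuild will clear a finding or whether it is still waiting on upstream.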