timescale / timescaledb-docker-ha

Create Docker images containing TimescaleDB, Patroni to be used by developers and Kubernetes.
Apache License 2.0
143 stars, 38 forks

Reporting vulnerability in timescale/timescaledb-ha #463

Open anshulgangrade opened 1 month ago

anshulgangrade commented 1 month ago

Name and Version timescale/timescaledb-ha:pg14.5-ts2.8.0-p1

What steps will reproduce the bug? Posting it here as I could not report the security vulnerability as an issue due to the policy.

We are running a trivy scan to find out vulnerabilities in the timescaledb container. We see many CVEs reported on Ubuntu as below. Please suggest how to fix it?

.\trivy image --format template --template "@contrib/html.tpl" -o timescale_report.html timescale/timescaledb-ha:pg14.5-ts2.8.0-p1 --ignore-unfixed


What is the expected behavior?

$ trivy image timescale/timescaledb-ha:pg14.5-ts2.8.0-p1 --ignore-unfixed

Attached is the report in PDF. Expected behavior is to have 0 vulnerabilities.
timescale_timescaledb-ha_pg14.5-ts2.8.0-p1.pdf

Additional information: how to remediate the CVEs reported.

graveland commented 1 month ago

I haven't checked recently, but that's an ancient image. Please try against the latest builds.

anshulgangrade commented 4 weeks ago

Please find attached the newer image vulnerability report. Attached is the image used by the timescale/timescaledb-single chart, version 0.33.1.
timescale_timescaledb-ha_pg14.6-ts2.9.1-p1.pdf

anshulgangrade commented 3 weeks ago

@graveland Any updates?

graveland commented 3 weeks ago

That image was built approximately a year ago. For this repository, the latest right now is pg14.12-ts2.15.2. Please note the repository you're talking about has this notice: This project is no longer maintained.

anshulgangrade commented 2 weeks ago

Thanks @graveland for your comments. I did a scan on pg14.12-ts2.15.2 as well.
timescale_timescaledb-ha_pg14.12-ts2.15.2.pdf

4 highs are present in this one. Since this project is no longer maintained, will there be no effort to remediate?

graveland commented 2 weeks ago

The vulnerabilities reported in that report are all in packages installed via apt-get, so fixes for them depend on when the fixes arrive upstream. The images are rebuilt every week, so if you want to keep up with the latest fixes, pulling and restarting database servers regularly is recommended.

The vulnerabilities listed against mysql for example are mostly addressed in https://launchpad.net/ubuntu/+source/mysql-8.0/8.0.37-0ubuntu0.24.04.1, which means it should hopefully be available soon.
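The reporter's `--ignore-unfixed` scan and the maintainer's point that fixes for apt-installed packages only land when the upstream Ubuntu package is updated both come down to the same triage question: which findings in a Trivy report already have a fixed version, and which of those are severe enough to block a deployment. The following is an added example (not code from the timescaledb-docker-ha project or from either participant in this thread) that reads Trivy's JSON output (`trivy image --format json -o report.json <image>`), applies the same filter as `--ignore-unfixed`, counts findings by severity, and derives a per-package list of the fixed versions to upgrade to. The embedded report is constructed: the CVE ids, package names, installed versions and severities are placeholders, and only the mysql-8.0 fixed version string is the one named above. Trivy's JSON field names (`Results`, `Target`, `Vulnerabilities`, `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`) are the real ones.

```python
import json
import sys
from collections import Counter, defaultdict

# Constructed sample in the shape of Trivy's JSON report. CVE ids, package
# names, installed versions and severities are placeholders, not findings
# from the PDFs attached to the issue. The mysql-8.0 fixed version is the
# one the maintainer points at in the thread.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {
            "Target": "timescale/timescaledb-ha:pg14.12-ts2.15.2 (ubuntu 24.04)",
            "Class": "os-pkgs",
            "Type": "ubuntu",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-XXXX-0001", "PkgName": "libmysqlclient21",
                 "InstalledVersion": "8.0.36-0ubuntu0.24.04.1",
                 "FixedVersion": "8.0.37-0ubuntu0.24.04.1", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-XXXX-0002", "PkgName": "libmysqlclient21",
                 "InstalledVersion": "8.0.36-0ubuntu0.24.04.1",
                 "FixedVersion": "", "Severity": "MEDIUM"},      # no upstream fix yet
                {"VulnerabilityID": "CVE-XXXX-0003", "PkgName": "example-lib",
                 "InstalledVersion": "1.0-0ubuntu1",
                 "FixedVersion": "1.0-0ubuntu1.1", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-XXXX-0004", "PkgName": "example-lib",
                 "InstalledVersion": "1.0-0ubuntu1",
                 "Severity": "LOW"},                              # FixedVersion key absent
            ],
        },
        {
            # A clean target: Trivy emits no "Vulnerabilities" key at all here.
            "Target": "usr/local/bin/patroni",
            "Class": "lang-pkgs",
            "Type": "python-pkg",
        },
    ]
})


def iter_findings(report_json):
    """Yield every vulnerability entry across all targets in a Trivy JSON report."""
    data = json.loads(report_json)
    for result in data.get("Results", []):
        # "Vulnerabilities" may be missing or null for a target with no findings.
        for vuln in result.get("Vulnerabilities") or []:
            yield vuln


def fixable_findings(report_json):
    """The same filter Trivy applies with --ignore-unfixed: keep only findings
    for which the distro has already published a fixed package version."""
    return [v for v in iter_findings(report_json) if v.get("FixedVersion")]


def severity_counts(findings):
    """Count findings per Trivy severity label (CRITICAL/HIGH/MEDIUM/LOW/UNKNOWN)."""
    return Counter(v.get("Severity", "UNKNOWN") for v in findings)


def upgrade_plan(findings):
    """Map each package to the fixed versions its findings reference, so the
    list can be checked against what apt currently offers in the base image."""
    plan = defaultdict(set)
    for v in findings:
        plan[v["PkgName"]].add(v["FixedVersion"])
    return {pkg: sorted(versions) for pkg, versions in plan.items()}


def gate(report_json, fail_on=("CRITICAL", "HIGH")):
    """Deployment gate: fail only on findings that are both fixable and at a
    blocking severity. Returns (ok, offending_findings)."""
    offending = [v for v in fixable_findings(report_json)
                 if v.get("Severity") in fail_on]
    return (not offending, offending)


if __name__ == "__main__":
    # Read a real report from a file if one is given, else use the sample.
    report = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    fixable = fixable_findings(report)
    print("fixable findings by severity:", dict(severity_counts(fixable)))
    print("packages to upgrade:", upgrade_plan(fixable))
    ok, offending = gate(report)
    for v in offending:
        print(f"BLOCKING {v['VulnerabilityID']} {v['PkgName']} "
              f"{v['InstalledVersion']} -> {v['FixedVersion']}")
    sys.exit(0 if ok else 1)
```

The gate deliberately ignores findings without a `FixedVersion`: as the maintainer notes, nothing in the image build can remediate those until Ubuntu ships the fix, so failing on them would only block every weekly rebuild. The `upgrade_plan` output is the list to compare against the base image's apt repository after a fresh pull.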

graveland commented 2 weeks ago

This project is actively maintained; it's the helm charts that aren't. You'll have to update your own image tag to point to whichever -ha image you want to run.