tomkerkhove / promitor

Bringing Azure Monitor metrics where you need them.
https://promitor.io
MIT License

artifacthub.io lists 6 critical/high security vulnerabilities for scraper and resource discovery #1809

Closed ponson-thankavel closed 2 years ago

ponson-thankavel commented 2 years ago

Report

I use the promitor charts from artifacthub.io: promitor-agent-resource-discovery and promitor-agent-scraper.

I observed 3 critical & 3 severe security vulnerabilities reported in artifacthub.io for the recent helm packages.

Affected versions:
promitor-agent-resource-discovery - 0.4.1+
promitor-agent-scraper - 2.4.1+

List of Vulnerabilities
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3711
https://github.com/freebsd/freebsd-src/commits/main/lib/libfetch
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36222
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3712

Is this being looked into?

Vulnerability Information

MITRE

Affected Component(s)

Resource Discovery, Scraper

Affected Version(s)

0.4.1+, 2.4.1+

Vulnerability Mitigation

No response

Vulnerability Fix

I think this requires upgrading the base image that contains the required library fixes (or) upgrading the libraries in the Dockerfile. I haven't tried this though.

Contact Details

mailtoponson@yahoo.co.in
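The two remedies named in the report (take a newer base image, or upgrade the OS packages inside the image) can both be expressed in the Dockerfile. The fragment below is an added illustration, not Promitor's own Dockerfile: the base image name, the digest placeholder, the application path and the entrypoint are assumptions, and the "before" variant is kept only as comments so the file stays a single buildable Dockerfile.

```dockerfile
# Added example, not the Promitor project's Dockerfile.
# Shows how to pick up base-image library fixes (e.g. libssl, libgssapi)
# of the kind reported against the scraper and resource-discovery images.
# Assumed: a Debian-based .NET runtime image; the digest is a placeholder.

# --- Before (what typically produces a scanner finding) ----------------
# FROM mcr.microsoft.com/dotnet/aspnet:6.0
# COPY ./publish /app
# ENTRYPOINT ["dotnet", "/app/app.dll"]
#
# A floating tag may resolve to a cached, months-old layer, and the OS
# packages are whatever the image vendor shipped at that time.

# --- After ------------------------------------------------------------
# 1. Pin the base image by digest so every build uses the same, reviewed
#    layer; bump the digest deliberately when the vendor publishes a
#    rebuilt image. <digest-of-patched-image> is a placeholder to fill in.
FROM mcr.microsoft.com/dotnet/aspnet:6.0@sha256:<digest-of-patched-image>

# 2. Apply the distro's security updates inside the image, so a fix that
#    Debian has already released lands even before the vendor rebuilds.
#    Cleaning the apt lists keeps the layer small and avoids stale indexes.
RUN apt-get update \
 && apt-get upgrade -y \
 && rm -rf /var/lib/apt/lists/*

# Application layers are unchanged; only the base and its packages moved.
COPY ./publish /app
ENTRYPOINT ["dotnet", "/app/app.dll"]
```

After rebuilding, confirm the fix the same way the finding was produced: rescan the new image with the scanner that flagged it, and, for a spot check, query the installed package version inside the container (for instance with `dpkg-query -W` on the OpenSSL package) and compare it with the version the distro advisory names as fixed. Step 2 alone closes the window quickly; step 1 is what keeps the image from silently regressing when the tag moves.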

tomkerkhove commented 2 years ago

Thanks for reporting! This is indeed in the base image so will see how I can improve it.

tomkerkhove commented 2 years ago

This has now been resolved and passes scanning in Snyk: [image]

Sorry for this, it looks like the automated patching was stuck (#1690) and took some new measures:

I will release a new version soon.

ponson-thankavel commented 2 years ago

Thank you @tomkerkhove... thrilled by the quick response.... :) Looking forward to the new version...

tomkerkhove commented 2 years ago

It's the least I could do for this oversight - Sorry and thanks for reporting!

Are you using Promitor in production? I'd be happy to list you as an end-user.

tomkerkhove commented 2 years ago

They are now available on https://github.com/promitor/charts/releases

ponson-thankavel commented 2 years ago

> Are you using Promitor in production? I'd be happy to list you as an end-user.

Not yet. We are evaluating. :)

tomkerkhove commented 2 years ago

Cool, thanks. Feel free to let me know if you have any questions.