yannh
commented
6 months ago Updated to the latest Go version supported by goreleaser (1.22.1), release coming up. Could you point me to the issues you're referencing?
Closed bobrasey-verusen closed 6 months ago
yannh
commented
6 months ago Updated to the latest Go version supported by goreleaser (1.22.1), release coming up. Could you point me to the issues you're referencing?
bobrasey-verusen
commented
6 months ago Sure, I have a view via AWS Inspector since I'm putting my images in ECR and there's a lot of good summary info there that I can't provide you a link to. But I can send you some of the upstream links - they're harder to read but hopefully can provide you with some context.
CVE-2023-44487 - golang.org/x/net, google.golang.org/grpc and 1 more GHSA-m425-mq94-257g - google.golang.org/grpc CVE-2022-41723 - golang.org/x/net CVE-2023-39325 - golang.org/x/net, golang.org/x/net
Summing up the remediation steps, this should clear these:
These are all the HIGH findings associated with golang that I see. Also, I am modifying your kubeconform image a tiny bit, but I don't think that would affect these findings.
Let me know if there's anything else I can do to help.
bobrasey-verusen
commented
6 months ago Also, let me put in a plug for Snyk here, they have a limited-use free license and it's a fantastic tool for stuff like this. Here's a sample finding for this use case:
yannh
commented
6 months ago Fun fact, I believe the original Kubeval author now actually works at Snyk :) I'm not very familiar with their free tier. How would you suggest configuring this though - failing a build if there are vulnerabilities? Running it periodically on master? Running it periodically on all published images? :thinking: I can imagine it would be quite useful to run this on the versions you are actually using, but I'd love your advice on its usage in the toolchain.
yannh
commented
6 months ago Tagged v0.6.5 btw, hope it fixes the issues.
bobrasey-verusen
commented
6 months ago I haven't scanned containers in a pipeline using Snyk, but it's apparently doable. Now you have me thinking about doing this for my stuff...
bobrasey-verusen
commented
6 months ago I didn't really answer your question... I am currently only security scanning container images once they are pushed to a repo. In practice this is fine, we have tooling that surfaces vulnerabilities to us and we respond within an SLA based on severity. Scanning in the pipeline would catch things sooner, which is why I'm considering it now, but honestly what we have is working Good Enough.
The limitation you'll run into with Snyk is how many times you can run a type of test when using the free tier. Looks like it's 100 container tests per month, so maybe that's enough for you?
bobrasey-verusen
commented
6 months ago Also, TIL kubeval was started by Gareth Rushgrove! I had no idea.
We build a container image based on this project, and AWS Inspector is showing quite a few HIGH findings, all centered around golang generally, and many of them involving
netandgrpcspecifically. Seems like bumping golang version and imports is due.