zalando-incubator / kube-metrics-adapter

General purpose metrics adapter for Kubernetes HPA metrics
MIT License

High and Critical vulnerabilities packaged in the container detected by Docker Scout #758

Open jamescjchan opened 1 month ago

jamescjchan commented 1 month ago

Expected Behavior

No high or critical vulnerabilities

Actual Behavior

The openssl version 3.3.0-r2 is determined to have critical and high vulnerabilities: CVE-2024-5535 and CVE-2024-6119. The stdlib version 1.22.4 is determined to have multiple high vulnerabilities: CVE-2024-34158, CVE-2024-34156, CVE-2024-24791 and CVE-2022-30635.

Steps to Reproduce the Problem

  1. docker pull ghcr.io/zalando-incubator/kube-metrics-adapter:v0.2.3
  2. open docker desktop and navigate to the image pulled in the first step

The openssl issue might be resolved if the builder pulls the latest alpine:3.20 base image again. However, the stdlib one is resolved during the build.

Specifications
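Added example, not from the issue or from the kube-metrics-adapter project: the stdlib CVEs listed above are defects in the Go toolchain the binary was compiled with, so they only disappear when the image is rebuilt with a newer Go, regardless of which base image is pulled. The program below reads the build info embedded in a Go binary (the same data that `go version -m <binary>` prints), extracts the toolchain version, and fails when it is older than a minimum. The minimum value, the type and function names are assumptions chosen for illustration, not project policy; the toolchain version that actually closes a given CVE has to be taken from the Go release notes.

```go
package main

import (
	"fmt"
	"os"
	"runtime"
	"runtime/debug"
	"strconv"
	"strings"
)

// GoVersion is a parsed Go toolchain version such as "go1.22.4".
type GoVersion struct {
	Major, Minor, Patch int
}

// ParseGoVersion parses "goX.Y.Z" (or "goX.Y", or a pre-release such as
// "go1.23rc1"); a pre-release suffix is dropped and the numeric prefix kept.
func ParseGoVersion(s string) (GoVersion, error) {
	raw := strings.TrimPrefix(s, "go")
	var v GoVersion
	fields := []*int{&v.Major, &v.Minor, &v.Patch}
	for i, part := range strings.SplitN(raw, ".", 3) {
		// Keep only the leading digits of each component ("23rc1" -> "23").
		j := 0
		for j < len(part) && part[j] >= '0' && part[j] <= '9' {
			j++
		}
		if j == 0 {
			return GoVersion{}, fmt.Errorf("malformed Go version %q", s)
		}
		n, err := strconv.Atoi(part[:j])
		if err != nil {
			return GoVersion{}, err
		}
		*fields[i] = n
		if j < len(part) {
			break // pre-release suffix: nothing numeric follows
		}
	}
	return v, nil
}

// Less reports whether a is an older toolchain than b.
func (a GoVersion) Less(b GoVersion) bool {
	if a.Major != b.Major {
		return a.Major < b.Major
	}
	if a.Minor != b.Minor {
		return a.Minor < b.Minor
	}
	return a.Patch < b.Patch
}

// MinimumForBuild is the oldest toolchain a CI gate accepts. The value is a
// placeholder for whatever the image owner's policy says (assumption); it is
// not taken from the issue or the project.
var MinimumForBuild = GoVersion{1, 22, 7}

// CheckBuild compares the toolchain string recorded in a binary's build info
// against min and reports whether the binary has to be rebuilt.
func CheckBuild(built string, min GoVersion) (needsRebuild bool, err error) {
	v, err := ParseGoVersion(built)
	if err != nil {
		return false, err
	}
	return v.Less(min), nil
}

func main() {
	// Inspect the running binary: the toolchain it was compiled with and the
	// module dependencies it embeds (what `go version -m` would show).
	info, ok := debug.ReadBuildInfo()
	if !ok {
		fmt.Fprintln(os.Stderr, "no build info embedded (binary not built in module mode)")
		os.Exit(2)
	}
	fmt.Printf("built with %s (running on %s)\n", info.GoVersion, runtime.Version())
	for _, d := range info.Deps {
		fmt.Printf("  dep %s %s\n", d.Path, d.Version)
	}
	rebuild, err := CheckBuild(info.GoVersion, MinimumForBuild)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	if rebuild {
		fmt.Printf("toolchain %s is older than the required go%d.%d.%d: rebuild with a newer Go\n",
			info.GoVersion, MinimumForBuild.Major, MinimumForBuild.Minor, MinimumForBuild.Patch)
		os.Exit(1)
	}
	fmt.Println("toolchain satisfies the minimum")
}
```

Run against the adapter binary inside the image (for example through `docker run --entrypoint` with this program copied in, or by applying the same parsing to the first line of `go version -m /path/to/binary` on the extracted file) and a non-zero exit is the signal that a scanner finding on stdlib needs a toolchain bump in the Dockerfile, not a base-image refresh.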