zegl / kube-score

Kubernetes object analysis with recommendations for improved reliability and security. kube-score actively prevents downtime and bugs in your Kubernetes YAML and Charts. Static code analysis for Kubernetes.
https://kube-score.com
MIT License

One high-risk vulnerability in kube-score executable #436

Closed log2 closed 2 years ago

log2 commented 2 years ago

Which version of kube-score are you using?

kube-score version: 1.14.0

What did you do?

[ Tested on a Linux amd64 system - Also tried on macOS Intel system, but trivy seems to not detect the issues there ]

After retrieving the dependencies, I launched trivy (0.18.3) in the project's root directory:

$ trivy fs .
2022-02-18T13:46:15.759Z     INFO     Detected OS: unknown
2022-02-18T13:46:15.761Z     INFO     Number of PL dependency files: 1
2022-02-18T13:46:15.761Z     INFO     Detecting gomod vulnerabilities...

go.sum
======
Total: 2 (UNKNOWN: 1, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

+---------------------+------------------+----------+-----------------------------------+------------------------------------+---------------------------------------+
|       LIBRARY       | VULNERABILITY ID | SEVERITY |         INSTALLED VERSION         |           FIXED VERSION            |                 TITLE                 |
+---------------------+------------------+----------+-----------------------------------+------------------------------------+---------------------------------------+
| golang.org/x/crypto | CVE-2020-29652   | HIGH     | 0.0.0-20200622213623-75b288015ac9 | v0.0.0-20201216223049-8b5274cf687f | golang: crypto/ssh: crafted           |
|                     |                  |          |                                   |                                    | authentication request can            |
|                     |                  |          |                                   |                                    | lead to nil pointer dereference       |
|                     |                  |          |                                   |                                    | -->avd.aquasec.com/nvd/cve-2020-29652 |
+---------------------+------------------+----------+-----------------------------------+------------------------------------+---------------------------------------+
| golang.org/x/text   | CVE-2021-38561   | UNKNOWN  | 0.3.6                             | 0.3.7                              | -->avd.aquasec.com/nvd/cve-2021-38561 |
+---------------------+------------------+----------+-----------------------------------+------------------------------------+---------------------------------------+

What did you expect to see?

I'd like to see no CRITICAL or HIGH vulnerabilities ("expecting" seems just too much, in my opinion, but a low vulnerability count in high risk areas is nice to have, in my opinion).

What did you see instead?

Two vulnerabilities are detected:
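
As an added example (not code from this issue or from kube-score), a small Python checker that reads a go.sum and flags the two modules from the trivy report above whenever the recorded version is older than the fixed version. It assumes only tagged releases and v0.0.0 pseudo-versions appear in go.sum; the go.sum excerpt and its hashes are constructed.

```python
import re

# From the two rows of the trivy table: module, CVE, earliest fixed version.
ADVISORIES = [
    ("golang.org/x/crypto", "CVE-2020-29652", "v0.0.0-20201216223049-8b5274cf687f"),
    ("golang.org/x/text", "CVE-2021-38561", "v0.3.7"),
]

# Tagged release ("v0.3.7") or v0.0.0 pseudo-version ("v0.0.0-20200622213623-75b288015ac9").
# Assumption: no other shapes (vX.Y.Z-0.<ts>-<hash>, -rc tags, +incompatible); those raise.
_VERSION = re.compile(r"^v(\d+)\.(\d+)\.(\d+)(?:-(\d{14})-[0-9a-f]{12})?$")

def version_key(version: str) -> tuple[int, int, int, int]:
    """(major, minor, patch, commit timestamp) for ordering. Tags get timestamp 0;
    pseudo-versions on the same base compare by commit time, which decides the crypto row."""
    m = _VERSION.match(version)
    if not m:
        raise ValueError(f"unsupported version shape: {version}")
    major, minor, patch, ts = m.groups()
    return (int(major), int(minor), int(patch), int(ts or 0))

def scan_go_sum(go_sum: str) -> list[dict]:
    """One finding per distinct module@version in go.sum that is below a known fix.
    go.sum lists each version twice (zip and /go.mod hash) and may keep versions the
    build no longer selects, so confirm any hit against `go list -m all`."""
    seen, findings = set(), []
    for line in go_sum.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        module, version = fields[0], fields[1].removesuffix("/go.mod")
        if (module, version) in seen:
            continue
        seen.add((module, version))
        for adv_module, cve, fixed in ADVISORIES:
            if adv_module == module and version_key(version) < version_key(fixed):
                findings.append({"module": module, "version": version, "cve": cve, "fixed": fixed})
    return findings

# Constructed go.sum excerpt with the installed versions from the report; hashes are fake.
SAMPLE_GO_SUM = """\
golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9 h1:constructed=
golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:constructed=
golang.org/x/text v0.3.6 h1:constructed=
golang.org/x/text v0.3.6/go.mod h1:constructed=
golang.org/x/text v0.3.7/go.mod h1:constructed=
"""

for hit in scan_go_sum(SAMPLE_GO_SUM):
    print(f"{hit['module']}@{hit['version']}: {hit['cve']} (fixed in {hit['fixed']})")
```

Because go.sum also records the v0.3.7 go.mod hash that the build pulled in, the checker still reports v0.3.6; a clean `go list -m all` is the stronger evidence that the fix is actually selected.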

zegl commented 2 years ago

Thanks for taking the time to both scan and submit a PR! Thankfully it doesn't look like kube-score was affected by any of these CVEs, still very much worth fixing though!

Thanks again! 🥇