Security scan issues #2477
Comments
I suspect most of these will be fixed by upgrading Quarkus, which we should be doing shortly. CC @carlesarnal
What about this one? Found on:
@EricWittmann @carlesarnal any update on these findings?
We are in the process of integrating security scanning into our normal process. @andreaTP thoughts?
I see two kinds of issues reported here:
Before the next release we can:
I agree with one caveat - when we productize registry we'll need to align to a RHBoQ (Red Hat Build of Quarkus). So we need to make sure we align upstream to the right version.
For
@tomasAlabes can you share which code-scanning tool are you using?
Sorry, I was completely sure I answered this. This vulnerability in particular was found by Anchore. But we use several scanning tools. |
It was found by Anchore (I don't have more info than that).
Found security issues in
@andreaTP, is there a plan to tackle these?
We released 2.4.0.Final recently (the container images failed to build but we are correcting that soon). These security issues should be addressed in that version. Most of them are inherited from Quarkus, which we have upgraded in the latest version.
Still seeing vulnerabilities in
Hi @EricWittmann, this is the number 1 reason why we're planning to drop Apicurio. Security should be a priority.
I was working on this today actually. We struggle with this because we inherit a lot of our CVEs from Quarkus and our Docker base image. I've upgraded Quarkus to a newer patch version, which has resolved some of the CVEs. We can't always easily upgrade to the latest Quarkus minor release due to productization processes at Red Hat. We'll keep working on getting better at this. Your criticism is fair.
We're doing a much better job on this now, as can be seen in our security scanning both on GH and on Quay. Also, thanks to the introduction of LTS versions in Quarkus, we're in a much better position for the future as well. Closing this as a result.
These security issues were found while scanning 2.2.3.Final