A lot of security issues found via vulnerability scanning on Google Cloud related to Go #236
Comments
|
Hi @gboston through what mechanism are you using buildpacks? |
Using gcloud run deploy |
|
Hey @gboston just a quick update. @matthewrobertson did a bit more digging and we think we found the root cause. It looks like the builder was using an outdated version of the |
|
Re-tested this on the go sample app using Cloud Build and the vulnerability scanner and we're showing less CVEs. The two CVEs mentioned are no longer present and we are reporting no Critical/Highs
Something noteworthy here is that the scan indicates that there are 20 available "Fixes". Sampling around some of the CVEs i see a few notable themes:
For now, I think we've addressed some of the most urgent vuln issues. The team is still planning to investigate how to make sure "fixable" CVEs are included in future builds. WIll leave this issue open for now and keep a running update |
|
Some quick updates for ya'll. We're in the early phases of releasing our Ubuntu 22 builder, which is both smaller and addresses some of the "fixable" CVEs we talked about in this issue. You can give it a spin by using the You can see some of the results in my testing:
|
When building the image via Buildpacks on Google cloud and pushing it to the artifact registry for scanning, a lot of security issues are detected. I'm assuming these are related to the base image ubuntu 18.04. Is there a way to enforce the latest image, to prevent these security issues?
Issues at the moment: CVE-2021-38297, CVE-2022-23806. These issues are already fixed so I would assume these can easily be handled with a new base image?
The text was updated successfully, but these errors were encountered: