
deps: Bump alpine to 3.16 in builder and final image and multiple golang dependencies due to found CVEs #448

Merged
merged 1 commit into from
Dec 16, 2022

Conversation

gmaiorov

@gmaiorov gmaiorov commented Dec 16, 2022

Overview

This PR bumps alpine to 3.16 in builder and final image as well as multiple golang dependencies.

What this PR does / why we need it

This PR addresses CVEs found in the shell-operator image:
gleb@ic-flant:~/Projects/deckhouse$ bin/trivy i flant/shell-operator:v1.1.2
2022-12-16T16:14:53.949+0300    INFO    Detected OS: alpine
2022-12-16T16:14:53.949+0300    INFO    Detecting Alpine vulnerabilities...
2022-12-16T16:14:53.952+0300    INFO    Number of language-specific files: 1
2022-12-16T16:14:53.952+0300    INFO    Detecting gobinary vulnerabilities...

flant/shell-operator:v1.1.2 (alpine 3.15.4)

Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 0, CRITICAL: 1)

┌──────────────┬────────────────┬──────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│   Library    │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                            Title                            │
├──────────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libcrypto1.1 │ CVE-2022-2097  │ MEDIUM   │ 1.1.1n-r0         │ 1.1.1q-r0     │ openssl: AES OCB fails to encrypt some bytes                │
│              │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-2097                   │
├──────────────┤                │          │                   │               │                                                             │
│ libssl1.1    │                │          │                   │               │                                                             │
│              │                │          │                   │               │                                                             │
├──────────────┼────────────────┼──────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ zlib         │ CVE-2022-37434 │ CRITICAL │ 1.2.12-r0         │ 1.2.12-r2     │ zlib: heap-based buffer over-read and overflow in inflate() │
│              │                │          │                   │               │ in inflate.c via a...                                       │
│              │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-37434                  │
└──────────────┴────────────────┴──────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘

shell-operator (gobinary)

Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 2, CRITICAL: 0)

┌─────────────────────────────┬────────────────┬──────────┬────────────────────────────────────┬───────────────────────────────────┬──────────────────────────────────────────────────────────────┐
│           Library           │ Vulnerability  │ Severity │         Installed Version          │           Fixed Version           │                            Title                             │
├─────────────────────────────┼────────────────┼──────────┼────────────────────────────────────┼───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ go.mongodb.org/mongo-driver │ CVE-2021-20329 │ MEDIUM   │ v1.3.4                             │ 1.5.1                             │ mongo-go-driver: specific cstrings input may not be properly │
│                             │                │          │                                    │                                   │ validated                                                    │
│                             │                │          │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2021-20329                   │
├─────────────────────────────┼────────────────┼──────────┼────────────────────────────────────┼───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/net            │ CVE-2022-27664 │ HIGH     │ v0.0.0-20220722155237-a158d28d115b │ 0.0.0-20220906165146-f3363e06e74c │ golang: net/http: handle server errors after sending GOAWAY  │
│                             │                │          │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2022-27664                   │
├─────────────────────────────┼────────────────┼──────────┼────────────────────────────────────┼───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/net            │ CVE-2022-41717 │ MEDIUM   │ v0.0.0-20220722155237-a158d28d115b │ 0.4.0                             │ An attacker can cause excessive memory growth in a Go server │
│                             │                │          │                                    │                                   │ accepting...                                                 │
│                             │                │          │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2022-41717                   │
├─────────────────────────────┼────────────────┼──────────┼────────────────────────────────────┼───────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/text           │ CVE-2022-32149 │ HIGH     │ v0.3.7                             │ 0.3.8                             │ golang: golang.org/x/text/language: ParseAcceptLanguage      │
│                             │                │          │                                    │                                   │ takes a long time to parse complex tags                      │
│                             │                │          │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2022-32149                   │
└─────────────────────────────┴────────────────┴──────────┴────────────────────────────────────┴───────────────────────────────────┴──────────────────────────────────────────────────────────────┘

Special notes for your reviewer

Does this PR introduce a user-facing change?
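The description above shows the Trivy table output that motivated the bump. In a CI job the same report is normally consumed in its JSON form (`trivy image -f json`) so the pipeline can decide whether to fail and which packages need a new version. The following Go program is an added example, not code from this PR or from the shell-operator project: it parses a Trivy-style JSON report, keeps every finding at or above a severity threshold, and returns the package, installed version and fixed version for each so the remediation (base image or Go module bump) is explicit. The field names follow Trivy's JSON schema; the embedded `sampleReport` is constructed from the findings listed in this PR and is not real scanner output.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"strings"
)

// trivyReport mirrors the subset of Trivy's JSON output that a CI gate needs:
// one Result per scanned target (OS packages, gobinary, ...), each with its
// vulnerabilities. Fields not listed here are ignored by encoding/json.
type trivyReport struct {
	Results []struct {
		Target          string `json:"Target"`
		Vulnerabilities []struct {
			ID        string `json:"VulnerabilityID"`
			Pkg       string `json:"PkgName"`
			Installed string `json:"InstalledVersion"`
			Fixed     string `json:"FixedVersion"`
			Severity  string `json:"Severity"`
		} `json:"Vulnerabilities"`
	} `json:"Results"`
}

// Finding is one vulnerability the gate decided to act on.
type Finding struct {
	Target, ID, Pkg, Installed, Fixed, Severity string
}

// severityRank orders Trivy's severity labels; UNKNOWN or unlisted labels rank 0.
var severityRank = map[string]int{"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

// Gate parses a Trivy JSON report and returns every finding whose severity is at
// or above threshold, plus whether the build should fail (true when any such
// finding exists). Findings with no FixedVersion are still returned, with Fixed
// set to "none", so they show up for triage instead of silently passing.
func Gate(reportJSON []byte, threshold string) ([]Finding, bool, error) {
	var rep trivyReport
	if err := json.Unmarshal(reportJSON, &rep); err != nil {
		return nil, false, fmt.Errorf("parse trivy report: %w", err)
	}
	minRank, ok := severityRank[strings.ToUpper(threshold)]
	if !ok {
		return nil, false, fmt.Errorf("unknown severity threshold %q", threshold)
	}
	var out []Finding
	for _, r := range rep.Results {
		for _, v := range r.Vulnerabilities {
			if severityRank[strings.ToUpper(v.Severity)] < minRank {
				continue
			}
			fixed := v.Fixed
			if fixed == "" {
				fixed = "none"
			}
			out = append(out, Finding{r.Target, v.ID, v.Pkg, v.Installed, fixed, v.Severity})
		}
	}
	return out, len(out) > 0, nil
}

// sampleReport is a constructed Trivy-style document modelled on the findings in
// the PR description above (not real scanner output).
const sampleReport = `{
 "Results": [
  {"Target": "flant/shell-operator:v1.1.2 (alpine 3.15.4)", "Vulnerabilities": [
   {"VulnerabilityID": "CVE-2022-2097", "PkgName": "libcrypto1.1", "InstalledVersion": "1.1.1n-r0", "FixedVersion": "1.1.1q-r0", "Severity": "MEDIUM"},
   {"VulnerabilityID": "CVE-2022-37434", "PkgName": "zlib", "InstalledVersion": "1.2.12-r0", "FixedVersion": "1.2.12-r2", "Severity": "CRITICAL"}
  ]},
  {"Target": "shell-operator (gobinary)", "Vulnerabilities": [
   {"VulnerabilityID": "CVE-2022-27664", "PkgName": "golang.org/x/net", "InstalledVersion": "v0.0.0-20220722155237-a158d28d115b", "FixedVersion": "0.0.0-20220906165146-f3363e06e74c", "Severity": "HIGH"},
   {"VulnerabilityID": "CVE-2022-32149", "PkgName": "golang.org/x/text", "InstalledVersion": "v0.3.7", "FixedVersion": "0.3.8", "Severity": "HIGH"},
   {"VulnerabilityID": "CVE-2021-20329", "PkgName": "go.mongodb.org/mongo-driver", "InstalledVersion": "v1.3.4", "FixedVersion": "1.5.1", "Severity": "MEDIUM"}
  ]}
 ]
}`

// Usage: go run gate.go [report.json]; without an argument the embedded sample is used.
// Exits non-zero when any finding is HIGH or CRITICAL, which is what a CI step wants.
func main() {
	data := []byte(sampleReport)
	if len(os.Args) > 1 {
		var err error
		if data, err = os.ReadFile(os.Args[1]); err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
	}
	findings, fail, err := Gate(data, "HIGH")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	for _, f := range findings {
		fmt.Printf("%-8s %-15s %-28s %s -> %s  [%s]\n", f.Severity, f.ID, f.Pkg, f.Installed, f.Fixed, f.Target)
	}
	if fail {
		os.Exit(1)
	}
}
```

Run against the sample, the gate at threshold HIGH reports zlib (CRITICAL), golang.org/x/net and golang.org/x/text and exits 1, which is the same set this PR fixes by moving to Alpine 3.16 and bumping the Go modules; the two MEDIUM findings are printed only if the threshold is lowered. Trivy itself can enforce the same policy with `--exit-code 1 --severity HIGH,CRITICAL`; parsing the JSON is useful when the pipeline also needs the fixed versions to open the dependency bump automatically.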


@gmaiorov gmaiorov added dependencies Pull requests that update a dependency file docker Pull requests that update Docker code labels Dec 16, 2022
@gmaiorov gmaiorov self-assigned this Dec 16, 2022
@gmaiorov gmaiorov changed the title deps: Bump alpine to 3.16.3 in builder and final image and multiple golang dependencies due to found CVEs deps: Bump alpine to 3.16 in builder and final image and multiple golang dependencies due to found CVEs Dec 16, 2022

@diafour diafour left a comment


Great!

@diafour diafour added run/tests Run tests on full matrix of k8s versions publish/image/dev/amd64 Build and push dev image using PR number as docker tag labels Dec 16, 2022
@github-actions github-actions bot removed run/tests Run tests on full matrix of k8s versions publish/image/dev/amd64 Build and push dev image using PR number as docker tag labels Dec 16, 2022
@diafour diafour added the run/tests Run tests on full matrix of k8s versions label Dec 16, 2022
@github-actions github-actions bot removed the run/tests Run tests on full matrix of k8s versions label Dec 16, 2022
…olang dependencies due to found CVEs

Signed-off-by: Gleb Maiorov <gleb.maiorov@flant.com>
@gmaiorov gmaiorov added publish/image/dev Build and push dev image using PR number as docker tag run/tests Run tests on full matrix of k8s versions labels Dec 16, 2022
@github-actions github-actions bot removed run/tests Run tests on full matrix of k8s versions publish/image/dev Build and push dev image using PR number as docker tag labels Dec 16, 2022
@diafour diafour added the publish/image/dev/amd64 Build and push dev image using PR number as docker tag label Dec 16, 2022
@github-actions github-actions bot removed the publish/image/dev/amd64 Build and push dev image using PR number as docker tag label Dec 16, 2022
@diafour diafour merged commit b2323c5 into main Dec 16, 2022
@diafour diafour added this to the 1.1.3 milestone Feb 8, 2023