Possible shortcoming in KIALI-SECURITY-001 detection script #3135

Closed
cpick opened this issue Aug 19, 2020 · 3 comments · Fixed by kiali/kiali.io#294
Labels: backlog (Triaged Issue added to backlog), bug (Something isn't working)

Comments

@cpick

cpick commented Aug 19, 2020

Describe the bug

The detection section of the KIALI-SECURITY-001 bulletin includes the following script:

[ ${VERSION_ENTRIES[0]} -le "1" ] && [ ${VERSION_ENTRIES[1]} -le "15" ] && [ ${VERSION_ENTRIES[2]} -le "0" ] && echo "Your Kiali version is vulnerable"

This will print "Your Kiali version is vulnerable" if the version is >= 1.0.0 && <= 1.15.0, but not if the major version is 0.X.Y.

Versions used
Kiali: < v1

To Reproduce
Steps to reproduce the behavior:

  1. Install an old Kiali (e.g. v0.20)
  2. Run the detection script from the bulletin

Expected behavior
I believe it should print "Your Kiali version is vulnerable" but it does not.
I could be mistaken if the vulnerability was only introduced in v1 and isn't present in v0.

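The quoted one-liner tests each version component on its own, so a version can fail the check even when it is numerically below 1.15.0. As an added example that is not the bulletin's script nor the fix merged for this issue, the function below compares the whole dotted version numerically against the last affected release (assumed here to be 1.15.0, the upper bound the quoted one-liner encodes); a leading `v` and a `-suffix` are stripped first, which is an assumption about the input format, not something the bulletin states.

```shell
#!/bin/sh
# Added example, not the KIALI-SECURITY-001 bulletin's script.
# Assumption: every release up to and including LAST_AFFECTED is affected,
# so 0.x.y releases are inside the range.
LAST_AFFECTED="1.15.0"

# version_le A B: exit 0 if dotted version A <= B, 1 if A > B,
# 2 if a component is not a plain integer (cannot decide).
version_le() {
    a="$1" b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}          # leading component of each side
        ai=${ai:-0}; bi=${bi:-0}          # missing component counts as 0 (1.15 == 1.15.0)
        case "$ai$bi" in
            *[!0-9]*) echo "non-numeric version component: $1 / $2" >&2; return 2 ;;
        esac
        [ "$ai" -lt "$bi" ] && return 0
        [ "$ai" -gt "$bi" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac   # drop the compared component
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0                               # all components equal
}

# is_vulnerable VERSION: normalise the string, then compare it as a whole.
is_vulnerable() {
    v=${1#v}                               # "v0.20" -> "0.20" (assumed prefix)
    v=${v%%-*}                             # "1.15.0-rc1" -> "1.15.0" (assumed suffix)
    if version_le "$v" "$LAST_AFFECTED"; then
        echo "Your Kiali version is vulnerable"
        return 0
    fi
    return 1
}

# Constructed sample inputs: the 0.x case from the issue plus boundary cases.
for sample in v0.20 1.3.5 1.15.0 1.15.1 2.0.0; do
    printf '%s: ' "$sample"
    is_vulnerable "$sample" || echo "not in affected range"
done
```

The loop at the end flags v0.20, 1.3.5 and 1.15.0 and clears 1.15.1 and 2.0.0; the original one-liner would miss both v0.20 and 1.3.5.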
cpick added the "bug" label Aug 19, 2020
@lucasponce
Contributor

lucasponce commented Aug 20, 2020

Side question: in which scenarios is Kiali v0.20 still being used?
The Kiali 0.x was a preliminary release and we would like to help potential users to bump into a newer one.

@jshaughn
Collaborator

Thanks @cpick. I guess we just didn't think anyone would be running v0.x, as it is long out of support for Kiali and not associated with any supported version of Istio, but we can update the script.

jshaughn added the "team/saturn" and "backlog" labels Aug 20, 2020
@cpick
Author

cpick commented Aug 20, 2020

@lucasponce I don't know of a good reason why it would still be used, but ancient versions of all software find ways to live on :(

I do think it's useful to have more ways to point out that running an old/unsupported version is a bad idea. Having checks like these properly flag them as vulnerable helps make that case. (I don't get the sense that anyone disagrees with this idea, just putting down my thinking.)

israel-hdez added a commit to israel-hdez/kiali.io that referenced this issue Aug 21, 2020
Detection script was not outputting the expected warning text on all
affected versions. This change should fix the detection test.

Fixes kiali/kiali#3135
mtho11 pushed a commit to mtho11/kiali.io that referenced this issue Nov 18, 2020