crictl flagged for vulerabilities #1285
Comments
yehiyam
added
kind/bug
|
I would also like to know when the next release will be! |
|
Usually the next version would be released with Kubernetes v1.29 in December. While the packages are vulnerable, are we sure that we're affected by those vulnerabilities? |
|
@saschagrunert I do not know if we are affected. |
|
I don't think we are. Can you confirm @kwilczynski? |
|
@yehiyam @saschagrunert, the scanners would pick the following most likely:
Some of these reported vulnerabilities are against dependencies that aren't our direct dependencies. Some used to be direct but eventually moved as we upgraded other dependencies, for example: From the above (an excerpt from the larger changeset): @@ -18,8 +18,8 @@ require (
github.com/sirupsen/logrus v1.8.1
github.com/urfave/cli/v2 v2.4.0
golang.org/x/net v0.0.0-20211209124913-491a49abca63
- golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e
- google.golang.org/grpc v1.45.0
+ golang.org/x/sys v0.0.0-20220114195835-da31bd327af9
+ google.golang.org/grpc v1.45.0 // indirect
gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b
k8s.io/api v0.23.1
k8s.io/apimachinery v0.23.1Currently: $ go mod why google.golang.org/grpc github.com/cyphar/filepath-securejoin go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp
# google.golang.org/grpc
github.com/kubernetes-sigs/cri-tools/cmd/crictl
k8s.io/cri-api/pkg/apis/runtime/v1
google.golang.org/grpc
# github.com/cyphar/filepath-securejoin
github.com/kubernetes-sigs/cri-tools/pkg/validate
github.com/opencontainers/runc/libcontainer/apparmor
github.com/opencontainers/runc/libcontainer/utils
github.com/cyphar/filepath-securejoin
# go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp
github.com/kubernetes-sigs/cri-tools/cmd/crictl
k8s.io/kubernetes/pkg/kubelet/cri/remote
k8s.io/component-base/tracing
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttpWe are also not exposing any listeners of QUIC, HTTP/2, gRPC, etc., where most of the recent vulnerabilities were mainly exposed. Yes, it would be nice to keep the dependencies up-to-date as soon as there are issues, but when nothing is affecting us directly within the immediate code base or some crucial dependency, then deferring upgrades is an option, too. We will upgrade the Go version and the dependencies soon, just before another release, as @saschagrunert said. @yehiyam, are you having issues with your security scanners? Some compliance problems? Because of our outdated dependencies? |
|
@kwilczynski |
I thought you would. Sorry about that!
None of these affect cri-tools at the moment. Even though it might look like it - this is mainly due to scanners seeing dependencies, which in our case are indirect and/or transitive, as we do not have any servers or listeners in a primarily command-line client utility. You can put your security team at ease about the reports. That said, I am not sure when there will be a new release of cri-tools - unless @saschagrunert deems that it might be prudent to make one in order to bring more up-to-date dependencies. |
|
@kwilczynski / @saschagrunert : I vote +1 on @yehiyam to publish a new release just to bump up the dependencies |
|
@tshaiman, with people back from KubeCon, I am sure that work on the new release will move forward. 😄 |
|
@tshaiman we're cutting Kubernetes v1.29.0 in 3 weeks, can we wait for that considering that the code actually not affected? |
|
Sure @saschagrunert |
|
@saschagrunert seems the 1.129 release didn't take care for CVE-2023-47108 |
|
@Yoni-Mantzur we're not affected by this CVE, because:
|
|
@saschagrunert, same here. This probably can be closed. There is nothing for us to immediately do here. I suppose. |
What happened:
crictl executable is flagged for vulnerabilities in Go packages:
What you expected to happen:
What is the schedule for the next release?
The text was updated successfully, but these errors were encountered: