the image has many vulnerabilities scanned by trivy

[stoneshi-yunify]

root@test-ap1:~# trivy image k8s.gcr.io/sig-storage/nfs-subdir-external-provisioner:v4.0.2
2022-05-24T11:27:32.291+0800	INFO	Need to update DB
2022-05-24T11:27:32.291+0800	INFO	DB Repository: ghcr.io/aquasecurity/trivy-db
2022-05-24T11:27:32.291+0800	INFO	Downloading DB...
31.94 MiB / 31.94 MiB [-----------------------------------------------------------------------------------------------------] 100.00% 1.09 MiB p/s 29s
2022-05-24T11:28:09.870+0800	INFO	Detected OS: debian
2022-05-24T11:28:09.870+0800	INFO	Detecting Debian vulnerabilities...
2022-05-24T11:28:09.870+0800	INFO	Number of language-specific files: 1
2022-05-24T11:28:09.871+0800	INFO	Detecting gobinary vulnerabilities...

k8s.gcr.io/sig-storage/nfs-subdir-external-provisioner:v4.0.2 (debian 9.13)

Total: 2 (UNKNOWN: 2, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

┌─────────┬───────────────┬──────────┬───────────────────┬────────────────┬────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version  │             Title              │
├─────────┼───────────────┼──────────┼───────────────────┼────────────────┼────────────────────────────────┤
│ tzdata  │ DLA-2797-1    │ UNKNOWN  │ 2021a-0+deb9u1    │ 2021a-0+deb9u2 │ tzdata - new upstream version  │
│         ├───────────────┤          │                   ├────────────────┼────────────────────────────────┤
│         │ DLA-2963-1    │          │                   │ 2021a-0+deb9u3 │ tzdata - new timezone database │
└─────────┴───────────────┴──────────┴───────────────────┴────────────────┴────────────────────────────────┘

nfs-subdir-external-provisioner (gobinary)

Total: 20 (UNKNOWN: 1, LOW: 2, MEDIUM: 12, HIGH: 5, CRITICAL: 0)

┌──────────────────────────┬────────────────┬──────────┬────────────────────────────────────┬───────────────────────────────────────────┬──────────────────────────────────────────────────────────────┐
│         Library          │ Vulnerability  │ Severity │         Installed Version          │               Fixed Version               │                            Title                             │
├──────────────────────────┼────────────────┼──────────┼────────────────────────────────────┼───────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/gogo/protobuf │ CVE-2021-3121  │ HIGH     │ v1.3.1                             │ 1.3.2                                     │ gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain   │
│                          │                │          │                                    │                                           │ index validation                                             │
│                          │                │          │                                    │                                           │ https://avd.aquasec.com/nvd/cve-2021-3121                    │
├──────────────────────────┼────────────────┼──────────┼────────────────────────────────────┼───────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/crypto      │ CVE-2022-27191 │ HIGH     │ v0.0.0-20200220183623-bac4c82f6975 │ 0.0.0-20220315160706-3147a52a75dd         │ golang: crash in a golang.org/x/crypto/ssh server            │
│                          │                │          │                                    │                                           │ https://avd.aquasec.com/nvd/cve-2022-27191                   │
├──────────────────────────┼────────────────┼──────────┼────────────────────────────────────┼───────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/text        │ CVE-2020-14040 │ HIGH     │ v0.3.2                             │ 0.3.3                                     │ golang.org/x/text: possibility to trigger an infinite loop   │
│                          │                │          │                                    │                                           │ in encoding/unicode could lead to...                         │
│                          │                │          │                                    │                                           │ https://avd.aquasec.com/nvd/cve-2020-14040                   │
│                          ├────────────────┼──────────┤                                    ├───────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                          │ CVE-2021-38561 │ UNKNOWN  │                                    │ 0.3.7                                     │ Due to improper index calculation, an incorrectly formatted  │
│                          │                │          │                                    │                                           │ language tag can cause...                                    │
│                          │                │          │                                    │                                           │ https://avd.aquasec.com/nvd/cve-2021-38561                   │
├──────────────────────────┼────────────────┼──────────┼────────────────────────────────────┼───────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ k8s.io/client-go         │ CVE-2020-8565  │ MEDIUM   │ v0.18.0                            │ 0.20.0-alpha.2                            │ kubernetes: Incomplete fix for CVE-2019-11250 allows for     │
│                          │                │          │                                    │                                           │ token leak in logs when...                                   │
│                          │                │          │                                    │                                           │ https://avd.aquasec.com/nvd/cve-2020-8565                    │
├──────────────────────────┼────────────────┼──────────┼────────────────────────────────────┼───────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ k8s.io/kubernetes        │ CVE-2020-8558  │ HIGH     │ v1.18.0                            │ 1.16.11, 1.17.7, 1.18.4                   │ kubernetes: node localhost services reachable via martian    │
│                          │                │          │                                    │                                           │ packets                                                      │
│                          │                │          │                                    │                                           │ https://avd.aquasec.com/nvd/cve-2020-8558                    │
│                          ├────────────────┤          │                                    ├───────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                          │ CVE-2021-25741 │          │                                    │ 1.19.15, 1.20.11, 1.21.5, 1.22.2          │ kubernetes: Symlink exchange can allow host filesystem       │
│                          │                │          │                                    │                                           │ access                                                       │
│                          │                │          │                                    │                                           │ https://avd.aquasec.com/nvd/cve-2021-25741                   │
├──────────────────────────┼────────────────┼──────────┼────────────────────────────────────┼───────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ k8s.io/kubernetes        │ CVE-2020-8554  │ MEDIUM   │ v1.18.0                            │                                           │ kubernetes: MITM using LoadBalancer or ExternalIPs           │
│                          │                │          │                                    │                                           │ https://avd.aquasec.com/nvd/cve-2020-8554                    │
├──────────────────────────┼────────────────┼──────────┼────────────────────────────────────┼───────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ k8s.io/kubernetes        │ CVE-2020-8555  │ MEDIUM   │ v1.18.0                            │ 1.15.11, 1.16.9, 1.17.5, 1.18.1           │ kubernetes: Server side request forgery (SSRF) in            │
│                          │                │          │                                    │                                           │ kube-controller-manager allows users to leak...              │
│                          │                │          │                                    │                                           │ https://avd.aquasec.com/nvd/cve-2020-8555                    │
├──────────────────────────┼────────────────┼──────────┼────────────────────────────────────┼───────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ k8s.io/kubernetes        │ CVE-2020-8557  │ MEDIUM   │ v1.18.0                            │ 1.16.13, 1.17.9, 1.18.6                   │ kubernetes: Node disk DOS by writing to container /etc/hosts │
│                          │                │          │                                    │                                           │ https://avd.aquasec.com/nvd/cve-2020-8557                    │
├──────────────────────────┼────────────────┼──────────┼────────────────────────────────────┼───────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ k8s.io/kubernetes        │ CVE-2020-8559  │ MEDIUM   │ v1.18.0                            │ 1.16.13, 1.17.9, 1.18.6                   │ kubernetes: compromised node could escalate to cluster level │
│                          │                │          │                                    │                                           │ privileges                                                   │
│                          │                │          │                                    │                                           │ https://avd.aquasec.com/nvd/cve-2020-8559                    │
├──────────────────────────┼────────────────┼──────────┼────────────────────────────────────┼───────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ k8s.io/kubernetes        │ CVE-2020-8561  │ MEDIUM   │ v1.18.0                            │                                           │ kubernetes: Webhook redirect in kube-apiserver               │
│                          │                │          │                                    │                                           │ https://avd.aquasec.com/nvd/cve-2020-8561                    │
├──────────────────────────┼────────────────┼──────────┼────────────────────────────────────┼───────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ k8s.io/kubernetes        │ CVE-2020-8563  │ MEDIUM   │ v1.18.0                            │ 1.19.3                                    │ kubernetes: Secret leaks in kube-controller-manager when     │
│                          │                │          │                                    │                                           │ using vSphere Provider                                       │
│                          │                │          │                                    │                                           │ https://avd.aquasec.com/nvd/cve-2020-8563                    │
│                          ├────────────────┤          │                                    ├───────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                          │ CVE-2020-8564  │          │                                    │ 1.20.0-alpha.1                            │ kubernetes: Docker config secrets leaked when file is        │
│                          │                │          │                                    │                                           │ malformed and loglevel >=...                                 │
│                          │                │          │                                    │                                           │ https://avd.aquasec.com/nvd/cve-2020-8564                    │
│                          ├────────────────┤          │                                    ├───────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                          │ CVE-2020-8565  │          │                                    │ 1.20.0-alpha.2                            │ kubernetes: Incomplete fix for CVE-2019-11250 allows for     │
│                          │                │          │                                    │                                           │ token leak in logs when...                                   │
│                          │                │          │                                    │                                           │ https://avd.aquasec.com/nvd/cve-2020-8565                    │
│                          ├────────────────┤          │                                    ├───────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                          │ CVE-2020-8566  │          │                                    │ 1.17.13, 1.18.10, 1.19.3                  │ kubernetes: Ceph RBD adminSecrets exposed in logs when       │
│                          │                │          │                                    │                                           │ loglevel >= 4                                                │
│                          │                │          │                                    │                                           │ https://avd.aquasec.com/nvd/cve-2020-8566                    │
│                          ├────────────────┤          │                                    ├───────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                          │ CVE-2021-25735 │          │                                    │ 1.18.18, 1.19.10, 1.20.6                  │ kubernetes: Validating Admission Webhook does not observe    │
│                          │                │          │                                    │                                           │ some previous fields                                         │
│                          │                │          │                                    │                                           │ https://avd.aquasec.com/nvd/cve-2021-25735                   │
│                          ├────────────────┤          │                                    ├───────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                          │ CVE-2021-25737 │          │                                    │ 1.18.19, 1.19.10, 1.20.7, 1.21.1          │ kubernetes: Holes in EndpointSlice Validation Enable Host    │
│                          │                │          │                                    │                                           │ Network Hijack                                               │
│                          │                │          │                                    │                                           │ https://avd.aquasec.com/nvd/cve-2021-25737                   │
├──────────────────────────┼────────────────┼──────────┼────────────────────────────────────┼───────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ k8s.io/kubernetes        │ CVE-2020-8562  │ LOW      │ v1.18.0                            │ 1.21.1, 1.21.1, 1.19.11, 1.18.19, 1.18.19 │ kubernetes: Bypass of Kubernetes API Server proxy TOCTOU     │
│                          │                │          │                                    │                                           │ https://avd.aquasec.com/nvd/cve-2020-8562                    │
├──────────────────────────┼────────────────┼──────────┼────────────────────────────────────┼───────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ k8s.io/kubernetes        │ CVE-2021-25740 │ LOW      │ v1.18.0                            │                                           │ kubernetes: Endpoint & EndpointSlice permissions allow       │
│                          │                │          │                                    │                                           │ cross-Namespace forwarding                                   │
│                          │                │          │                                    │                                           │ https://avd.aquasec.com/nvd/cve-2021-25740                   │
└──────────────────────────┴────────────────┴──────────┴────────────────────────────────────┴───────────────────────────────────────────┴──────────────────────────────────────────────────────────────┘

[xing-yang]

@humblec Can you help take a look of this?

[humblec]

Sure.. will fix this @xing-yang

[humblec]

@stoneshi-yunify can you try 4.0.16 which is latest..
https://github.com/kubernetes-sigs/nfs-subdir-external-provisioner/releases/tag/nfs-subdir-external-provisioner-4.0.16

[james-d-elliott]

Isn't that a helm chart tag, not an image tag? Also that chart uses image tag v4.0.2 which seems consistent with the trivy usage.

[humblec]

Isn't that a helm chart tag, not an image tag? Also that chart uses image tag v4.0.2 which seems consistent with the trivy usage.

Oh.. Looks like the image was not promoted in that case to the registry.. let me check and revert!

[james-d-elliott]

Looks like v4.0.2 is the latest published image by the way (not entirely sure what you meant by promoted, but guessing you meant it's not configured in the chart): https://k8s.gcr.io/v2/sig-storage/nfs-subdir-external-provisioner/tags/list

[yonatankahana]

the latest provisioner version is 4.0.2.
the latest helm version is 4.0.16 which defaults to v4.0.2 image tag.

it seems that most of the vulnerabilities already solved in our master branch, but not yet released as an official image, and there is still one to go.

2022-05-25T20:01:41.553+0300	INFO	Detected OS: debian
2022-05-25T20:01:41.553+0300	INFO	Detecting Debian vulnerabilities...
2022-05-25T20:01:41.553+0300	INFO	Number of language-specific files: 1
2022-05-25T20:01:41.553+0300	INFO	Detecting gobinary vulnerabilities...

quay.io/yonatankahana/nfs-subdir-external-provisioner:master-20220525-amd64 (debian 11.3)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


nfs-subdir-external-provisioner (gobinary)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

┌─────────────────────┬────────────────┬──────────┬────────────────────────────────────┬───────────────────────────────────┬───────────────────────────────────────────────────┐
│       Library       │ Vulnerability  │ Severity │         Installed Version          │           Fixed Version           │                       Title                       │
├─────────────────────┼────────────────┼──────────┼────────────────────────────────────┼───────────────────────────────────┼───────────────────────────────────────────────────┤
│ golang.org/x/crypto │ CVE-2022-27191 │ HIGH     │ v0.0.0-20220214200702-86341886e292 │ 0.0.0-20220315160706-3147a52a75dd │ golang: crash in a golang.org/x/crypto/ssh server │
│                     │                │          │                                    │                                   │ https://avd.aquasec.com/nvd/cve-2022-27191        │
└─────────────────────┴────────────────┴──────────┴────────────────────────────────────┴───────────────────────────────────┴───────────────────────────────────────────────────┘

until an official version released, if you must, you can use this unofficial image of my fork that have 0 vulnerabilities: quay.io/yonatankahana/nfs-subdir-external-provisioner:pr207

(for helm use: --set image.repository=quay.io/yonatankahana/nfs-subdir-external-provisioner,image.tag=pr207)

[larsonreever]

in addition the fixes already done to solve vulnerabilities , above new github action allows us to make sure we will keep it that way in the future by running trivy scan on any pull request (and every push to master) and fail if any vulnerability found (and can be fixed).
Thanks.

[yonatankahana]

in addition the fixes already done to solve vulnerabilities , above new github action allows us to make sure we will keep it that way in the future by running trivy scan on any pull request (and every push to master) and fail if any vulnerability found (and can be fixed). Thanks.

follow #211

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[0Styless]

Is there anything new to this?
I saw there is a new helm release 4.0.17 but the image version is still on v4.0.2.

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

[0Styless]

/remove-lifecycle rotten

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle stale
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[0Styless]

/remove-lifecycle stale

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle stale
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[yonatankahana]

/remove-lifecycle stale

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle stale
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle rotten
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

[cdm-arm]

Hi @yonatankahana - as #287 was merged two weeks ago, is there a chance the 4.0.3 will happen?

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Reopen this issue with /reopen
• Mark this issue as fresh with /remove-lifecycle rotten
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close not-planned

[k8s-ci-robot]

@k8s-triage-robot: Closing this issue, marking it as "Not Planned".

In response to this:

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Reopen this issue with /reopen
• Mark this issue as fresh with /remove-lifecycle rotten
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close not-planned

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.