[cinder-csi-plugin] a lot of critical vulnerabilities on Cinder containers #1994
Thanks for reporting this, I didn't expect so many issues in the base container... So from the PR I think bullseye-v1.4.2 is the latest security-enhanced image, so you propose to use it?
Hi @jichenjc, well, the base image used is 2 years old, so a lot of security issues have been found since. I can propose a patch later on to use renovate (or a similar product) that would automate bumping this version.
Is this a BUG REPORT or FEATURE REQUEST?:
/kind bug
What happened:
Running trivy on cinder csi containers reports 21 critical vulnerabilities (all being from the container itself) and 55 high (1 from actual cinder csi code).
What you expected to happen:
Having the lowest possible number of vulnerabilities, especially critical and high
How to reproduce it:
trivy image docker.io/k8scloudprovider/cinder-csi-plugin:v1.25.0
Anything else we need to know?:
I was thinking of proposing to move to distroless, but #1938 seems to indicate we need some binaries in the containers.
I tried to look at the code to see exactly which ones are needed but I couldn't find them :/
Environment: