CVE in v2.11.0 Image #2349
This issue is currently awaiting triage. If kube-state-metrics contributors determine this is a relevant issue, they will accept it by applying the The Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Could you run with main branch again? #2352 was merged recently.
@CatherineF-dev I built the image locally. That image seems to be clear of any vulnerability. However, is the main branch image published anywhere? Do you know when v2.12.0 will be released?
Could you verify v2.12.0? Seems released #2335
Hi @CatherineF-dev, I see #2335 is merged but it is not released yet, it seems.
Could you try again?
Thanks a ton @CatherineF-dev |
Ran image scan `docker scout cves registry.k8s.io/kube-state-metrics/kube-state-metrics:v2.11.0` and found CVE:
Packages and Vulnerabilities
https://scout.docker.com/v/CVE-2024-24786
GHSA-8r3f-844c-mc37
CVE report should be clean:
How to reproduce it (as minimally and precisely as possible):
Anything else we need to know?:
I see 3 open PRs #2342 #2341 #2340 which reference this issue.
I see based on GHSA-8r3f-844c-mc37 that the issue is related to protobuf; ran `go mod why` to check from which dependency these indirect dependencies are arising. It seems it is due to prometheus.
I am willing to contribute to fix the issue in case the original contributors need any help.
Environment:
kubectl version: NA
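As an added example (not from the issue or the kube-state-metrics project): the reporter traced the advisory to google.golang.org/protobuf pulled in via prometheus; the function below checks a saved `go list -m all` listing for a protobuf version below an assumed fixed version, so a maintainer can confirm a dependency bump actually cleared the finding before rebuilding the image. The module listing is a constructed sample, and the fix threshold FIXED_PROTOBUF is an assumption to verify against the advisory.

```shell
#!/bin/sh
# Added example; not part of the issue or the project.
# In a real module, capture the listing with:
#   go list -m all > modules.txt
# and show the dependency chain the reporter looked at with:
#   go mod why -m google.golang.org/protobuf

# Constructed sample of `go list -m all` output (not a real listing).
SAMPLE_MODULES='github.com/prometheus/client_golang v1.18.0
github.com/prometheus/common v0.46.0
google.golang.org/protobuf v1.32.0'

# Assumed first fixed version for CVE-2024-24786 / GHSA-8r3f-844c-mc37;
# verify against the advisory before relying on it.
FIXED_PROTOBUF="v1.33.0"

# protobuf_version LISTING -> prints the google.golang.org/protobuf version in LISTING
protobuf_version() {
  printf '%s\n' "$1" | awk '$1 == "google.golang.org/protobuf" { print $2 }'
}

# version_lt A B -> exit 0 when semver tag A is strictly lower than B
# (pre-release suffixes such as -rc1 are ignored for the comparison)
version_lt() {
  a=${1#v}; b=${2#v}
  old_ifs=$IFS; IFS=.
  set -- $a; a1=$1; a2=$2; a3=${3%%-*}
  set -- $b; b1=$1; b2=$2; b3=${3%%-*}
  IFS=$old_ifs
  [ "$a1" -lt "$b1" ] || {
    [ "$a1" -eq "$b1" ] && {
      [ "$a2" -lt "$b2" ] || { [ "$a2" -eq "$b2" ] && [ "$a3" -lt "$b3" ]; }
    }
  }
}

# protobuf_is_vulnerable LISTING -> exit 0 when the listed protobuf is below FIXED_PROTOBUF
protobuf_is_vulnerable() {
  v=$(protobuf_version "$1")
  [ -n "$v" ] && version_lt "$v" "$FIXED_PROTOBUF"
}

# Stand-alone run against the constructed sample.
if protobuf_is_vulnerable "$SAMPLE_MODULES"; then
  echo "google.golang.org/protobuf $(protobuf_version "$SAMPLE_MODULES") is below $FIXED_PROTOBUF"
else
  echo "protobuf version is at or above $FIXED_PROTOBUF"
fi
```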