Trivy scan report about opensearchproject/opensearch:1.3.6 #5126

Closed
SpringYang004 opened this issue Nov 8, 2022 · 2 comments
Labels
bug Something isn't working untriaged

Comments

@SpringYang004

Describe the bug
Hi team,
There are some vulnerabilities in the Trivy scan report. Is there any plan to upgrade the versions of the libs to fix them? Thanks.

Attachment: opensearch-trivy-scan-report.xlsx

@SpringYang004 (Author)

The vulnerabilities include:

Target type `amazon` (Amazon Linux 2 OS packages):

| Package | Vulnerability ID | Severity | Installed Version | Fixed Version |
|---|---|---|---|---|
| glibc | CVE-2021-3999 | MEDIUM | 2.26-60.amzn2 | 2.26-61.amzn2 |
| glibc-common | CVE-2021-3999 | MEDIUM | 2.26-60.amzn2 | 2.26-61.amzn2 |
| glibc-langpack-en | CVE-2021-3999 | MEDIUM | 2.26-60.amzn2 | 2.26-61.amzn2 |
| glibc-minimal-langpack | CVE-2021-3999 | MEDIUM | 2.26-60.amzn2 | 2.26-61.amzn2 |
| libcrypt | CVE-2021-3999 | MEDIUM | 2.26-60.amzn2 | 2.26-61.amzn2 |
| libxml2 | CVE-2022-29824 | MEDIUM | 2.9.1-6.amzn2.5.5 | 2.9.1-6.amzn2.5.6 |
| vim-data | CVE-2022-2257 | HIGH | 2:8.2.5172-1.amzn2.0.1 | 2:9.0.475-1.amzn2.0.1 |
| vim-data | CVE-2022-2264 | HIGH | 2:8.2.5172-1.amzn2.0.1 | 2:9.0.475-1.amzn2.0.1 |
| vim-data | CVE-2022-2284 | HIGH | 2:8.2.5172-1.amzn2.0.1 | 2:9.0.475-1.amzn2.0.1 |
| vim-data | CVE-2022-2285 | HIGH | 2:8.2.5172-1.amzn2.0.1 | 2:9.0.475-1.amzn2.0.1 |
| vim-data | CVE-2022-2286 | HIGH | 2:8.2.5172-1.amzn2.0.1 | 2:9.0.475-1.amzn2.0.1 |
| vim-data | CVE-2022-2287 | HIGH | 2:8.2.5172-1.amzn2.0.1 | 2:9.0.475-1.amzn2.0.1 |
| vim-data | CVE-2022-2288 | HIGH | 2:8.2.5172-1.amzn2.0.1 | 2:9.0.475-1.amzn2.0.1 |
| vim-data | CVE-2022-2289 | HIGH | 2:8.2.5172-1.amzn2.0.1 | 2:9.0.475-1.amzn2.0.1 |
| vim-data | CVE-2022-2304 | HIGH | 2:8.2.5172-1.amzn2.0.1 | 2:9.0.475-1.amzn2.0.1 |
| vim-data | CVE-2022-2343 | HIGH | 2:8.2.5172-1.amzn2.0.1 | 2:9.0.475-1.amzn2.0.1 |
| vim-data | CVE-2022-2344 | HIGH | 2:8.2.5172-1.amzn2.0.1 | 2:9.0.475-1.amzn2.0.1 |
| vim-data | CVE-2022-2345 | HIGH | 2:8.2.5172-1.amzn2.0.1 | 2:9.0.475-1.amzn2.0.1 |
| vim-data | CVE-2022-2816 | HIGH | 2:8.2.5172-1.amzn2.0.1 | 2:9.0.475-1.amzn2.0.1 |
| vim-data | CVE-2022-2817 | HIGH | 2:8.2.5172-1.amzn2.0.1 | 2:9.0.475-1.amzn2.0.1 |
| vim-data | CVE-2022-2819 | HIGH | 2:8.2.5172-1.amzn2.0.1 | 2:9.0.475-1.amzn2.0.1 |
| vim-data | CVE-2022-2845 | HIGH | 2:8.2.5172-1.amzn2.0.1 | 2:9.0.475-1.amzn2.0.1 |
| vim-data | CVE-2022-2849 | HIGH | 2:8.2.5172-1.amzn2.0.1 | 2:9.0.475-1.amzn2.0.1 |
| vim-data | CVE-2022-2862 | HIGH | 2:8.2.5172-1.amzn2.0.1 | 2:9.0.475-1.amzn2.0.1 |
| vim-data | CVE-2022-2889 | HIGH | 2:8.2.5172-1.amzn2.0.1 | 2:9.0.475-1.amzn2.0.1 |
| vim-data | CVE-2022-2946 | HIGH | 2:8.2.5172-1.amzn2.0.1 | 2:9.0.475-1.amzn2.0.1 |
| vim-data | CVE-2022-2982 | HIGH | 2:8.2.5172-1.amzn2.0.1 | 2:9.0.475-1.amzn2.0.1 |
| vim-data | CVE-2022-3016 | HIGH | 2:8.2.5172-1.amzn2.0.1 | 2:9.0.475-1.amzn2.0.1 |
| vim-data | CVE-2022-3037 | HIGH | 2:8.2.5172-1.amzn2.0.1 | 2:9.0.475-1.amzn2.0.1 |
| vim-data | CVE-2022-3099 | HIGH | 2:8.2.5172-1.amzn2.0.1 | 2:9.0.475-1.amzn2.0.1 |
| vim-data | CVE-2022-2923 | MEDIUM | 2:8.2.5172-1.amzn2.0.1 | 2:9.0.475-1.amzn2.0.1 |
| vim-data | CVE-2022-2980 | MEDIUM | 2:8.2.5172-1.amzn2.0.1 | 2:9.0.475-1.amzn2.0.1 |
| vim-minimal | CVE-2022-2257 | HIGH | 2:8.2.5172-1.amzn2.0.1 | 2:9.0.475-1.amzn2.0.1 |
| vim-minimal | CVE-2022-2264 | HIGH | 2:8.2.5172-1.amzn2.0.1 | 2:9.0.475-1.amzn2.0.1 |
| vim-minimal | CVE-2022-2284 | HIGH | 2:8.2.5172-1.amzn2.0.1 | 2:9.0.475-1.amzn2.0.1 |
| vim-minimal | CVE-2022-2285 | HIGH | 2:8.2.5172-1.amzn2.0.1 | 2:9.0.475-1.amzn2.0.1 |
| vim-minimal | CVE-2022-2286 | HIGH | 2:8.2.5172-1.amzn2.0.1 | 2:9.0.475-1.amzn2.0.1 |
| vim-minimal | CVE-2022-2287 | HIGH | 2:8.2.5172-1.amzn2.0.1 | 2:9.0.475-1.amzn2.0.1 |
| vim-minimal | CVE-2022-2288 | HIGH | 2:8.2.5172-1.amzn2.0.1 | 2:9.0.475-1.amzn2.0.1 |
| vim-minimal | CVE-2022-2289 | HIGH | 2:8.2.5172-1.amzn2.0.1 | 2:9.0.475-1.amzn2.0.1 |
| vim-minimal | CVE-2022-2304 | HIGH | 2:8.2.5172-1.amzn2.0.1 | 2:9.0.475-1.amzn2.0.1 |
| vim-minimal | CVE-2022-2343 | HIGH | 2:8.2.5172-1.amzn2.0.1 | 2:9.0.475-1.amzn2.0.1 |
| vim-minimal | CVE-2022-2344 | HIGH | 2:8.2.5172-1.amzn2.0.1 | 2:9.0.475-1.amzn2.0.1 |
| vim-minimal | CVE-2022-2345 | HIGH | 2:8.2.5172-1.amzn2.0.1 | 2:9.0.475-1.amzn2.0.1 |
| vim-minimal | CVE-2022-2816 | HIGH | 2:8.2.5172-1.amzn2.0.1 | 2:9.0.475-1.amzn2.0.1 |
| vim-minimal | CVE-2022-2817 | HIGH | 2:8.2.5172-1.amzn2.0.1 | 2:9.0.475-1.amzn2.0.1 |
| vim-minimal | CVE-2022-2819 | HIGH | 2:8.2.5172-1.amzn2.0.1 | 2:9.0.475-1.amzn2.0.1 |
| vim-minimal | CVE-2022-2845 | HIGH | 2:8.2.5172-1.amzn2.0.1 | 2:9.0.475-1.amzn2.0.1 |
| vim-minimal | CVE-2022-2849 | HIGH | 2:8.2.5172-1.amzn2.0.1 | 2:9.0.475-1.amzn2.0.1 |
| vim-minimal | CVE-2022-2862 | HIGH | 2:8.2.5172-1.amzn2.0.1 | 2:9.0.475-1.amzn2.0.1 |
| vim-minimal | CVE-2022-2889 | HIGH | 2:8.2.5172-1.amzn2.0.1 | 2:9.0.475-1.amzn2.0.1 |
| vim-minimal | CVE-2022-2946 | HIGH | 2:8.2.5172-1.amzn2.0.1 | 2:9.0.475-1.amzn2.0.1 |
| vim-minimal | CVE-2022-2982 | HIGH | 2:8.2.5172-1.amzn2.0.1 | 2:9.0.475-1.amzn2.0.1 |
| vim-minimal | CVE-2022-3016 | HIGH | 2:8.2.5172-1.amzn2.0.1 | 2:9.0.475-1.amzn2.0.1 |
| vim-minimal | CVE-2022-3037 | HIGH | 2:8.2.5172-1.amzn2.0.1 | 2:9.0.475-1.amzn2.0.1 |
| vim-minimal | CVE-2022-3099 | HIGH | 2:8.2.5172-1.amzn2.0.1 | 2:9.0.475-1.amzn2.0.1 |
| vim-minimal | CVE-2022-2923 | MEDIUM | 2:8.2.5172-1.amzn2.0.1 | 2:9.0.475-1.amzn2.0.1 |
| vim-minimal | CVE-2022-2980 | MEDIUM | 2:8.2.5172-1.amzn2.0.1 | 2:9.0.475-1.amzn2.0.1 |
| zlib | CVE-2022-37434 | CRITICAL | 1.2.7-19.amzn2.0.1 | 1.2.7-19.amzn2.0.2 |

Target type `jar` (Java dependencies):

| Package | Vulnerability ID | Severity | Installed Version | Fixed Version |
|---|---|---|---|---|
| com.fasterxml.jackson.core:jackson-databind | CVE-2022-42003 | HIGH | 2.13.2.2 | 2.12.7.1, 2.13.4.1 |
| com.fasterxml.jackson.core:jackson-databind | CVE-2022-42004 | HIGH | 2.13.2.2 | 2.12.7.1, 2.13.4 |
| com.fasterxml.jackson.core:jackson-databind | CVE-2022-42003 | HIGH | 2.13.3 | 2.12.7.1, 2.13.4.1 |
| com.fasterxml.jackson.core:jackson-databind | CVE-2022-42004 | HIGH | 2.13.3 | 2.12.7.1, 2.13.4 |
| com.fasterxml.woodstox:woodstox-core | CVE-2022-40151 | HIGH | 6.2.6 | 5.4.0, 6.4.0 |
| com.fasterxml.woodstox:woodstox-core | CVE-2022-40152 | HIGH | 6.2.6 | 5.4.0, 6.4.0 |
| com.fasterxml.woodstox:woodstox-core | CVE-2022-40153 | HIGH | 6.2.6 | 5.4.0, 6.4.0 |
| com.fasterxml.woodstox:woodstox-core | CVE-2022-40154 | HIGH | 6.2.6 | 5.4.0, 6.4.0 |
| com.fasterxml.woodstox:woodstox-core | CVE-2022-40155 | HIGH | 6.2.6 | 5.4.0, 6.4.0 |
| com.fasterxml.woodstox:woodstox-core | CVE-2022-40156 | HIGH | 6.2.6 | 5.4.0, 6.4.0 |
| com.google.protobuf:protobuf-java | CVE-2022-3171 | MEDIUM | 3.19.2 | 3.16.3, 3.19.6, 3.20.3, 3.21.7 |
| com.google.protobuf:protobuf-java | GHSA-h4h5-3hr4-j3g2 | UNKNOWN | 3.19.2 | 3.20.3, 3.21.7, 3.16.3, 3.19.6 |
| com.google.protobuf:protobuf-java | CVE-2022-3171 | MEDIUM | 3.19.4 | 3.16.3, 3.19.6, 3.20.3, 3.21.7 |
| com.google.protobuf:protobuf-java | GHSA-h4h5-3hr4-j3g2 | UNKNOWN | 3.19.4 | 3.20.3, 3.21.7, 3.16.3, 3.19.6 |
| io.netty:netty-codec | CVE-2022-24823 | MEDIUM | 4.1.72.Final | 4.1.77.Final |
| io.netty:netty-codec-http | CVE-2022-24823 | MEDIUM | 4.1.72.Final | 4.1.77.Final |
| io.netty:netty-codec-http2 | CVE-2022-24823 | MEDIUM | 4.1.72.Final | 4.1.77.Final |
| io.netty:netty-handler | CVE-2022-24823 | MEDIUM | 4.1.72.Final | 4.1.77.Final |
| org.apache.commons:commons-text | CVE-2022-42889 | CRITICAL | 1.9 | 1.10.0 |
| org.jsoup:jsoup | CVE-2022-36033 | MEDIUM | 1.14.3 | 1.15.3 |
| org.yaml:snakeyaml | CVE-2022-38752 | MEDIUM | 1.31 | 1.32 |

@davidlago

Hi @SpringYang004. TL;DR: yes.

Long answer: we try to follow OpenSSF's best practices and fix all MEDIUM+ vulns within 60 days of publication (see https://opensearch.org/releases.html#maintenance-policy), so we'll update dependencies with vulnerabilities in our upcoming 1.3.7 (currently scheduled for 12/8).
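The maintainer's answer states the policy (fix MEDIUM+ vulnerabilities within 60 days of publication) but the scan table above only shows severity and versions, not how long each finding has been open. The script below is an added example, not code from the OpenSearch project or from anyone in this thread: it reads a Trivy JSON report, applies that 60-day rule, and exits non-zero when a fixable MEDIUM+ finding is past the window, so the check can run in CI. It relies only on Trivy's real JSON layout (`Results[].Type`, `Results[].Vulnerabilities[].VulnerabilityID` / `PkgName` / `InstalledVersion` / `FixedVersion` / `Severity` / `PublishedDate`). `SAMPLE_REPORT` is a constructed report, not a real scan: its four findings are rows from the table above, but the `PublishedDate` values are illustrative. The file name `trivy_sla.py` is hypothetical.

```python
"""Triage a Trivy JSON report against a "fix MEDIUM+ within N days of
publication" policy.

Added example, not OpenSearch project code. Only Trivy's real JSON layout is
assumed; SAMPLE_REPORT is constructed and its dates are illustrative.
Real usage (script name hypothetical):
    trivy image --format json -o report.json opensearchproject/opensearch:1.3.6
    python3 trivy_sla.py report.json
"""
import json
import sys
from datetime import datetime, timezone

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample in Trivy's JSON layout (not a real scan; dates illustrative).
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "opensearchproject/opensearch:1.3.6",
    "Results": [
        {"Target": "opensearchproject/opensearch:1.3.6 (amazon 2)", "Class": "os-pkgs",
         "Type": "amazon", "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2022-37434", "PkgName": "zlib", "Severity": "CRITICAL",
              "InstalledVersion": "1.2.7-19.amzn2.0.1", "FixedVersion": "1.2.7-19.amzn2.0.2",
              "PublishedDate": "2022-08-05T07:15:00Z"},
             {"VulnerabilityID": "CVE-2021-3999", "PkgName": "glibc", "Severity": "MEDIUM",
              "InstalledVersion": "2.26-60.amzn2", "FixedVersion": "2.26-61.amzn2",
              "PublishedDate": "2022-08-24T16:15:00Z"}]},
        {"Target": "Java", "Class": "lang-pkgs", "Type": "jar", "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2022-42889", "PkgName": "org.apache.commons:commons-text",
              "Severity": "CRITICAL", "InstalledVersion": "1.9", "FixedVersion": "1.10.0",
              "PublishedDate": "2022-10-13T16:15:00Z"},
             {"VulnerabilityID": "GHSA-h4h5-3hr4-j3g2", "PkgName": "com.google.protobuf:protobuf-java",
              "Severity": "UNKNOWN", "InstalledVersion": "3.19.2", "FixedVersion": "3.19.6",
              "PublishedDate": "2022-09-22T00:00:00Z"}]},
    ],
})


def parse_rfc3339(ts: str) -> datetime:
    """Parse Trivy's UTC timestamps, with or without fractional seconds."""
    base = ts.split(".")[0].rstrip("Z")
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def triage(report, now_iso: str, sla_days: int = 60, min_severity: str = "MEDIUM") -> list:
    """Return one row per finding with a policy status.

    below_threshold: severity under min_severity. UNKNOWN lands here too, so a
                     GHSA without a score (like the protobuf one) still needs a human look.
    no_fix:          no FixedVersion, i.e. what `trivy --ignore-unfixed` drops.
    needs_review:    in scope but Trivy gave no PublishedDate.
    overdue:         fix available and published more than sla_days ago.
    within_sla:      fix available, still inside the window.
    """
    if isinstance(report, str):
        report = json.loads(report)
    now = parse_rfc3339(now_iso)
    threshold = SEVERITY_RANK[min_severity]
    rows = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            sev = v.get("Severity", "UNKNOWN")
            fixed = v.get("FixedVersion", "")
            published = v.get("PublishedDate")
            age = (now - parse_rfc3339(published)).days if published else None
            if SEVERITY_RANK.get(sev, 0) < threshold:
                status = "below_threshold"
            elif not fixed:
                status = "no_fix"
            elif age is None:
                status = "needs_review"
            elif age > sla_days:
                status = "overdue"
            else:
                status = "within_sla"
            rows.append({"type": result.get("Type"), "id": v.get("VulnerabilityID"),
                         "pkg": v.get("PkgName"), "severity": sev,
                         "installed": v.get("InstalledVersion"), "fixed": fixed,
                         "age_days": age, "status": status})
    return rows


def summarize(rows: list) -> dict:
    """Count findings per status."""
    counts = {}
    for r in rows:
        counts[r["status"]] = counts.get(r["status"], 0) + 1
    return counts


def exit_code(rows: list) -> int:
    """Non-zero when any finding is past the SLA, so CI can fail on it."""
    return 1 if any(r["status"] == "overdue" for r in rows) else 0


def main(argv):
    report = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    now_iso = argv[2] if len(argv) > 2 else datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    rows = triage(report, now_iso)
    # Overdue rows first, then by descending severity.
    for r in sorted(rows, key=lambda r: (r["status"] != "overdue", -SEVERITY_RANK.get(r["severity"], 0))):
        print(f'{r["status"]:15} {r["severity"]:8} {r["id"]:22} {r["pkg"]} '
              f'{r["installed"]} -> {r["fixed"] or "(no fix)"} age={r["age_days"]}d')
    print("summary:", summarize(rows))
    return exit_code(rows)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Two design points worth noting. Findings with no `FixedVersion` are reported but never counted as overdue, which mirrors the common `trivy --ignore-unfixed` practice: a maintainer cannot upgrade to a release that does not exist, but the row should still be visible. And `UNKNOWN` severity is deliberately not treated as below MEDIUM in the sense of "safe"; it is bucketed separately so that advisories without a score (the protobuf GHSA in the table has the same fixed versions as CVE-2022-3171) are reviewed by hand rather than silently dropped.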
