Docker Distribution dependency with High CVE #6569
Comments
@varshaprasad96 Any news? This was tagged as v1.31.1 and while v1.32.0 was released already it seems this fix didn't get included.
@fernandoalexandre Based on
Looks like the recent version of operator-registry is using v2.8.2: https://github.com/operator-framework/operator-registry/blob/b1374806c6d9028eb4cfe4343eb1a25002690237/go.mod#L10 While bumping operator registry, this dependency can be bumped and tagged to the same version. @everettraven can you take care of this in your k8s bump PR, as that is where operator-registry is going to be bumped. In terms of timeline, we are hoping to get in the k8s 1.27 by next release, which would be 1.33.0.
Unfortunately the version is pinned here
Issues go stale after 90d of inactivity. Mark the issue as fresh by commenting If this issue is safe to close now please do so with /lifecycle stale
Stale issues rot after 30d of inactivity. Mark the issue as fresh by commenting If this issue is safe to close now please do so with /lifecycle rotten
Rotten issues close after 30d of inactivity. Reopen the issue by commenting /close
@openshift-bot: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
Bug Report

What did you do?
SNYK is currently triggering a High vulnerability alert related to docker distribution dependency when scanning operator images.

What did you expect to see?
No alerts in SNYK.

What did you see instead? Under which circumstances?
We are currently experiencing a High (CVE-2017-11468) vulnerability alert in SNYK scans for our Operator Images related to docker distribution version having a DDoS vulnerability. After some digging, we found the following code in go.mod:
Environment
Operator type:
/language helm
Kubernetes cluster type:
EKS
$ operator-sdk version
operator-sdk version: "v1.30.0", commit: "b794fe909abc1affa1f28cfb75ceaf3bf79187e6", kubernetes version: "v1.26.0", go version: "go1.20.5", GOOS: "darwin", GOARCH: "amd64"
$ go version (if language is Go)
go version go1.20.5 darwin/amd64
$ kubectl version
Client Version: version.Info{Major:"1", Minor:"26", GitVersion:"v1.26.0", GitCommit:"b46a3f887ca979b1a5d14fd39cb1af43e7e5d12d", GitTreeState:"clean", BuildDate:"2022-12-08T19:58:30Z", GoVersion:"go1.19.4", Compiler:"gc", Platform:"darwin/amd64"}
Kustomize Version: v4.5.7
Server Version: version.Info{Major:"1", Minor:"25+", GitVersion:"v1.25.12-eks-2d98532", GitCommit:"0aa16cf4fac4da27b9e9e9ba570b990867f6a3d8", GitTreeState:"clean", BuildDate:"2023-07-28T16:52:04Z", GoVersion:"go1.20.6", Compiler:"gc", Platform:"linux/amd64"}
Possible Solution
Update this dependency version (although not sure there are hidden issues with this update).
Additional context
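As an added example (not code from this issue or from the operator-sdk project): a small POSIX shell check that reads a go.mod, reports the version github.com/docker/distribution is pinned at, and compares it with the v2.8.2 the operator-registry comment cites, printing the matching go get bump when it is below. The go.mod text is constructed for the demo, and the +incompatible tag on the target is an assumption about how that module is versioned.

```shell
#!/bin/sh
# Constructed go.mod for the demo; not copied from operator-sdk.
SAMPLE_GOMOD='module example.com/constructed-operator

go 1.20

require (
	github.com/docker/distribution v2.7.1+incompatible
	github.com/operator-framework/operator-registry v1.26.3
)'

# pinned_version MODULE < go.mod -> prints the version from a require line,
# matching both "require mod vX" and the parenthesised block form.
pinned_version() {
	awk -v mod="$1" '
		$1 == "require" && $2 == mod { print $3; exit }
		$1 == mod                    { print $2; exit }'
}

# semver_lt A B -> exit 0 if A < B. Drops a leading "v", a "+incompatible"
# build suffix and any "-rc" style pre-release tag, then compares the
# three numeric components in order; equal versions are not "less than".
semver_lt() {
	printf '%s\n%s\n' "$1" "$2" | awk -F'[.+-]' '
		{ sub(/^v/, "", $1); v[NR,1] = $1 + 0; v[NR,2] = $2 + 0; v[NR,3] = $3 + 0 }
		END {
			for (i = 1; i <= 3; i++) {
				if (v[1,i] < v[2,i]) exit 0
				if (v[1,i] > v[2,i]) exit 1
			}
			exit 1
		}'
}

# check_pin MODULE TARGET < go.mod -> one-line verdict; exit 1 when the pin
# is below TARGET (lets a CI step fail), 2 when the module is not required.
check_pin() {
	cur=$(pinned_version "$1")
	if [ -z "$cur" ]; then
		echo "$1: not required directly"; return 2
	fi
	if semver_lt "$cur" "$2"; then
		echo "$1 pinned at $cur, below $2: bump with 'go get $1@$2'"; return 1
	fi
	echo "$1 pinned at $cur, meets $2"; return 0
}

# Demo run; "|| true" only keeps the script's own exit status clean here.
printf '%s\n' "$SAMPLE_GOMOD" | check_pin github.com/docker/distribution v2.8.2+incompatible || true
```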