
Docker Distribution dependency with High CVE #6569

Closed
fernandoalexandre opened this issue Sep 13, 2023 · 7 comments
Labels
language/helm Issue is related to a Helm operator project lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed.
Milestone

Comments

@fernandoalexandre

Bug Report

What did you do?

SNYK is currently triggering a High vulnerability alert related to docker distribution dependency when scanning operator images.

What did you expect to see?

No alerts in SNYK.

What did you see instead? Under which circumstances?

We are currently experiencing a High (CVE-2017-11468) vulnerability alert in SNYK scans for our Operator Images related to docker distribution version having a DDoS vulnerability.

After some digging, we found the following code in go.mod:

// latest tag resolves to a very old version. this is only used for spinning up local test registries
github.com/docker/distribution => github.com/docker/distribution v0.0.0-20191216044856-a8371794149d

Environment

Operator type:

/language helm

Kubernetes cluster type:

EKS

$ operator-sdk version

operator-sdk version: "v1.30.0", commit: "b794fe909abc1affa1f28cfb75ceaf3bf79187e6", kubernetes version: "v1.26.0", go version: "go1.20.5", GOOS: "darwin", GOARCH: "amd64"

$ go version (if language is Go)

go version go1.20.5 darwin/amd64

$ kubectl version

Client Version: version.Info{Major:"1", Minor:"26", GitVersion:"v1.26.0", GitCommit:"b46a3f887ca979b1a5d14fd39cb1af43e7e5d12d", GitTreeState:"clean", BuildDate:"2022-12-08T19:58:30Z", GoVersion:"go1.19.4", Compiler:"gc", Platform:"darwin/amd64"}
Kustomize Version: v4.5.7
Server Version: version.Info{Major:"1", Minor:"25+", GitVersion:"v1.25.12-eks-2d98532", GitCommit:"0aa16cf4fac4da27b9e9e9ba570b990867f6a3d8", GitTreeState:"clean", BuildDate:"2023-07-28T16:52:04Z", GoVersion:"go1.20.6", Compiler:"gc", Platform:"linux/amd64"}

Possible Solution

Update this dependency version (although not sure there are hidden issues with this update).

Additional context

@openshift-ci openshift-ci bot added the language/helm Issue is related to a Helm operator project label Sep 13, 2023
@varshaprasad96 varshaprasad96 added this to the v1.31.1 milestone Sep 18, 2023
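The replace line quoted in the report pins docker/distribution to a Go pseudo-version, i.e. an untagged commit whose timestamp (20191216044856) is encoded in the version string itself. Pins of that shape are exactly what an SCA scanner such as SNYK matches against the nearest known release, and they fall behind security fixes silently because `go get -u` never touches a replace target. The following Go program is an added example, not code from the operator-sdk project: it parses go.mod text for replace directives whose target is a pseudo-version, decodes the commit date each one carries, and flags pins older than a chosen age so a reviewer can spot them before a scanner does. The embedded go.mod excerpt is constructed for this example; its docker/distribution line mirrors the one quoted above, while the example.com modules are hypothetical.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
	"time"
)

// sampleGoMod is a constructed go.mod excerpt for this example. The
// docker/distribution replace line mirrors the one quoted in the issue; the
// example.com modules are hypothetical.
const sampleGoMod = `module example.com/my-operator

go 1.20

require (
	github.com/docker/distribution v2.8.2+incompatible
	example.com/lib v1.4.0
)

replace (
	// latest tag resolves to a very old version. this is only used for spinning up local test registries
	github.com/docker/distribution => github.com/docker/distribution v0.0.0-20191216044856-a8371794149d
	example.com/lib => ../lib
)

replace example.com/other v1.0.0 => example.com/other v1.0.1
`

// Pin is a replace directive whose target is a Go pseudo-version (an untagged
// commit). Such pins are reported by SCA tools against the nearest tag and
// never advance on their own.
type Pin struct {
	Module   string
	Version  string
	CommitAt time.Time // commit timestamp encoded in the pseudo-version (UTC)
	Hash     string    // 12-hex-digit commit prefix from the pseudo-version
}

// pseudoRe matches the three pseudo-version shapes the Go toolchain emits:
// vX.0.0-TIME-HASH, vX.Y.Z-0.TIME-HASH and vX.Y.Z-pre.0.TIME-HASH.
var pseudoRe = regexp.MustCompile(`^v\d+\.\d+\.\d+(?:-.*?)?(\d{14})-([0-9a-f]{12})$`)

// ParsePseudoVersion extracts the commit time and hash from a pseudo-version.
// ok is false for tagged versions such as v2.8.2+incompatible.
func ParsePseudoVersion(v string) (commitAt time.Time, hash string, ok bool) {
	m := pseudoRe.FindStringSubmatch(v)
	if m == nil {
		return time.Time{}, "", false
	}
	t, err := time.Parse("20060102150405", m[1])
	if err != nil {
		return time.Time{}, "", false
	}
	return t.UTC(), m[2], true
}

// FindPseudoReplaces scans go.mod text (single-line and block replace
// directives) and returns every replace whose target is a pseudo-version.
// Filesystem replaces (=> ../lib) and tagged targets are skipped.
func FindPseudoReplaces(gomod string) []Pin {
	var pins []Pin
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := sc.Text()
		if i := strings.Index(line, "//"); i >= 0 { // drop trailing comments
			line = line[:i]
		}
		line = strings.TrimSpace(line)
		switch {
		case line == "":
			continue
		case line == "replace (":
			inBlock = true
			continue
		case inBlock && line == ")":
			inBlock = false
			continue
		case strings.HasPrefix(line, "replace "):
			line = strings.TrimPrefix(line, "replace ")
		case !inBlock:
			continue // require/module/go lines outside a replace block
		}
		lhs, rhs, found := strings.Cut(line, "=>")
		if !found {
			continue
		}
		target := strings.Fields(rhs)
		if len(target) != 2 { // "module version" only; a single field is a local path
			continue
		}
		if at, hash, ok := ParsePseudoVersion(target[1]); ok {
			pins = append(pins, Pin{
				Module:   strings.Fields(lhs)[0],
				Version:  target[1],
				CommitAt: at,
				Hash:     hash,
			})
		}
	}
	return pins
}

// IsStale reports whether the pinned commit is older than maxAge as of now.
func IsStale(p Pin, now time.Time, maxAge time.Duration) bool {
	return now.Sub(p.CommitAt) > maxAge
}

func main() {
	now := time.Now()
	for _, p := range FindPseudoReplaces(sampleGoMod) {
		flag := ""
		if IsStale(p, now, 365*24*time.Hour) {
			flag = "  <-- older than one year, compare against upstream tags"
		}
		fmt.Printf("%s pinned to %s (commit %s, %s)%s\n",
			p.Module, p.Version, p.Hash, p.CommitAt.Format("2006-01-02"), flag)
	}
}
```

Running it against a real go.mod (read the file instead of `sampleGoMod`) gives a list of pins with the date each one froze at; pairing that date with the changelog of the pinned module is what a triage of a scanner finding like this one comes down to. The age check is deliberately separate from parsing so the threshold can be tuned per repository.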
@fernandoalexandre
Author

@varshaprasad96 Any news? This was tagged as v1.31.1 and while v1.32.0 was released already it seems this fix didn't get included.

@varshaprasad96
Member

@fernandoalexandre Based on go.mod it looks like this package comes in because of operator-registry. See:

➜  operator-sdk git:(bump/k8s-1.27) go mod why github.com/docker/distribution
# github.com/docker/distribution
github.com/operator-framework/operator-sdk/internal/cmd/operator-sdk/bundle/validate
github.com/operator-framework/operator-registry/pkg/image
github.com/operator-framework/operator-registry/pkg/image.test
github.com/docker/distribution

Looks like the recent version of operator-registry is using v2.8.2: https://github.com/operator-framework/operator-registry/blob/b1374806c6d9028eb4cfe4343eb1a25002690237/go.mod#L10

While bumping operator registry, this dependency can be bumped and tagged to the same version. @everettraven can you take care of this in your k8s bump PR, as that is where operator-registry is going to be bumped. In terms of timeline, we are hoping to get in the k8s 1.27 by next release, which would be 1.33.0.

@fgiloux
Contributor

fgiloux commented Jan 2, 2024

Unfortunately the version is pinned here.
The containerd version, which is also pinned, could also be looked at as part of this issue. It has a few CVEs, among them CVE-2022-23648, which is rated high.

@openshift-bot

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

@openshift-ci openshift-ci bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Apr 2, 2024
@openshift-bot

Stale issues rot after 30d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle rotten
/remove-lifecycle stale

@openshift-ci openshift-ci bot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels May 2, 2024
@openshift-bot

Rotten issues close after 30d of inactivity.

Reopen the issue by commenting /reopen.
Mark the issue as fresh by commenting /remove-lifecycle rotten.
Exclude this issue from closing again by commenting /lifecycle frozen.

/close


openshift-ci bot commented Jun 2, 2024

@openshift-bot: Closing this issue.
@openshift-ci openshift-ci bot closed this as completed Jun 2, 2024