
Test CVE's for QG (Short Notice) #419

Closed
jzbmw opened this issue Feb 14, 2024 · 4 comments
Labels: bug (Something isn't working), spill_over (Issues which are not finished yet)

Comments

@jzbmw jzbmw added this to IRS Feb 14, 2024
@jzbmw jzbmw converted this from a draft issue Feb 14, 2024
@jzbmw jzbmw changed the title Test CVE's for QG Test CVE's for QG (Short Notice) Feb 14, 2024
@jzbmw jzbmw added the bug Something isn't working label Feb 14, 2024
ds-ext-kmassalski (Contributor) commented

The Expat library is not under our control; it is inside the eclipse-temurin image that we are using in the Dockerfile.

It is possible to manually update expat in the container with the command below:

```dockerfile
RUN apk add --upgrade --no-cache expat
```

However, this is not acceptable to the System team, whose decision is to put OSS over security:
https://eclipse-tractusx.github.io/docs/release/trg-4/trg-4-02/#use-base-image-as-is

Taking the above into account, we can only wait until there is a new eclipse-temurin image with an upgraded version of the expat library (probably soon, as JDK is already patched, waiting for JRE).

CSRF security finding was fixed.
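A defender-side check that follows from the comment above: since the base image is used as is, the only thing to watch is whether the image's expat package has reached a fixed version yet. The script below is an added example, not code from this issue or from the IRS project. It assumes an Alpine-based image where `apk info -v expat` prints `expat-<version>`; the `FIXED_VERSION` value is a placeholder (take the real one from the advisory), and the offline sample output is constructed.

```shell
#!/bin/sh
# Added example, not part of the issue or the project.
# Checks whether the expat package inside an Alpine-based base image is at or
# above a fixed version. Versions follow the apk scheme "a.b.c-rN".
# Non-numeric version parts (e.g. "_p1" suffixes) are not handled.

# version_ge A B: returns 0 if apk version A >= B, 1 otherwise.
version_ge() {
    # Normalize "2.6.0-r1" -> "2 6 0 1" and compare field by field, numerically.
    a=$(printf '%s' "$1" | sed 's/-r/./' | tr '.' ' ')
    b=$(printf '%s' "$2" | sed 's/-r/./' | tr '.' ' ')
    set -- $a
    for fb in $b; do
        fa=${1:-0}                     # missing field in A counts as 0
        if [ $# -gt 0 ]; then shift; fi
        if [ "$fa" -gt "$fb" ]; then return 0; fi
        if [ "$fa" -lt "$fb" ]; then return 1; fi
    done
    return 0                           # all compared fields equal (or A has extra fields)
}

# check_expat APK_INFO_OUTPUT FIXED_VERSION
# Parses the "expat-<version>" line from `apk info -v` output (assumed format)
# and reports whether the installed version reaches FIXED_VERSION.
# Exit status: 0 patched, 1 still below the fixed version, 2 expat not present.
check_expat() {
    found=$(printf '%s\n' "$1" | sed -n 's/^expat-\([0-9].*\)$/\1/p' | head -n 1)
    if [ -z "$found" ]; then
        echo "expat not installed"
        return 2
    fi
    if version_ge "$found" "$2"; then
        echo "expat $found >= $2: patched"
        return 0
    else
        echo "expat $found < $2: base image still vulnerable"
        return 1
    fi
}

# Placeholder: the fixed version must come from the advisory, it is not in the issue.
FIXED_VERSION="${FIXED_VERSION:-2.6.0-r0}"

if [ -n "${IMAGE:-}" ]; then
    # Live check against a real image, e.g. IMAGE=eclipse-temurin:<alpine tag> sh check.sh
    APK_OUT=$(docker run --rm "$IMAGE" apk info -v expat)
else
    # Constructed sample output, so the script runs offline.
    APK_OUT="musl-1.2.4-r2
expat-2.5.0-r1"
fi

check_expat "$APK_OUT" "$FIXED_VERSION"
status=$?
echo "check exit status: $status"
```

Run it periodically (or in CI) against the exact base tag pinned in the Dockerfile; once it reports "patched", the normal image rebuild picks up the fix without violating the base-image-as-is rule.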

@ds-ext-kmassalski ds-ext-kmassalski self-assigned this Feb 15, 2024
mkanal (Contributor) commented Feb 15, 2024

@ds-ext-kmassalski Please inform the DevSecOps Team that this is located in the eclipse-temurin image, and we do not have any troubles regarding this in QG. Thanks. In addition, please take this to the DevSecOps hour tomorrow.

fyi
@jzbmw @ds-jhartmann @ds-ext-sceronik @almadigabor @pablosec @SebastianBezold @scherersebastian

@ds-ext-kmassalski ds-ext-kmassalski moved this from next to wip in IRS Feb 15, 2024
SebastianBezold (Contributor) commented

Hi @ds-ext-kmassalski and @mkanal,

We can definitely talk about it in the office hour again. Just to leave it here as well: @ds-ext-kmassalski is right with what he got from our TRG 4.02. We do indeed use base images as is, without any change.
The base images we aligned on are official ones on DockerHub.
DockerHub is doing container scans for them and is publishing the results in docker-library/repo-info. For our annotations in the "Notice for Docker images", we rely on that info being present. Altering the base image would render these scan results obsolete, and our info in the notice wouldn't be correct anymore.

Up until now, there is no process for updating previously released images in case a vulnerability is fixed in the base image. So if you have any suggestion on such a process, i.e. overwriting image tags, feel free to suggest it in the office hours or on the mailing list.

@mkanal mkanal added the spill_over Issues which are not finished yet label Feb 19, 2024
@mkanal mkanal closed this as completed Feb 20, 2024
mkanal (Contributor) commented Feb 20, 2024

Findings were fixed and migration documented; aligned with the DevSecOps Team.

@ds-jhartmann ds-jhartmann moved this from wip to done in IRS Feb 20, 2024