
v2.2.0-eks-1-18-5 has 1 High + 15 other vulnerabilities #116

Closed
gonzalobarbitta opened this issue Jun 28, 2021 · 4 comments

Comments

@gonzalobarbitta

Good afternoon,

I pulled and pushed v2.2.0-eks-1-18-5 into an ECR repository in my personal account, and I noticed it has 1 High + 15 other vulnerabilities. I see this also happens for v2.2.0-eks-1-20-1.

Some of these vulnerabilities are:

  • ALAS2-2021-1655 (High)
  • ALAS2-2021-1653 (Medium)
  • ALAS2-2021-1656 (Medium)

Would it be possible to release a new image anytime soon that addresses these vulnerabilities? Would you like me to take a look at this myself and submit a PR?

Thanks!

@msau42
Collaborator

msau42 commented Jun 29, 2021

Here is the base image we use: https://github.com/kubernetes-csi/livenessprobe/blob/master/Dockerfile#L15

Can you try pulling the 2.3.0 tag from k8s.gcr.io/sig-storage/livenessprobe to see if it still shows up in your scan? You can also try our canary image at gcr.io/k8s-staging-sig-storage/livenessprobe:canary. If those are still showing issues, then we need to ask https://github.com/GoogleContainerTools/distroless to update to get the fix.

@gonzalobarbitta
Author

Thanks @msau42 for the prompt response.

I can confirm k8s.gcr.io/sig-storage/livenessprobe:v2.3.0 does not present any vulnerability (nor does v2.2.0).
I now realize I may have reported this in the wrong place. I see these vulnerabilities in Amazon's distribution for EKS: https://gallery.ecr.aws/eks-distro/kubernetes-csi/livenessprobe

I assumed this was somehow using v2.2.0 as the base image and the vulnerability may be coming from there, but I guess I was wrong. Sorry for the confusion. Please feel free to close this.
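The triage step suggested earlier in the thread, scanning the upstream tag and comparing its findings with the EKS-distro tag to tell inherited base-image advisories from ones introduced downstream, as an added example that is not part of the thread or of the livenessprobe project. It assumes scan output in the shape of `aws ecr describe-image-scan-findings` JSON (only `imageScanFindings.findings[].name` and `.severity` are used); the findings below are constructed, with the three ALAS advisories named in the issue plus labelled placeholders.

```python
"""Compare container image scan findings across two image tags."""
from collections import Counter

# Constructed scan result for the EKS-distro tag: the three advisories named
# in the issue plus thirteen placeholder findings to reach "1 High + 15 others".
EKS_SCAN = {"imageScanFindings": {"findings": [
    {"name": "ALAS2-2021-1655", "severity": "HIGH"},
    {"name": "ALAS2-2021-1653", "severity": "MEDIUM"},
    {"name": "ALAS2-2021-1656", "severity": "MEDIUM"},
] + [{"name": f"PLACEHOLDER-ADVISORY-{i}", "severity": "LOW"} for i in range(13)]}}

# Constructed scan result for the upstream k8s.gcr.io tag: no findings,
# matching what the reporter confirmed for v2.3.0.
UPSTREAM_SCAN = {"imageScanFindings": {"findings": []}}


def finding_names(scan):
    """Set of advisory/CVE identifiers reported for one image."""
    return {f["name"] for f in scan["imageScanFindings"]["findings"]}


def severity_counts(scan):
    """Counter of findings per severity, e.g. {'HIGH': 1, 'MEDIUM': 2, 'LOW': 13}."""
    return Counter(f["severity"].upper() for f in scan["imageScanFindings"]["findings"])


def summarize(scan):
    """Render the counts the way the issue title does: '1 High + 15 others'."""
    counts = severity_counts(scan)
    high = counts.get("HIGH", 0)
    others = sum(counts.values()) - high
    return f"{high} High + {others} others"


def localize(downstream, upstream):
    """Split downstream findings into those also present in the upstream image
    (inherited from the shared base) and those unique to the downstream build
    (introduced by its own packaging, so a rebuild of the base will not fix them)."""
    down, up = finding_names(downstream), finding_names(upstream)
    return {"inherited": sorted(down & up), "downstream_only": sorted(down - up)}


if __name__ == "__main__":
    print("EKS image:", summarize(EKS_SCAN))
    result = localize(EKS_SCAN, UPSTREAM_SCAN)
    print("inherited from upstream:", result["inherited"])
    print("unique to the EKS build:", result["downstream_only"])
```

With an upstream scan that is clean, every finding lands in `downstream_only`, which is exactly the signal that sent this report to the EKS-distro repository rather than here.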

@msau42
Collaborator

msau42 commented Jun 29, 2021

Thanks for confirming!

/close

@k8s-ci-robot
Contributor

@msau42: Closing this issue.

In response to this:

Thanks for confirming!

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

verult pushed a commit to verult/livenessprobe that referenced this issue Aug 18, 2021
1d60e77 Merge pull request kubernetes-csi#131 from pohly/kubernetes-1.20-tag
9f10459 prow.sh: support building Kubernetes for a specific version
fe1f284 Merge pull request kubernetes-csi#121 from kvaps/namespace-check
8fdf0f7 Merge pull request kubernetes-csi#128 from fengzixu/master
1c94220 fix: fix a bug of csi-sanity
a4c41e6 Merge pull request kubernetes-csi#127 from pohly/fix-boilerplate
ece0f50 check namespace for snapshot-controller
dbd8967 verify-boilerplate.sh: fix path to script
9289fd1 Merge pull request kubernetes-csi#125 from sachinkumarsingh092/optional-spelling-boilerplate-checks
ad29307 Make the spelling and boilerplate checks optional
5f06d02 Merge pull request kubernetes-csi#124 from sachinkumarsingh092/fix-spellcheck-boilerplate-tests
48186eb Fix spelling and boilerplate errors
71690af Merge pull request kubernetes-csi#122 from sachinkumarsingh092/include-spellcheck-boilerplate-tests
981be3f Adding spelling and boilerplate checks.
2bb7525 Merge pull request kubernetes-csi#117 from fengzixu/master
3b6d17b Merge pull request kubernetes-csi#118 from pohly/cloud-build-timeout
9318c6c cloud build: double the timeout, now 1 hour
4ab8b15 use the tag to replace commit of csi-test
5d74e45 change the csi-test import path to v4
7dcd0a9 upgrade csi-test to v4.0.2
86ff580 Merge pull request kubernetes-csi#116 from andyzhangx/export-image-name
c3a9662 allow export image name and registry name

git-subtree-dir: release-tools
git-subtree-split: 1d60e7792624a9938c0bd1b045211fbb89e513d6