What happened?
In order to use external images within our organisation, each image is scanned for vulnerabilities. The current image release v0.3.0 is reporting vulnerabilities and therefore we are not permitted to use this.
What you expected to happen?
Image is available which does not report vulnerabilities
How to reproduce it (as minimally and precisely as possible)?
1. Docker pull the "amazon/aws-efs-csi-driver:v0.3.0" image to local and push it to an ECR repository for scanning the docker image
2. On scanning the docker image "amazon/aws-efs-csi-driver:v0.3.0" in ECR, the "ALAS2-2020-1432" vulnerability was detected.
3. On further checking the EFS GitHub repo, I could see that it is using "amazonlinux:2.0.20200406.0" as the base docker image [1]
4. On checking the vulnerability of the above base image, I could see that this image had the same vulnerability.
Anything else we need to know?:
On checking the amazonlinux Docker Hub repo, I could see that a new image was published 7 days ago with the tag [2.0.20200602.0, latest]. On scanning this base image, the vulnerability "ALAS-2020-1432" was not detected in ECR scanning.
/kind bug
image "amazon/aws-efs-csi-driver:v0.3.0
Would it be possible to have a new image published using the latest amazonlinux base image?
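The comparison described in the reproduction steps can be automated. The following is an added example, not part of the original issue or the project's code: it classifies findings on a derived image against its current and candidate base images, assuming each input is the JSON returned by `aws ecr describe-image-scan-findings`. The sample responses are constructed, and `EXAMPLE-OWN-0001` is a placeholder finding name.

```python
"""Attribute ECR scan findings on a derived image to its base image."""


def finding_names(scan_response):
    """Return the set of finding names in a DescribeImageScanFindings response."""
    findings = scan_response.get("imageScanFindings", {}).get("findings", [])
    return {f["name"] for f in findings if "name" in f}


def attribute_findings(derived, current_base, candidate_base):
    """Classify findings on the derived image.

    inherited_fixed:  in the current base, gone from the candidate base
                      (a rebuild on the candidate base should clear it)
    inherited_open:   in both bases (a rebase alone will not help)
    own:              not in the current base (added by the image's own layers)
    new_in_candidate: in the candidate base only (a rebase would introduce it)
    """
    d = finding_names(derived)
    cur = finding_names(current_base)
    cand = finding_names(candidate_base)
    return {
        "inherited_fixed": sorted(d & (cur - cand)),
        "inherited_open": sorted(d & cur & cand),
        "own": sorted(d - cur),
        "new_in_candidate": sorted(cand - cur),
    }


# Constructed sample responses, trimmed to the fields the code reads.
DRIVER_V030 = {"imageScanFindings": {"findings": [
    {"name": "ALAS2-2020-1432"},
    {"name": "EXAMPLE-OWN-0001"},  # placeholder, not a real advisory
]}}
BASE_20200406 = {"imageScanFindings": {"findings": [
    {"name": "ALAS2-2020-1432"},
]}}
BASE_20200602 = {"imageScanFindings": {"findings": []}}

if __name__ == "__main__":
    report = attribute_findings(DRIVER_V030, BASE_20200406, BASE_20200602)
    for bucket, names in report.items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

Findings that land in `inherited_open` or `own` need a fix other than a base image bump, so a rebuild request is only sufficient when those buckets are empty.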