Add vulnerability scanning to cloudbuild_kustomize_image #4264

21 changes: 20 additions & 1 deletion releasing/cloudbuild_kustomize_image.yaml
Expand Up @@ -9,7 +9,8 @@ steps:
- "PROJECT_ID=$PROJECT_ID"
- "_GIT_TAG=$_GIT_TAG"
- "_PULL_BASE_REF=$_PULL_BASE_REF"
# We need to use bash to configure the build date and version properly.
- "_SEVERITY=$_SEVERITY"
Contributor

Do we only want to add this vulnerability check for building kustomize docker image and not in https://github.com/kubernetes-sigs/kustomize/blob/master/releasing/cloudbuild.yaml for the binaries?

Contributor Author

Right. This vulnerability check is using gcloud to scan the kustomize image, while releasing/cloudbuild.yaml builds the kustomize binary. I don't think cloudbuild officially provides solutions to scan Go source code (and implementing our own seems overkill). I'd prefer just scanning the image based on what the current cloudbuild has.

Contributor

If we're scanning the image, not the binary, is this going to tell us anything about Kustomize itself? Or is it just going to tell us we need to bump the version of alpine we're adding the binary to? I'm surprised to hear that given that the explanation of this feature in #4238 was to enhance Kustomize security. We don't have data on this, but I expect a minority of our users are running the image.

Contributor Author

"enhance Kustomize security" -> base image and the kustomize code are treated as a whole, right?

Contributor Author
@yuwenma yuwenma Nov 4, 2021

I'm originally thinking of both (binary and image).

For the kustomize binary, if we don't provide an LTS kustomize version, I'm not bothered to set up a vulnerability check. If we are interested in the current vulnerability status of kustomize, here's what I found:

https://github.com/securego/gosec. But I think it has two potential issues.

  1. It uses the Apache 2.0 license. So I doubt whether we really want to add it to the kustomize source code (so that we can have a "gosec ./..." check added to the kustomize presubmit make rules like verify-kustomize), or merely install gosec separately and only run it in local development.
  2. I also did a gosec check against kustomize HEAD. Here's what I get so far. No high severity issues. But if we do want to enable gosec, we'd need to either fix some of these issues or exclude some checks via the flag --exclude=.
[/Users/yuwenma/go/src/github.com/kubernetes-sigs/kustomize/api/internal/plugins/compiler/compiler.go:80] - G204 (CWE-78): Subprocess launched with variable (Confidence: HIGH, Severity: MEDIUM)
    79: 	}
  > 80: 	cmd := exec.Command(goBin, commands...)
    81: 	b.stderr.Reset()



[/Users/yuwenma/go/src/github.com/kubernetes-sigs/kustomize/plugin/builtin/helmchartinflationgenerator/HelmChartInflationGenerator.go:145] - G204 (CWE-78): Subprocess launched with a potential tainted input or cmd arguments (Confidence: HIGH, Severity: MEDIUM)
    144: 	stderr := new(bytes.Buffer)
  > 145: 	cmd := exec.Command(p.h.GeneralConfig().HelmConfig.Command, args...)
    146: 	cmd.Stdout = stdout



[/Users/yuwenma/go/src/github.com/kubernetes-sigs/kustomize/kyaml/fn/runtime/exec/exec.go:31] - G204 (CWE-78): Subprocess launched with a potential tainted input or cmd arguments (Confidence: HIGH, Severity: MEDIUM)
    30: func (c *Filter) Run(reader io.Reader, writer io.Writer) error {
  > 31: 	cmd := exec.Command(c.Path, c.Args...)
    32: 	cmd.Stdin = reader



[/Users/yuwenma/go/src/github.com/kubernetes-sigs/kustomize/cmd/gorepomod/internal/edit/editor.go:27-29] - G204 (CWE-78): Subprocess launched with a potential tainted input or cmd arguments (Confidence: HIGH, Severity: MEDIUM)
    26: func (e *Editor) run(args ...string) error {
  > 27: 	c := exec.Command(
  > 28: 		"go",
  > 29: 		append([]string{"mod"}, args...)...)
    30: 	c.Dir = string(e.module.ShortName())



[/Users/yuwenma/go/src/github.com/kubernetes-sigs/kustomize/cmd/config/internal/commands/cmdxargs.go:102] - G204 (CWE-78): Subprocess launched with a potential tainted input or cmd arguments (Confidence: HIGH, Severity: MEDIUM)
    101: 	r.Args = r.Args[cmdIndex:]
  > 102: 	run := exec.Command(r.Args[0])
    103: 



[/Users/yuwenma/go/src/github.com/kubernetes-sigs/kustomize/api/internal/plugins/execplugin/execplugin.go:169-170] - G204 (CWE-78): Subprocess launched with a potential tainted input or cmd arguments (Confidence: HIGH, Severity: MEDIUM)
    168: 	//nolint:gosec
  > 169: 	cmd := exec.Command(
  > 170: 		p.path, append([]string{f.Name()}, p.args...)...)
    171: 	cmd.Env = p.getEnv()



[/Users/yuwenma/go/src/github.com/kubernetes-sigs/kustomize/api/builtins/HelmChartInflationGenerator.go:140] - G204 (CWE-78): Subprocess launched with a potential tainted input or cmd arguments (Confidence: HIGH, Severity: MEDIUM)
    139: 	stderr := new(bytes.Buffer)
  > 140: 	cmd := exec.Command(p.h.GeneralConfig().HelmConfig.Command, args...)
    141: 	cmd.Stdout = stdout



[/Users/yuwenma/go/src/github.com/kubernetes-sigs/kustomize/kyaml/yaml/rnode.go:55] - G304 (CWE-22): Potential file inclusion via variable (Confidence: HIGH, Severity: MEDIUM)
    54: func ReadFile(path string) (*RNode, error) {
  > 55: 	b, err := ioutil.ReadFile(path)
    56: 	if err != nil {



[/Users/yuwenma/go/src/github.com/kubernetes-sigs/kustomize/kyaml/openapi/openapi.go:125] - G304 (CWE-22): Potential file inclusion via variable (Confidence: HIGH, Severity: MEDIUM)
    124: func parseOpenAPI(openAPIPath string) (*yaml.RNode, error) {
  > 125: 	b, err := ioutil.ReadFile(openAPIPath)
    126: 	if err != nil {



[/Users/yuwenma/go/src/github.com/kubernetes-sigs/kustomize/kyaml/kio/pkgio_writer.go:91] - G304 (CWE-22): Potential file inclusion via variable (Confidence: HIGH, Severity: MEDIUM)
    90: 
  > 91: 		f, err := os.OpenFile(outputPath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, os.FileMode(0600))
    92: 		if err != nil {



[/Users/yuwenma/go/src/github.com/kubernetes-sigs/kustomize/kyaml/kio/pkgio_reader.go:266] - G304 (CWE-22): Potential file inclusion via variable (Confidence: HIGH, Severity: MEDIUM)
    265: func (r *LocalPackageReader) readFile(path string, _ os.FileInfo) ([]*yaml.RNode, error) {
  > 266: 	f, err := os.Open(path)
    267: 	if err != nil {



[/Users/yuwenma/go/src/github.com/kubernetes-sigs/kustomize/kyaml/fn/framework/command/command.go:141] - G304 (CWE-22): Potential file inclusion via variable (Confidence: HIGH, Severity: MEDIUM)
    140: func functionConfigFromFile(file string) (*yaml.RNode, error) {
  > 141: 	b, err := ioutil.ReadFile(file)
    142: 	if err != nil {



[/Users/yuwenma/go/src/github.com/kubernetes-sigs/kustomize/kyaml/filesys/fsondisk.go:117] - G304 (CWE-22): Potential file inclusion via variable (Confidence: HIGH, Severity: MEDIUM)
    116: // ReadFile delegates to ioutil.ReadFile.
  > 117: func (fsOnDisk) ReadFile(name string) ([]byte, error) { return ioutil.ReadFile(name) }
    118: 



[/Users/yuwenma/go/src/github.com/kubernetes-sigs/kustomize/kyaml/filesys/fsondisk.go:43] - G304 (CWE-22): Potential file inclusion via variable (Confidence: HIGH, Severity: MEDIUM)
    42: // Open delegates to os.Open.
  > 43: func (fsOnDisk) Open(name string) (File, error) { return os.Open(name) }
    44: 



[/Users/yuwenma/go/src/github.com/kubernetes-sigs/kustomize/kyaml/copyutil/copyutil.go:165] - G304 (CWE-22): Potential file inclusion via variable (Confidence: HIGH, Severity: MEDIUM)
    164: 
  > 165: 	input, err := ioutil.ReadFile(src)
    166: 	if err != nil {



[/Users/yuwenma/go/src/github.com/kubernetes-sigs/kustomize/kyaml/copyutil/copyutil.go:119] - G304 (CWE-22): Potential file inclusion via variable (Confidence: HIGH, Severity: MEDIUM)
    118: 		}
  > 119: 		b2, err := ioutil.ReadFile(filepath.Join(sourceDir, f))
    120: 		if err != nil {



[/Users/yuwenma/go/src/github.com/kubernetes-sigs/kustomize/kyaml/copyutil/copyutil.go:115] - G304 (CWE-22): Potential file inclusion via variable (Confidence: HIGH, Severity: MEDIUM)
    114: 		// compare upstreamFiles
  > 115: 		b1, err := ioutil.ReadFile(filepath.Join(destDir, f))
    116: 		if err != nil {



[/Users/yuwenma/go/src/github.com/kubernetes-sigs/kustomize/kyaml/copyutil/copyutil.go:44] - G304 (CWE-22): Potential file inclusion via variable (Confidence: HIGH, Severity: MEDIUM)
    43: 		// copy file by reading and writing it
  > 44: 		b, err := ioutil.ReadFile(filepath.Join(src, copyTo))
    45: 		if err != nil {



[/Users/yuwenma/go/src/github.com/kubernetes-sigs/kustomize/cmd/pluginator/internal/krmfunction/converter.go:148] - G304 (CWE-22): Potential file inclusion via variable (Confidence: HIGH, Severity: MEDIUM)
    147: 	p := c.outputDir
  > 148: 	f, err := os.Open(p)
    149: 	if err == nil || f != nil {



[/Users/yuwenma/go/src/github.com/kubernetes-sigs/kustomize/cmd/pluginator/internal/krmfunction/converter.go:139] - G304 (CWE-22): Potential file inclusion via variable (Confidence: HIGH, Severity: MEDIUM)
    138: func (c *Converter) readDiskFile(path string) (string, error) {
  > 139: 	f, err := ioutil.ReadFile(path)
    140: 	if err != nil {



[/Users/yuwenma/go/src/github.com/kubernetes-sigs/kustomize/cmd/pluginator/internal/builtinplugin/builtinplugin.go:35] - G304 (CWE-22): Potential file inclusion via variable (Confidence: HIGH, Severity: MEDIUM)
    34: 	}
  > 35: 	file, err := os.Open(root + ".go")
    36: 	if err != nil {



[/Users/yuwenma/go/src/github.com/kubernetes-sigs/kustomize/cmd/mdtogo/main.go:99] - G304 (CWE-22): Potential file inclusion via variable (Confidence: HIGH, Severity: MEDIUM)
    98: 	} else {
  > 99: 		b, err := ioutil.ReadFile(licenseFile)
    100: 		if err != nil {



[/Users/yuwenma/go/src/github.com/kubernetes-sigs/kustomize/cmd/mdtogo/main.go:82] - G304 (CWE-22): Potential file inclusion via variable (Confidence: HIGH, Severity: MEDIUM)
    81: 		}
  > 82: 		b, err := ioutil.ReadFile(filepath.Join(source, f.Name()))
    83: 		if err != nil {



[/Users/yuwenma/go/src/github.com/kubernetes-sigs/kustomize/cmd/k8scopy/internal/modulespec.go:28] - G304 (CWE-22): Potential file inclusion via variable (Confidence: HIGH, Severity: MEDIUM)
    27: func ReadSpec(fileName string) *ModuleSpec {
  > 28: 	bytes, err := ioutil.ReadFile(fileName)
    29: 	if err != nil {



[/Users/yuwenma/go/src/github.com/kubernetes-sigs/kustomize/cmd/k8scopy/internal/copier.go:75-76] - G304 (CWE-22): Potential file inclusion via variable (Confidence: HIGH, Severity: MEDIUM)
    74: func (c Copier) CopyFile(dir, fName string) error {
  > 75: 	inFile, err := os.Open(
  > 76: 		filepath.Join(c.goModCache, c.spec.Name(), dir, fName))
    77: 	if err != nil {



[/Users/yuwenma/go/src/github.com/kubernetes-sigs/kustomize/cmd/gorepomod/internal/repo/protomodule.go:68] - G304 (CWE-22): Potential file inclusion via variable (Confidence: HIGH, Severity: MEDIUM)
    67: 	mPath := filepath.Join(path, goModFile)
  > 68: 	content, err := ioutil.ReadFile(mPath)
    69: 	if err != nil {



[/Users/yuwenma/go/src/github.com/kubernetes-sigs/kustomize/cmd/config/internal/commands/cmdcreatesetter.go:214] - G304 (CWE-22): Potential file inclusion via variable (Confidence: HIGH, Severity: MEDIUM)
    213: 	}
  > 214: 	sch, err := ioutil.ReadFile(schemaPath)
    215: 	if err != nil {



[/Users/yuwenma/go/src/github.com/kubernetes-sigs/kustomize/kyaml/openapi/kustomizationapi/swagger.go:28] - G110 (CWE-409): Potential DoS vulnerability via decompression bomb (Confidence: MEDIUM, Severity: MEDIUM)
    27: 	var buf bytes.Buffer
  > 28: 	_, err = io.Copy(&buf, gz)
    29: 	clErr := gz.Close()



[/Users/yuwenma/go/src/github.com/kubernetes-sigs/kustomize/kyaml/openapi/kubernetesapi/v1204/swagger.go:28] - G110 (CWE-409): Potential DoS vulnerability via decompression bomb (Confidence: MEDIUM, Severity: MEDIUM)
    27: 	var buf bytes.Buffer
  > 28: 	_, err = io.Copy(&buf, gz)
    29: 	clErr := gz.Close()



[/Users/yuwenma/go/src/github.com/kubernetes-sigs/kustomize/plugin/builtin/prefixsuffixtransformer/PrefixSuffixTransformer.go:68] - G601 (CWE-118): Implicit memory aliasing in for loop. (Confidence: MEDIUM, Severity: MEDIUM)
    67: 			// TODO: move this test into the filter.
  > 68: 			if smellsLikeANameChange(&fs) {
    69: 				// "metadata/name" is the only field.



[/Users/yuwenma/go/src/github.com/kubernetes-sigs/kustomize/api/types/helmchartargs.go:100] - G601 (CWE-118): Implicit memory aliasing in for loop. (Confidence: MEDIUM, Severity: MEDIUM)
    99: 	for _, old := range oldArgs {
  > 100: 		charts = append(charts, makeHelmChartFromHca(&old))
    101: 		if old.HelmHome != "" {



[/Users/yuwenma/go/src/github.com/kubernetes-sigs/kustomize/api/resmap/factory.go:107] - G601 (CWE-118): Implicit memory aliasing in for loop. (Confidence: MEDIUM, Severity: MEDIUM)
    106: 	for _, args := range argsList {
  > 107: 		res, err := rmF.resF.MakeSecret(kvLdr, &args)
    108: 		if err != nil {



[/Users/yuwenma/go/src/github.com/kubernetes-sigs/kustomize/api/resmap/factory.go:82] - G601 (CWE-118): Implicit memory aliasing in for loop. (Confidence: MEDIUM, Severity: MEDIUM)
    81: 	for _, args := range argList {
  > 82: 		res, err := rmF.resF.MakeConfigMap(kvLdr, &args)
    83: 		if err != nil {



[/Users/yuwenma/go/src/github.com/kubernetes-sigs/kustomize/api/filters/replacement/replacement.go:52] - G601 (CWE-118): Implicit memory aliasing in for loop. (Confidence: MEDIUM, Severity: MEDIUM)
    51: 			for _, id := range ids {
  > 52: 				if id.IsSelectedBy(t.Select.ResId) && !rejectId(t.Reject, &id) {
    53: 					err := applyToNode(n, value, t)



[/Users/yuwenma/go/src/github.com/kubernetes-sigs/kustomize/api/filters/replacement/replacement.go:26] - G601 (CWE-118): Implicit memory aliasing in for loop. (Confidence: MEDIUM, Severity: MEDIUM)
    25: 		}
  > 26: 		value, err := getReplacement(nodes, &r)
    27: 		if err != nil {



[/Users/yuwenma/go/src/github.com/kubernetes-sigs/kustomize/api/builtins/PrefixSuffixTransformer.go:64] - G601 (CWE-118): Implicit memory aliasing in for loop. (Confidence: MEDIUM, Severity: MEDIUM)
    63: 			// TODO: move this test into the filter.
  > 64: 			if smellsLikeANameChange(&fs) {
    65: 				// "metadata/name" is the only field.



[/Users/yuwenma/go/src/github.com/kubernetes-sigs/kustomize/cmd/pluginator/internal/krmfunction/converter.go:153] - G301 (CWE-276): Expect directory permissions to be 0750 or less (Confidence: HIGH, Severity: MEDIUM)
    152: 
  > 153: 	return os.MkdirAll(p, 0755)
    154: }



[/Users/yuwenma/go/src/github.com/kubernetes-sigs/kustomize/cmd/k8scopy/internal/writer.go:19] - G301 (CWE-276): Expect directory permissions to be 0750 or less (Confidence: HIGH, Severity: MEDIUM)
    18: func newWriter(toDir, name string) (*writer, error) {
  > 19: 	if err := os.MkdirAll(toDir, 0755); err != nil {
    20: 		log.Printf("unable to create directory: %s", toDir)



[/Users/yuwenma/go/src/github.com/kubernetes-sigs/kustomize/plugin/builtin/helmchartinflationgenerator/HelmChartInflationGenerator.go:219] - G306 (CWE-276): Expect WriteFile permissions to be 0600 or less (Confidence: HIGH, Severity: MEDIUM)
    218: 	path := filepath.Join(p.tmpDir, p.Name+"-kustomize-values.yaml")
  > 219: 	return path, ioutil.WriteFile(path, b, 0644)
    220: }



[/Users/yuwenma/go/src/github.com/kubernetes-sigs/kustomize/kyaml/filesys/fsondisk.go:121] - G306 (CWE-276): Expect WriteFile permissions to be 0600 or less (Confidence: HIGH, Severity: MEDIUM)
    120: func (fsOnDisk) WriteFile(name string, c []byte) error {
  > 121: 	return ioutil.WriteFile(name, c, 0666)
    122: }



[/Users/yuwenma/go/src/github.com/kubernetes-sigs/kustomize/cmd/pluginator/internal/krmfunction/converter.go:159] - G306 (CWE-276): Expect WriteFile permissions to be 0600 or less (Confidence: HIGH, Severity: MEDIUM)
    158: 		p := filepath.Join(c.outputDir, k)
  > 159: 		err := ioutil.WriteFile(p, []byte(v), 0644)
    160: 		if err != nil {



[/Users/yuwenma/go/src/github.com/kubernetes-sigs/kustomize/api/builtins/HelmChartInflationGenerator.go:214] - G306 (CWE-276): Expect WriteFile permissions to be 0600 or less (Confidence: HIGH, Severity: MEDIUM)
    213: 	path := filepath.Join(p.tmpDir, p.Name+"-kustomize-values.yaml")
  > 214: 	return path, ioutil.WriteFile(path, b, 0644)
    215: }



[/Users/yuwenma/go/src/github.com/kubernetes-sigs/kustomize/kyaml/kio/pkgio_writer.go:96] - G307 (CWE-703): Deferring unsafe method "Close" on type "*os.File" (Confidence: HIGH, Severity: MEDIUM)
    95: 		if err := func() error {
  > 96: 			defer f.Close()
    97: 			w := ByteWriter{



[/Users/yuwenma/go/src/github.com/kubernetes-sigs/kustomize/kyaml/kio/pkgio_reader.go:270] - G307 (CWE-703): Deferring unsafe method "Close" on type "*os.File" (Confidence: HIGH, Severity: MEDIUM)
    269: 	}
  > 270: 	defer f.Close()
    271: 



[/Users/yuwenma/go/src/github.com/kubernetes-sigs/kustomize/cmd/pluginator/internal/builtinplugin/builtinplugin.go:39] - G307 (CWE-703): Deferring unsafe method "Close" on type "*os.File" (Confidence: HIGH, Severity: MEDIUM)
    38: 	}
  > 39: 	defer file.Close()
    40: 	scanner := bufio.NewScanner(file)



[/Users/yuwenma/go/src/github.com/kubernetes-sigs/kustomize/cmd/k8scopy/internal/copier.go:80] - G307 (CWE-703): Deferring unsafe method "Close" on type "*os.File" (Confidence: HIGH, Severity: MEDIUM)
    79: 	}
  > 80: 	defer inFile.Close()
    81: 	scanner := bufio.NewScanner(inFile)



[/Users/yuwenma/go/src/github.com/kubernetes-sigs/kustomize/cmd/gorepomod/internal/gen/main.go:21] - G307 (CWE-703): Deferring unsafe method "Close" on type "*os.File" (Confidence: HIGH, Severity: MEDIUM)
    20: 	}
  > 21: 	defer inFile.Close()
    22: 	scanner := bufio.NewScanner(inFile)



[/Users/yuwenma/go/src/github.com/kubernetes-sigs/kustomize/cmd/config/internal/commands/cat.go:89] - G307 (CWE-703): Deferring unsafe method "Close" on type "*os.File" (Confidence: HIGH, Severity: MEDIUM)
    88: 		}
  > 89: 		defer o.Close()
    90: 		writer = o



[/Users/yuwenma/go/src/github.com/kubernetes-sigs/kustomize/plugin/builtin/helmchartinflationgenerator/HelmChartInflationGenerator.go:224] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    223: 	if p.tmpDir != "" {
  > 224: 		os.RemoveAll(p.tmpDir)
    225: 	}



[/Users/yuwenma/go/src/github.com/kubernetes-sigs/kustomize/kyaml/yaml/rnode.go:408] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    407: func (rn *RNode) SetApiVersion(av string) {
  > 408: 	rn.SetMapField(NewScalarRNode(av), APIVersionField)
    409: }



[/Users/yuwenma/go/src/github.com/kubernetes-sigs/kustomize/kyaml/yaml/rnode.go:395] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    394: func (rn *RNode) SetKind(k string) {
  > 395: 	rn.SetMapField(NewScalarRNode(k), KindField)
    396: }



[/Users/yuwenma/go/src/github.com/kubernetes-sigs/kustomize/kyaml/kio/testing.go:54] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    53: func (s Setup) Clean() {
  > 54: 	os.RemoveAll(s.Root)
    55: }



[/Users/yuwenma/go/src/github.com/kubernetes-sigs/kustomize/kyaml/filesys/fsnode.go:557-570] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    556: func (n *fsNode) DebugPrint() {
  > 557: 	n.WalkMe(func(path string, info os.FileInfo, err error) error {
  > 558: 		if err != nil {
  > 559: 			fmt.Printf("err '%v' at path %q\n", err, path)
  > 560: 			return nil
  > 561: 		}
  > 562: 		if info.IsDir() {
  > 563: 			if info.Size() == 0 {
  > 564: 				fmt.Println("empty dir: " + path)
  > 565: 			}
  > 566: 		} else {
  > 567: 			fmt.Println("     file: " + path)
  > 568: 		}
  > 569: 		return nil
  > 570: 	})
    571: }



[/Users/yuwenma/go/src/github.com/kubernetes-sigs/kustomize/kyaml/filesys/fsnode.go:544-552] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    543: 	count := 0
  > 544: 	n.WalkMe(func(path string, info os.FileInfo, err error) error {
  > 545: 		if err != nil {
  > 546: 			return err
  > 547: 		}
  > 548: 		if !info.IsDir() {
  > 549: 			count++
  > 550: 		}
  > 551: 		return nil
  > 552: 	})
    553: 	return count



[/Users/yuwenma/go/src/github.com/kubernetes-sigs/kustomize/kustomize/commands/openapi/fetch/fetch.go:60] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    59: 	output := stdout.Bytes()
  > 60: 	json.Unmarshal(output, &jsonSchema)
    61: 	output, _ = json.MarshalIndent(jsonSchema, "", "  ")



[/Users/yuwenma/go/src/github.com/kubernetes-sigs/kustomize/kustomize/commands/commands.go:63] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    62: 	// https://github.com/kubernetes/kubernetes/issues/17162
  > 63: 	flag.CommandLine.Parse([]string{})
    64: 	return c



[/Users/yuwenma/go/src/github.com/kubernetes-sigs/kustomize/cmd/k8scopy/internal/writer.go:32] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    31: func (w *writer) close() {
  > 32: 	w.f.Close()
    33: }



[/Users/yuwenma/go/src/github.com/kubernetes-sigs/kustomize/cmd/config/kubectl-krm/main.go:16] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    15: func main() {
  > 16: 	os.Setenv(commandutil.EnableAlphaCommmandsEnvName, "true")
    17: 	cmd := configcobra.AddCommands(&cobra.Command{



[/Users/yuwenma/go/src/github.com/kubernetes-sigs/kustomize/api/testutils/kusttest/plugintestenv.go:78] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    77: 	if x.wasSet {
  > 78: 		os.Setenv(konfig.KustomizePluginHomeEnv, x.oldXdg)
    79: 	} else {



[/Users/yuwenma/go/src/github.com/kubernetes-sigs/kustomize/api/testutils/kusttest/plugintestenv.go:73] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    72: 	x.oldXdg, x.wasSet = os.LookupEnv(konfig.KustomizePluginHomeEnv)
  > 73: 	os.Setenv(konfig.KustomizePluginHomeEnv, x.pluginRoot)
    74: }



[/Users/yuwenma/go/src/github.com/kubernetes-sigs/kustomize/api/testutils/kusttest/harnessenhanced.go:112] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    111: 		}
  > 112: 		os.RemoveAll(th.ldr.Root())
    113: 	}



[/Users/yuwenma/go/src/github.com/kubernetes-sigs/kustomize/api/internal/target/kusttarget.go:79] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    78: 	b, _ := json.Marshal(*kt.kustomization)
  > 79: 	json.Unmarshal(b, &result)
    80: 	return result



[/Users/yuwenma/go/src/github.com/kubernetes-sigs/kustomize/api/internal/generators/secret.go:57] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    56: 	copyLabelsAndAnnotations(rn, args.Options)
  > 57: 	setImmutable(rn, args.Options)
    58: 	return rn, nil



[/Users/yuwenma/go/src/github.com/kubernetes-sigs/kustomize/api/internal/generators/secret.go:56] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    55: 	}
  > 56: 	copyLabelsAndAnnotations(rn, args.Options)
    57: 	setImmutable(rn, args.Options)



[/Users/yuwenma/go/src/github.com/kubernetes-sigs/kustomize/api/hasher/hasher.go:97] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    96: 			var v map[string]interface{}
  > 97: 			json.Unmarshal(vs, &v)
    98: 			values[p] = v



[/Users/yuwenma/go/src/github.com/kubernetes-sigs/kustomize/api/builtins/HelmChartInflationGenerator.go:219] - G104 (CWE-703): Errors unhandled. (Confidence: HIGH, Severity: LOW)
    218: 	if p.tmpDir != "" {
  > 219: 		os.RemoveAll(p.tmpDir)
    220: 	}



Summary:
  Gosec  : dev
  Files  : 439
  Lines  : 51161
  Nosec  : 0
  Issues : 66

For the kustomize image, it is officially managed by sig-k8s-infra. Either to "bump the version of alpine" or to fix other CVE issues, the process would be much easier since it does not require rebuilding the yaml/api dependencies or even the kustomize CLI. So IIUC it would be a simplified release. Do you have any additional concerns?
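The two G110 findings in the gosec output above (io.Copy from a gzip reader into a buffer with no ceiling in the swagger.go files) are the cheapest class to fix. The following is an added example, not kustomize code: the flagged pattern beside a bounded version that caps the inflated size with io.LimitReader, fed a constructed gzip of zeros that inflates to 1 MiB from about 1 KiB.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
)

// ErrDecompressedTooLarge is returned when the inflated payload exceeds the cap.
var ErrDecompressedTooLarge = errors.New("decompressed data exceeds size limit")

// gunzipUnbounded mirrors the pattern gosec flags as G110 (CWE-409): io.Copy
// into a buffer with no ceiling, so a tiny archive can expand to gigabytes.
func gunzipUnbounded(compressed []byte) ([]byte, error) {
	gz, err := gzip.NewReader(bytes.NewReader(compressed))
	if err != nil {
		return nil, err
	}
	var buf bytes.Buffer
	_, err = io.Copy(&buf, gz)
	clErr := gz.Close()
	if err != nil {
		return nil, err
	}
	if clErr != nil {
		return nil, clErr
	}
	return buf.Bytes(), nil
}

// gunzipBounded is the hardened form: read at most maxBytes+1 bytes through a
// LimitReader; seeing that extra byte means the stream is larger than allowed.
func gunzipBounded(compressed []byte, maxBytes int64) ([]byte, error) {
	gz, err := gzip.NewReader(bytes.NewReader(compressed))
	if err != nil {
		return nil, err
	}
	defer gz.Close()
	var buf bytes.Buffer
	n, err := io.Copy(&buf, io.LimitReader(gz, maxBytes+1))
	if err != nil {
		return nil, err
	}
	if n > maxBytes {
		return nil, ErrDecompressedTooLarge
	}
	return buf.Bytes(), nil
}

// makeZeroBomb is a constructed sample input: n zero bytes gzip down to a
// blob roughly 1000x smaller, which is what makes unbounded inflation risky.
func makeZeroBomb(n int) []byte {
	var out bytes.Buffer
	w := gzip.NewWriter(&out)
	_, _ = w.Write(make([]byte, n))
	_ = w.Close()
	return out.Bytes()
}

func main() {
	bomb := makeZeroBomb(1 << 20)
	fmt.Printf("compressed: %d bytes\n", len(bomb))
	data, _ := gunzipUnbounded(bomb)
	fmt.Printf("unbounded inflate: %d bytes\n", len(data))
	_, err := gunzipBounded(bomb, 64<<10)
	fmt.Println("bounded inflate with 64 KiB cap:", err)
}
```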

Contributor Author

Oh, BTW, have we considered rebasing the alpine image onto a distroless image?

# We need to use bash to configure the build date and version properly.
- name: "gcr.io/cloud-builders/docker"
entrypoint: /bin/bash
args:
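Review bot: `_SEVERITY=$_SEVERITY` is added to what appears to be the environment list of the docker build step, but nothing in that step reads it; the `severity check` step later in the file consumes `${_SEVERITY}` directly as a substitution. Unless the Dockerfile consumes it as a build argument, drop this line so the build step's environment stays minimal.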
Expand All @@ -30,6 +31,23 @@ steps:
--build-arg
DATE=$(date -u +%FT%TZ)
.
- id: scan
name: gcr.io/cloud-builders/gcloud
entrypoint: /bin/bash
args:
- -c
- |
gcloud artifacts docker images scan gcr.io/$PROJECT_ID/kustomize:${_GIT_TAG} \
--format='value(response.scan)' > /workspace/scan_id.txt
- id: severity check
name: gcr.io/cloud-builders/gcloud
entrypoint: /bin/bash
args:
- -c
- |
gcloud artifacts docker images list-vulnerabilities $(cat /workspace/scan_id.txt) \
--format='value(vulnerability.effectiveSeverity)' | if grep -Fxq ${_SEVERITY}; \
then echo 'Failed vulnerability check' && exit 1; else exit 0; fi

images:
- "gcr.io/$PROJECT_ID/kustomize:${_GIT_TAG}"
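Review bot: the `severity check` step only fails the build when a vulnerability's `effectiveSeverity` is exactly `${_SEVERITY}` (`grep -Fxq` is a case-sensitive whole-line match), so with the default `high` a CRITICAL finding passes, and if the scanner emits the enum in upper case even HIGH findings pass. Suggest matching at-or-above the threshold, for example `grep -Eiq '^(HIGH|CRITICAL)$'`, and adding `set -o pipefail` before the pipeline: as written, a failed `list-vulnerabilities` call produces empty output, grep matches nothing, and the step exits 0 as if the image were clean. Also worth confirming that the `scan` step is operating on the locally built image, since `images:` only pushes `gcr.io/$PROJECT_ID/kustomize:${_GIT_TAG}` after all steps have completed.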
Expand All @@ -42,6 +60,7 @@ substitutions:
# _PULL_BASE_REF will contain the ref that was pushed to to trigger this build -
# a branch like 'master' or 'release-0.2', or a tag like 'v0.2'.
_PULL_BASE_REF: "master"
_SEVERITY: "high"
# Other substitutions will not be evaluated

options:
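Review bot: `_SEVERITY: "high"` carries no explanatory comment, unlike `_PULL_BASE_REF` just above it. Document the accepted values and note that they must match the case of the severity strings the check step compares against, so whoever overrides this substitution at release time knows what is valid.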