fix: update runc dependency 5 patch versions to remediate vulnerabilities #131
Conversation
@tianon I read that document and, while I appreciate the need to stay focused on vulnerabilities that directly pertain to Is the expectation that users of the software will simply have to build their own binaries of
The I would guess that the expectation is that scanners will get better and use deeper static analysis, like Go's
Perhaps they are wrong, but if so that's likely a contingent fact. It is certainly possible in principle for a vulnerability to impact a language like Go in a way that produces a vulnerable binary from otherwise flawless source code. Theoretical issues aside, the practical reality is that a very significant number of users are beholden to scanners that pay attention to dependencies (including the language). Right now gosu binaries are built with a particular version of Go, that version of Go has critical vulnerabilities associated with it, and so users must make a choice: maintain their own build pipeline for gosu, or don't use gosu. If the answer is that users are expected to maintain the build themselves, that's fine. But it's important to be clear-eyed and explicit about it.
Security scanners should improve to remove this busywork from the industry. If You might enjoy opencontainers/runc#3998 (comment) however, which is a proposal which will involve the code we import from
Look, fine to draw the line wherever you like. But it's important to have a clear-eyed view of what that means for users. Practically speaking, what this means for us is that we will have to compile
There's a mismatch in the use of the word "vulnerability" here: gosu itself is not vulnerable. It happens to use a library which has some code in it that has a defect (which again, does not affect gosu).
Please reread my last comment. This is feedback, offered in good faith. Feel free to ignore, but recognize that others can't.
I think I unfortunately agree with @erickpeirson here: someone from InfoSec can run any security scanner on any docker image we build, and they are thrown a list of "high" and "critical" CVEs all coming from this package. They aren't going to easily buy "trust me it's fine", especially when they pay for the tools that detect these issues.
runc v1.1.2 and v1.1.5 fix about 2 dozen Common Vulnerabilities and Exposures.
tested locally with:
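The local test command the PR description refers to is not preserved on this page. What the scanners in the thread actually look at is the module list and toolchain version that the Go linker embeds in every binary (the same data `go version -m` and govulncheck read), so the check a practitioner wants is: does a given gosu binary still record a runc or Go version below the fixed one? The program below is an added example, written for this page rather than taken from gosu or from the PR author. The floors it enforces are assumptions: the thread cites runc v1.1.5 as fixing the flagged CVEs but names no Go toolchain version, so `go1.20.5` is a placeholder, and the sample build info is constructed for illustration, not read from any real gosu release.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"runtime/debug"
	"strconv"
	"strings"
)

// Floors used by main(). Both are assumptions for this example: the PR thread
// names runc v1.1.5 as carrying the fixes but no Go version, so set these to
// whatever your scanner's database currently requires.
const assumedMinGo = "go1.20.5"

var assumedFloors = map[string]string{
	"github.com/opencontainers/runc": "v1.1.5",
}

// Finding records one component whose recorded version is below its floor.
type Finding struct {
	Component, Have, Want string
}

// parseVersion splits a module version ("v1.1.5", "v1.1.5-0.2023...-abcdef")
// or a toolchain version ("go1.20.5", "go1.21rc1", "go1.20") into numeric
// parts plus an optional prerelease tag. Build metadata after '+' is ignored.
func parseVersion(v string) (nums [3]int, pre string, ok bool) {
	v = strings.TrimPrefix(strings.TrimPrefix(v, "go"), "v")
	if i := strings.IndexByte(v, '+'); i >= 0 {
		v = v[:i]
	}
	if i := strings.IndexByte(v, '-'); i >= 0 {
		pre, v = v[i+1:], v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) < 2 || len(parts) > 3 {
		return nums, "", false
	}
	for i, p := range parts {
		// Toolchain tags glue the prerelease onto the last number (go1.21rc1).
		if i == len(parts)-1 && pre == "" {
			if j := strings.IndexFunc(p, func(r rune) bool { return r < '0' || r > '9' }); j >= 0 {
				pre, p = p[j:], p[:j]
			}
		}
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return nums, "", false
		}
		nums[i] = n
	}
	return nums, pre, true
}

// compareVersions returns -1, 0 or 1. A prerelease, including a Go
// pseudo-version (which denotes a commit *before* the tagged release),
// sorts below the plain release with the same numbers.
func compareVersions(a, b string) (int, error) {
	an, apre, ok := parseVersion(a)
	if !ok {
		return 0, fmt.Errorf("unparseable version %q", a)
	}
	bn, bpre, ok := parseVersion(b)
	if !ok {
		return 0, fmt.Errorf("unparseable version %q", b)
	}
	for i := range an {
		switch {
		case an[i] < bn[i]:
			return -1, nil
		case an[i] > bn[i]:
			return 1, nil
		}
	}
	switch {
	case apre == "" && bpre != "":
		return 1, nil
	case apre != "" && bpre == "":
		return -1, nil
	}
	return strings.Compare(apre, bpre), nil
}

// audit checks the toolchain and every watched module recorded in a binary's
// build info. A module pulled in through a replace directive is judged by the
// replacement's version, because that is what was actually compiled in.
func audit(bi *debug.BuildInfo, minGo string, floors map[string]string) ([]Finding, error) {
	var out []Finding
	if c, err := compareVersions(bi.GoVersion, minGo); err != nil {
		return nil, err
	} else if c < 0 {
		out = append(out, Finding{"go toolchain", bi.GoVersion, minGo})
	}
	for _, dep := range bi.Deps {
		want, watched := floors[dep.Path]
		if !watched {
			continue
		}
		have := dep.Version
		if dep.Replace != nil {
			have = dep.Replace.Version
		}
		c, err := compareVersions(have, want)
		if err != nil {
			return nil, err
		}
		if c < 0 {
			out = append(out, Finding{dep.Path, have, want})
		}
	}
	return out, nil
}

// sampleBuildInfo is a constructed stand-in for what a pre-PR gosu-style
// binary might embed; the versions are illustrative, not taken from gosu.
func sampleBuildInfo() *debug.BuildInfo {
	return &debug.BuildInfo{
		GoVersion: "go1.20.3",
		Path:      "github.com/tianon/gosu",
		Deps: []*debug.Module{
			{Path: "github.com/opencontainers/runc", Version: "v1.1.0"},
			{Path: "golang.org/x/sys", Version: "v0.7.0"},
		},
	}
}

func main() {
	bi := sampleBuildInfo()
	if len(os.Args) > 1 {
		// Audit a real compiled binary given on the command line, e.g. ./gosu-amd64.
		var err error
		if bi, err = buildinfo.ReadFile(os.Args[1]); err != nil {
			fmt.Fprintln(os.Stderr, "read build info:", err)
			os.Exit(2)
		}
	}
	findings, err := audit(bi, assumedMinGo, assumedFloors)
	if err != nil {
		fmt.Fprintln(os.Stderr, "audit:", err)
		os.Exit(2)
	}
	for _, f := range findings {
		fmt.Printf("%s: have %s, need >= %s\n", f.Component, f.Have, f.Want)
	}
	if len(findings) > 0 {
		os.Exit(1)
	}
	fmt.Println("no watched component below its floor")
}
```

Run it with no arguments to see the constructed sample flagged on both counts, or point it at a built binary (`go run . ./gosu-amd64`) to audit what was actually linked in. Note that this answers only the question the scanners ask (which versions are recorded), not whether the code path with the defect is reachable from gosu, which is the distinction tianon draws above; govulncheck's call-graph analysis is the tool for that second question.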