helm chartmuseum image vulnerabilities #512

Closed
olivejing opened this issue Dec 16, 2021 · 10 comments
Labels
dependencies Pull requests that update a dependency file

Comments

olivejing commented Dec 16, 2021

I used v0.13.1; helm chartmuseum image vulnerabilities were found during a trivy scan.

| Library | Fixed version | Vulnerability ID | Severity |
|---|---|---|---|
| github.com/containerd/containerd | v1.4.11, v1.5.7 | CVE-2021-41103 | HIGH |
| github.com/containerd/containerd | v1.4.8, v1.5.4 | CVE-2021-32760 | MEDIUM |
| github.com/dgrijalva/jwt-go | Unknown | CVE-2020-26160 | HIGH |
| github.com/docker/cli | v20.10.9 | CVE-2021-41092 | HIGH |
| github.com/docker/distribution | v2.7.0-rc.0+incompatible | CVE-2017-11468 | HIGH |
| github.com/opencontainers/runc | v1.0.0-rc8.0.20190930145003-cad42f6e0932 | CVE-2019-16884 | HIGH |
| github.com/opencontainers/runc | v1.0.0-rc9.0.20200122160610-2fc03cc11c77 | CVE-2019-19921 | HIGH |
| github.com/satori/go.uuid | v1.2.1-0.20181016170032-d91630c85102 | GO-2020-0018 | UNKNOWN |
scbizu added the dependencies label Dec 17, 2021
cbuto (Contributor) commented Jan 25, 2022

Hi @olivejing, most of these findings have been resolved and will be included in the next release. There are a few related to various transitive dependencies (like github.com/dgrijalva/jwt-go) that need to be tracked down.

scbizu (Contributor) commented Jan 26, 2022

Also see https://artifacthub.io/packages/helm/chartmuseum/chartmuseum?modal=security-report for more image vulnerabilities.

nerdeveloper (Member) commented

Is it better to use a versioned alpine image:

```
FROM alpine:latest
```

Also, by default, if we release 0.15.0, it is expected that it will use the latest version of alpine, which will automatically fix the vulnerability issue. @cbuto, correct?
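The question above is whether the runtime stage should keep `FROM alpine:latest` or use a versioned base image. A check for this can be automated in the project's own language; the following is an added example, not code from the chartmuseum repository, and the two-stage Dockerfile it scans is constructed for illustration rather than taken from the project. The rule it applies is stricter than "use a version tag": a tag alone (`alpine:3.15`) can still be re-pointed by the registry, so only a reference that carries a `@sha256:` digest is treated as pinned, and references to earlier build stages are skipped.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed two-stage Dockerfile used as sample input. It is not the project's
// own Dockerfile, only the shape discussed in the thread: a build stage and a
// runtime stage built FROM alpine:latest.
const sampleDockerfile = `FROM golang:1.17 AS builder
WORKDIR /src
RUN go build -o /chartmuseum ./cmd/chartmuseum

FROM alpine:latest
COPY --from=builder /chartmuseum /chartmuseum
ENTRYPOINT ["/chartmuseum"]
`

// FromIssue is one base image reference that is not fully pinned.
type FromIssue struct {
	Line  int
	Image string
	Why   string
}

// CheckBaseImages returns every FROM whose base image is not pinned to a digest.
// A bare tag ("alpine:3.15") is still mutable because the registry can re-point
// it, so only "image[:tag]@sha256:<digest>" counts as pinned. References to
// earlier build stages (FROM builder) are skipped, and FROM flags such as
// --platform=... are ignored.
func CheckBaseImages(dockerfile string) []FromIssue {
	var issues []FromIssue
	stages := map[string]bool{}
	for i, raw := range strings.Split(dockerfile, "\n") {
		f := strings.Fields(strings.TrimSpace(raw))
		if len(f) < 2 || !strings.EqualFold(f[0], "FROM") {
			continue
		}
		args := f[1:]
		for len(args) > 0 && strings.HasPrefix(args[0], "--") {
			args = args[1:] // drop flags like --platform=linux/amd64
		}
		if len(args) == 0 {
			continue
		}
		ref := args[0]
		if len(args) >= 3 && strings.EqualFold(args[1], "AS") {
			stages[args[2]] = true // remember stage names for later FROM <stage>
		}
		if stages[ref] {
			continue
		}
		// Inspect only the last path component so a registry port
		// (host:5000/img) is not mistaken for a tag.
		name := ref
		if j := strings.LastIndex(ref, "/"); j >= 0 {
			name = ref[j+1:]
		}
		switch {
		case strings.Contains(name, "@sha256:"):
			// fully pinned: nothing to report
		case !strings.Contains(name, ":") || strings.HasSuffix(name, ":latest"):
			issues = append(issues, FromIssue{i + 1, ref, "floating tag (implicit or explicit latest)"})
		default:
			issues = append(issues, FromIssue{i + 1, ref, "tag without digest; the tag can be re-pointed upstream"})
		}
	}
	return issues
}

func main() {
	for _, iss := range CheckBaseImages(sampleDockerfile) {
		fmt.Printf("line %d: %s: %s\n", iss.Line, iss.Image, iss.Why)
	}
}
```

Run against the sample it flags both stages: line 1 (`golang:1.17`, tag without digest) and line 5 (`alpine:latest`, floating tag). Pinning to a digest does not stop a base image from accumulating CVEs; it makes the update a deliberate, reviewable change instead of something that silently happens at the next release build.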

cbuto (Contributor) commented Mar 22, 2022

@nerdeveloper Yep, a new release will pull the latest version.

All of these have been resolved besides CVE-2020-26160, but let's track that one in #567 and close this issue.

cbuto closed this as completed Mar 22, 2022

scbizu (Contributor) commented Mar 23, 2022

@cbuto jwt-go is an indirect dependency and is included by our upstream's upstream :(
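cbuto's earlier comment says the jwt-go finding is a transitive dependency that still has to be tracked down, and the comment above says it comes in through "our upstream's upstream". The Go toolchain answers that directly (`go mod why -m github.com/dgrijalva/jwt-go`, or `go mod graph` for the full edge list), but it is useful to see what the graph walk actually does. The following is an added example, not code from chartmuseum or helm; it parses `go mod graph` style output and breadth-first searches from the root module for the first chain that reaches the target. The graph it reads is constructed for illustration: the root `example.com/app` and the `github.com/example/...` modules are placeholders, not the real chartmuseum dependency tree.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample of `go mod graph` output. It is NOT the real chartmuseum
// module graph; every module except jwt-go is a placeholder chosen so that the
// vulnerable module sits two hops below the root. Each line is
// "<dependant> <dependency>", and only the root module carries no @version.
const sampleGraph = `example.com/app github.com/example/upstream@v1.2.0
example.com/app github.com/spf13/cobra@v1.3.0
github.com/example/upstream@v1.2.0 github.com/example/upstreamsupstream@v0.9.0
github.com/example/upstreamsupstream@v0.9.0 github.com/dgrijalva/jwt-go@v3.2.0+incompatible
github.com/spf13/cobra@v1.3.0 github.com/spf13/pflag@v1.0.5
`

// parseGraph turns go mod graph output into an adjacency list keyed by
// "module@version" (or the bare module path for the root).
func parseGraph(out string) map[string][]string {
	g := map[string][]string{}
	for _, line := range strings.Split(strings.TrimSpace(out), "\n") {
		f := strings.Fields(line)
		if len(f) != 2 {
			continue // skip blank or malformed lines
		}
		g[f[0]] = append(g[f[0]], f[1])
	}
	return g
}

// modulePath strips the @version suffix so any version of the target matches.
func modulePath(node string) string {
	if i := strings.Index(node, "@"); i >= 0 {
		return node[:i]
	}
	return node
}

// findPath breadth-first searches from root and returns the shortest chain of
// nodes that reaches any version of target, or nil if target is not reachable.
func findPath(g map[string][]string, root, target string) []string {
	parent := map[string]string{}
	visited := map[string]bool{root: true}
	queue := []string{root}
	for len(queue) > 0 {
		n := queue[0]
		queue = queue[1:]
		if modulePath(n) == target {
			// Walk the parent links back to the root to rebuild the chain.
			var path []string
			for cur := n; ; cur = parent[cur] {
				path = append([]string{cur}, path...)
				if cur == root {
					break
				}
			}
			return path
		}
		for _, dep := range g[n] {
			if !visited[dep] {
				visited[dep] = true
				parent[dep] = n
				queue = append(queue, dep)
			}
		}
	}
	return nil
}

func main() {
	g := parseGraph(sampleGraph)
	p := findPath(g, "example.com/app", "github.com/dgrijalva/jwt-go")
	if p == nil {
		fmt.Println("github.com/dgrijalva/jwt-go is not in the module graph")
		return
	}
	fmt.Println(strings.Join(p, " -> "))
}
```

On the sample graph the chain is `example.com/app -> github.com/example/upstream@v1.2.0 -> github.com/example/upstreamsupstream@v0.9.0 -> github.com/dgrijalva/jwt-go@v3.2.0+incompatible`. The second-to-last node in the chain is the module whose own go.mod has to change (or be replaced) before the finding can disappear from the image; a `replace` directive in the root go.mod can swap the module for a maintained fork in the meantime, but that is a decision to make explicitly rather than something a scanner result alone resolves.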

scbizu (Contributor) commented Mar 23, 2022

I'd prefer to reopen this issue to track containerd's security issue reported by our dependabot bot here, which also depends on helm's upgrade helm/helm#10717.

scbizu reopened this Mar 23, 2022
cbuto (Contributor) commented Mar 23, 2022

@scbizu The containerd CVEs reported in this issue are different from the CVE that dependabot is reporting. These CVEs have been resolved.

scbizu (Contributor) commented Mar 23, 2022

Oh, sorry. Should we close this one and open a new issue to track it?

cbuto (Contributor) commented Mar 23, 2022

No problem! Yeah, it might be a good idea to track that one separately.

scbizu (Contributor) commented Mar 24, 2022

Closing this one, since #568 will track all CVE issues.

scbizu closed this as completed Mar 24, 2022