Web hook docker image built with old go version 1.20.4 and has several CVEs
Closed this issue · 1 comments
BobbySchmitt commented
Describe the bug
The current version of the webhook docker image was built with version 1.20.4 of go which has several CVEs identified.
Steps To Reproduce
Download v1.1.0 of webhook and scan with any docker security tool.
Expected behavior
New releases are made frequently to update the software to latest releases.
Logs
Environment
- Kubernetes version (use kubectl version):
- Cloud provider or hardware configuration:
- OS (e.g: cat /etc/os-release):
- Kernel (e.g. uname -a):
- Install tools:
- Network plugin and version (if this is a network-related bug):
- Others:
Additional context
aramase commented
v1.2.0 was released month and doesn't contain any CVEs.
➜ trivy image --exit-code 1 --severity MEDIUM,HIGH,CRITICAL mcr.microsoft.com/oss/azure/workload-identity/webhook:v1.2.0
2023-11-29T00:52:58.087Z INFO Vulnerability scanning is enabled
2023-11-29T00:52:58.087Z INFO Secret scanning is enabled
2023-11-29T00:52:58.087Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-11-29T00:52:58.087Z INFO Please see also https://aquasecurity.github.io/trivy/v0.39/docs/secret/scanning/#recommendation for faster secret detection
2023-11-29T00:52:59.403Z INFO Detected OS: debian
2023-11-29T00:52:59.403Z INFO Detecting Debian vulnerabilities...
2023-11-29T00:52:59.403Z INFO Number of language-specific files: 1
2023-11-29T00:52:59.403Z INFO Detecting gobinary vulnerabilities...
mcr.microsoft.com/oss/azure/workload-identity/webhook:v1.2.0 (debian 11.8)
Total: 0 (MEDIUM: 0, HIGH: 0, CRITICAL: 0)
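
The toolchain version the issue refers to is embedded in every Go binary, so it can be read from a binary copied out of the image and compared with a minimum. This is an added example, not part of the issue thread or the project's code; the function names and the caller-supplied minimum version are assumptions made for illustration.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
)

// parseGoVersion turns "go1.20.4" into [1 20 4]; "go1.21rc2" becomes [1 21 0].
func parseGoVersion(v string) (out [3]int, err error) {
	if n, _ := fmt.Sscanf(v, "go%d.%d.%d", &out[0], &out[1], &out[2]); n < 2 {
		return out, fmt.Errorf("unrecognised Go version %q", v)
	}
	return out, nil
}

// olderThan reports whether have is strictly older than floor.
func olderThan(have, floor string) (bool, error) {
	h, herr := parseGoVersion(have)
	f, ferr := parseGoVersion(floor)
	if herr != nil || ferr != nil {
		return false, fmt.Errorf("cannot compare %q with %q", have, floor)
	}
	// Assumes every component is below 1000, true of all Go releases so far.
	key := func(v [3]int) int { return v[0]*1_000_000 + v[1]*1_000 + v[2] }
	return key(h) < key(f), nil
}

// checkBinary reads the Go version embedded in the binary at path and compares it with floor.
func checkBinary(path, floor string) (string, bool, error) {
	info, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", false, err
	}
	old, err := olderThan(info.GoVersion, floor)
	return info.GoVersion, old, err
}

func main() {
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, "usage: gover <binary> <minimum Go version>")
		os.Exit(2)
	}
	have, old, err := checkBinary(os.Args[1], os.Args[2])
	fmt.Printf("built with %q, older than minimum: %v, error: %v\n", have, old, err)
	if old || err != nil {
		os.Exit(1)
	}
}
```

The program exits non-zero when the binary predates the minimum or its build information cannot be read, so it can gate a pipeline step alongside an image scan.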