argoproj-labs/argocd-extensions

Image scanning has detected CRITICAL vulnerabilities

GiuseppeChiesa-TomTom opened this issue · 3 comments

Summary

As part of our onboarding process we scan the images we consume for fixable critical vulnerabilities.
We detected that the latest version of argocd-extensions, v0.2.1, contains critical vulnerabilities.

Diagnostics

❯ docker run aquasec/trivy image --ignore-unfixed --exit-code 1 --severity CRITICAL ghcr.io/argoproj-labs/argocd-extensions:v0.2.1
2023-06-15T13:53:41.538Z        INFO    Need to update DB
2023-06-15T13:53:41.538Z        INFO    DB Repository: ghcr.io/aquasecurity/trivy-db
2023-06-15T13:53:41.538Z        INFO    Downloading DB...
2023-06-15T13:53:51.129Z       INFO    Vulnerability scanning is enabled
2023-06-15T13:53:51.129Z        INFO    Secret scanning is enabled
2023-06-15T13:53:51.129Z        INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-06-15T13:53:51.129Z        INFO    Please see also https://aquasecurity.github.io/trivy/v0.42/docs/secret/scanning/#recommendation for faster secret detection
2023-06-15T13:53:58.777Z        INFO    Detected OS: alpine
2023-06-15T13:53:58.777Z        INFO    Detecting Alpine vulnerabilities...
2023-06-15T13:53:58.779Z        INFO    Number of language-specific files: 1
2023-06-15T13:53:58.779Z        INFO    Detecting gobinary vulnerabilities...

ghcr.io/argoproj-labs/argocd-extensions:v0.2.1 (alpine 3.16.2)
==============================================================
Total: 7 (CRITICAL: 7)

┌────────────────────────┬────────────────┬──────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────────────┐
│        Library         │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                           Title                           │
├────────────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤
│ git                    │ CVE-2022-23521 │ CRITICAL │ 2.36.3-r0         │ 2.36.4-r0     │ git: gitattributes parsing integer overflow               │
│                        │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-23521                │
│                        ├────────────────┤          │                   │               ├───────────────────────────────────────────────────────────┤
│                        │ CVE-2022-41903 │          │                   │               │ git: Heap overflow in `git archive`, `git log --format`   │
│                        │                │          │                   │               │ leading to RCE...                                         │
│                        │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-41903                │
├────────────────────────┼────────────────┤          ├───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤
│ libcurl                │ CVE-2023-23914 │          │ 7.83.1-r4         │ 7.83.1-r6     │ HSTS ignored on multiple requests                         │
│                        │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-23914                │
│                        ├────────────────┤          │                   ├───────────────┼───────────────────────────────────────────────────────────┤
│                        │ CVE-2023-28322 │          │                   │ 8.1.0-r0      │ more POST-after-PUT confusion                             │
│                        │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-28322                │
├────────────────────────┼────────────────┤          ├───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤
│ openssh-client-common  │ CVE-2023-28531 │          │ 9.0_p1-r2         │ 9.0_p1-r3     │ openssh: smartcard keys to ssh-agent without the intended │
│                        │                │          │                   │               │ per-hop destination constraints.                          │
│                        │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-28531                │
├────────────────────────┤                │          │                   │               │                                                           │
│ openssh-client-default │                │          │                   │               │                                                           │
│                        │                │          │                   │               │                                                           │
│                        │                │          │                   │               │                                                           │
├────────────────────────┤                │          │                   │               │                                                           │
│ openssh-keygen         │                │          │                   │               │                                                           │
│                        │                │          │                   │               │                                                           │
│                        │                │          │                   │               │                                                           │
└────────────────────────┴────────────────┴──────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────────────┘

Message from the maintainers:

Impacted by this bug? Give it a 👍. We prioritise the issues with the most 👍.
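As an added example (not code from the issue or the project), the gate described in the report re-implemented over Trivy's JSON output (`trivy image -f json`), so the findings can be inspected per package instead of only failing the build: it keeps findings that carry a fixed version at or above the chosen severity, the same filter as `--ignore-unfixed --severity CRITICAL --exit-code 1`. The sample report is constructed from the table above plus one placeholder unfixed finding; the `Results`/`Vulnerabilities` keys follow Trivy's JSON layout.

```python
import json

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample in Trivy's JSON report layout, carrying three findings from
# the table in the issue plus one placeholder HIGH finding with no fix (not a real scan file).
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "ghcr.io/argoproj-labs/argocd-extensions:v0.2.1",
    "Results": [{
        "Target": "ghcr.io/argoproj-labs/argocd-extensions:v0.2.1 (alpine 3.16.2)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2022-23521", "PkgName": "git",
             "InstalledVersion": "2.36.3-r0", "FixedVersion": "2.36.4-r0", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-2023-23914", "PkgName": "libcurl",
             "InstalledVersion": "7.83.1-r4", "FixedVersion": "7.83.1-r6", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-2023-28531", "PkgName": "openssh-client-common",
             "InstalledVersion": "9.0_p1-r2", "FixedVersion": "9.0_p1-r3", "Severity": "CRITICAL"},
            # Placeholder unfixed finding: the gate must skip it, as --ignore-unfixed would.
            {"VulnerabilityID": "CVE-PLACEHOLDER-0001", "PkgName": "example-pkg",
             "InstalledVersion": "1.0-r0", "FixedVersion": "", "Severity": "HIGH"},
        ],
    }],
})

# A clean report: Trivy omits the "Vulnerabilities" key when a target has none.
CLEAN_REPORT = json.dumps({"Results": [{"Target": "clean-image (alpine 3.18.0)"}]})


def fixable_findings(report_json, min_severity="CRITICAL"):
    """Return (package, cve, installed, fixed) for findings that have a fixed
    version and are at or above min_severity (the --ignore-unfixed/--severity filter)."""
    floor = SEVERITY_RANK[min_severity]
    hits = []
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            if not v.get("FixedVersion"):
                continue  # no fix published yet: nothing a rebuild can do
            if SEVERITY_RANK.get(v.get("Severity", "UNKNOWN"), 0) < floor:
                continue
            hits.append((v["PkgName"], v["VulnerabilityID"], v["InstalledVersion"], v["FixedVersion"]))
    return hits


def packages_to_upgrade(report_json, min_severity="CRITICAL"):
    """Distinct packages whose installed version must move, i.e. what a rebuild must pick up."""
    return sorted({pkg for pkg, _, _, _ in fixable_findings(report_json, min_severity)})


def gate(report_json, min_severity="CRITICAL"):
    """CI exit code: 1 while fixable findings remain, 0 otherwise (like --exit-code 1)."""
    return 1 if fixable_findings(report_json, min_severity) else 0
```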

This repo is built on alpine:latest. I just built locally and the scan passed. It seems like the only thing we need is a new build of the same code.

@zachaller can we get a rebuild released?

Just bumping this as it's been 7 weeks since the request, and nearly 5 months since the original report. I'm running into the same issue now and it's blocking progress. If there's anything I can do to help, please let me know.

Welp, answer provided! https://github.com/argoproj-labs/argocd-extensions/blob/main/README.md#deprecation-notice

Good news is that the switch was incredibly easy.