CVE-2020-29652
tspearconquest opened this issue · 2 comments
Describe the bug
CVE-2020-29652 -- golang x/crypto package
In go's crypto package, a bug was reported last year which has been patched already.
Unfortunately kubesec is still using an old version of this library and attempts to reach your team via the email address security@control-plane.io were bounced.
To Reproduce
Steps to reproduce the behaviour:
docker pull kubesec/kubesec:latest
docker run --rm -v "$(pwd)":/tmp -v /var/run/docker.sock:/var/run/docker.sock aquasecurity/trivy:latest image --no-progress --ignore-unfixed --severity HIGH,CRITICAL --vuln-type library kubesec/kubesec:latest
Actual behaviour
We run Trivy image vulnerability scanner in our CI pipeline to catch any issues such as this before we release software into our environments. This vulnerability has been found and highlighted in kubesec which we hope to deploy soon to our kubernetes clusters.
Expected behaviour
Trivy should find no high or critical CVEs in software included with kubesec.
Additional context
We have manually added this CVE to a .trivyignore file so that the pipeline will ignore this CVE, as we know that this issue is not a critical issue to this project. That said, we are reporting the issue in good faith, hoping that your team will jump on this and release a patch soon regardless.
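The reproduction step above runs Trivy with `--ignore-unfixed --severity HIGH,CRITICAL --vuln-type library`, and the reporter then suppresses this one finding through a `.trivyignore` file. The script below is an added example, not code from kubesec or from anyone in this thread: it applies that same gating policy to a Trivy report saved with `trivy image --format json -o report.json kubesec/kubesec:latest`, so the pass/fail decision lives in reviewable code rather than in a long command line. The JSON field names (`Results`, `Target`, `Vulnerabilities`, `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`) are assumed from Trivy's JSON layout; the embedded report, the package versions in it, and the second "unfixed" record are constructed for illustration and are not real scanner output or kubesec's real dependency versions.

```python
"""CI gate over Trivy JSON output that honours a .trivyignore list.

Added example (not kubesec's code). Assumes Trivy's `--format json` layout:
a top-level "Results" list whose entries carry "Target", "Type" and
"Vulnerabilities", each vulnerability having "VulnerabilityID", "PkgName",
"InstalledVersion", "FixedVersion" and "Severity".
"""
import json
from typing import Dict, Iterable, List, Set, Tuple

# Constructed Trivy-style report (not real scanner output). It models the
# kubesec image from the issue: the Alpine layer is clean and the Go binary
# carries one fixed HIGH finding in golang.org/x/crypto. The second record
# uses a deliberately synthetic, non-CVE identifier and no FixedVersion so
# the --ignore-unfixed behaviour is exercised. Version strings are placeholders.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {"Target": "kubesec/kubesec:latest (alpine 3.13.5)", "Type": "alpine",
         "Vulnerabilities": []},
        {"Target": "bin/kubesec", "Type": "gobinary",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2020-29652",
              "PkgName": "golang.org/x/crypto",
              "InstalledVersion": "v0.0.0-20200622213623-75b288015ac9",
              "FixedVersion": "v0.0.0-20201216223049-8b5274cf687f",
              "Severity": "HIGH"},
             {"VulnerabilityID": "CONSTRUCTED-UNFIXED-EXAMPLE",
              "PkgName": "example.invalid/placeholder",
              "InstalledVersion": "v0.1.0",
              "FixedVersion": "",
              "Severity": "CRITICAL"},
         ]},
    ]
})

# Constructed .trivyignore mirroring what the reporter describes doing.
SAMPLE_TRIVYIGNORE = """# vetted 2021-05: kubesec does not reach the affected x/crypto code path
CVE-2020-29652
"""


def parse_trivyignore(text: str) -> Set[str]:
    """Parse a .trivyignore: one vulnerability ID per line, '#' starts a comment."""
    ignored: Set[str] = set()
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if entry:
            ignored.add(entry)
    return ignored


def select_findings(report_json: str,
                    severities: Iterable[str] = ("HIGH", "CRITICAL"),
                    ignore_unfixed: bool = True,
                    ignored: Iterable[str] = ()) -> List[Dict[str, str]]:
    """Return the findings that should block a release.

    Mirrors the CLI flags from the issue: keep only the requested severities,
    drop findings with no FixedVersion when ignore_unfixed is set (there is
    nothing to upgrade to yet), and drop IDs listed in .trivyignore.
    """
    wanted = {s.upper() for s in severities}
    skip = set(ignored)
    hits: List[Dict[str, str]] = []
    for result in json.loads(report_json).get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("Severity", "UNKNOWN").upper() not in wanted:
                continue
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            if vuln["VulnerabilityID"] in skip:
                continue
            hits.append({
                "Target": result.get("Target", ""),
                "VulnerabilityID": vuln["VulnerabilityID"],
                "PkgName": vuln.get("PkgName", ""),
                "InstalledVersion": vuln.get("InstalledVersion", ""),
                "FixedVersion": vuln.get("FixedVersion", ""),
                "Severity": vuln.get("Severity", "UNKNOWN").upper(),
            })
    return hits


def gate(report_json: str, trivyignore_text: str = "") -> Tuple[int, List[Dict[str, str]]]:
    """Return (exit_code, blocking_findings); exit 1 fails the pipeline."""
    failing = select_findings(report_json, ignored=parse_trivyignore(trivyignore_text))
    return (1 if failing else 0), failing


if __name__ == "__main__":
    for label, ignore_text in (("without .trivyignore", ""),
                               ("with .trivyignore", SAMPLE_TRIVYIGNORE)):
        code, failing = gate(SAMPLE_REPORT, ignore_text)
        print(f"{label}: exit {code}")
        for f in failing:
            print(f"  {f['Severity']} {f['VulnerabilityID']} {f['PkgName']} "
                  f"{f['InstalledVersion']} -> {f['FixedVersion']} ({f['Target']})")
```

Run it against a real report with `python3 gate.py` after replacing `SAMPLE_REPORT` with the contents of `report.json`; the ignore file is parsed the same way whether it lists one CVE or many. Keeping the ignore list in a committed file with a dated comment per entry, as in the sample, is what turns a suppression into a reviewable risk acceptance rather than a silent exception.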
Thanks for the report.
This was caught by our trivy code analysis 12 days ago but for some reason no one received notification so I'll look into that. I'll also check out why security@control-plane.io bounced!
I'll resolve the issue and vendor a new release.
λ trivy image kubesec/kubesec:2.11.1
2021-05-27T10:20:44.274+0100 INFO Detecting Alpine vulnerabilities...
2021-05-27T10:20:44.275+0100 INFO Detecting gobinary vulnerabilities...
kubesec/kubesec:2.11.1 (alpine 3.13.5)
======================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
bin/kubesec
===========
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
λ trivy image kubesec/kubesec:latest
2021-05-27T10:22:01.855+0100 INFO Detecting Alpine vulnerabilities...
2021-05-27T10:22:01.856+0100 INFO Detecting gobinary vulnerabilities...
kubesec/kubesec:latest (alpine 3.13.5)
======================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
bin/kubesec
===========
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)