giantswarm/starboard-exporter

Vulnerabilities to fix (1 HIGH incl.)

Closed this issue · 4 comments

Hey,

The image "quay.io/giantswarm/starboard-exporter:0.7.1" has a bunch of vulnerabilities which can be fixed.
Most of them are linked to the Go version used, it seems there is already a PR opened to upgrade it.
Another is linked to Trivy itself which should be updated.

Vulnerability report from Trivy:

➜ trivy image quay.io/giantswarm/starboard-exporter:0.7.10
2024-06-11T15:17:26+02:00       INFO    Vulnerability scanning is enabled
2024-06-11T15:17:26+02:00       INFO    Secret scanning is enabled
2024-06-11T15:17:26+02:00       INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-11T15:17:26+02:00       INFO    Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-06-11T15:17:27+02:00       INFO    Detected OS     family="debian" version="12.5"
2024-06-11T15:17:27+02:00       INFO    [debian] Detecting vulnerabilities...   os_version="12" pkg_num=3
2024-06-11T15:17:27+02:00       INFO    Number of language-specific files       num=1
2024-06-11T15:17:27+02:00       INFO    [gobinary] Detecting vulnerabilities...

quay.io/giantswarm/starboard-exporter:0.7.10 (debian 12.5)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


manager (gobinary)

Total: 5 (UNKNOWN: 2, LOW: 0, MEDIUM: 2, HIGH: 1, CRITICAL: 0)

┌───────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬─────────────────────────────────────────────────────────────┐
│            Library            │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                            Title                            │
├───────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼─────────────────────────────────────────────────────────────┤
│ github.com/aquasecurity/trivy │ CVE-2024-35192 │ MEDIUM   │ fixed  │ v0.50.1           │ 0.51.2          │ Trivy possibly leaks registry credential when scanning      │
│                               │                │          │        │                   │                 │ images from malicious registries                            │
│                               │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-35192                  │
├───────────────────────────────┼────────────────┤          │        ├───────────────────┼─────────────────┼─────────────────────────────────────────────────────────────┤
│ golang.org/x/net              │ CVE-2023-45288 │          │        │ v0.22.0           │ 0.23.0          │ golang: net/http, x/net/http2: unlimited number of          │
│                               │                │          │        │                   │                 │ CONTINUATION frames causes DoS                              │
│                               │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2023-45288                  │
├───────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼─────────────────┼─────────────────────────────────────────────────────────────┤
│ stdlib                        │ CVE-2024-24788 │ HIGH     │        │ 1.22.2            │ 1.22.3          │ golang: net: malformed DNS message can cause infinite loop  │
│                               │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24788                  │
│                               ├────────────────┼──────────┤        │                   ├─────────────────┼─────────────────────────────────────────────────────────────┤
│                               │ CVE-2024-24789 │ UNKNOWN  │        │                   │ 1.21.11, 1.22.4 │ The archive/zip package's handling of certain types of      │
│                               │                │          │        │                   │                 │ invalid zip fil ......                                      │
│                               │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24789                  │
│                               ├────────────────┤          │        │                   │                 ├─────────────────────────────────────────────────────────────┤
│                               │ CVE-2024-24790 │          │        │                   │                 │ The various Is methods (IsPrivate, IsLoopback, etc) did not │
│                               │                │          │        │                   │                 │ work as ex...                                               │
│                               │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24790                  │
└───────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴─────────────────────────────────────────────────────────────┘

Thank you,
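A small triage helper for the report above, as an added example that is not part of the issue thread or the starboard-exporter project: it reads Trivy's `--format json` output (field names follow that format), keeps findings at or above a severity threshold, and for each package picks the fixed version on the installed minor branch, since Trivy lists several branches comma-separated (e.g. "1.21.11, 1.22.4"). The embedded report is constructed from the table in the issue.

```python
import json

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample in Trivy's JSON layout, mirroring the gobinary findings above.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "quay.io/giantswarm/starboard-exporter:0.7.10",
    "Results": [{"Target": "manager", "Type": "gobinary", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2024-35192", "PkgName": "github.com/aquasecurity/trivy",
         "InstalledVersion": "v0.50.1", "FixedVersion": "0.51.2", "Severity": "MEDIUM"},
        {"VulnerabilityID": "CVE-2023-45288", "PkgName": "golang.org/x/net",
         "InstalledVersion": "v0.22.0", "FixedVersion": "0.23.0", "Severity": "MEDIUM"},
        {"VulnerabilityID": "CVE-2024-24788", "PkgName": "stdlib",
         "InstalledVersion": "1.22.2", "FixedVersion": "1.22.3", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-2024-24789", "PkgName": "stdlib",
         "InstalledVersion": "1.22.2", "FixedVersion": "1.21.11, 1.22.4", "Severity": "UNKNOWN"},
    ]}],
})


def _ver(s):
    # "v0.22.0" / "1.22.3" -> (0, 22, 0) / (1, 22, 3) for numeric comparison
    return tuple(int(p) for p in s.strip().lstrip("v").split("."))


def target_version(installed, fixed_field):
    """Choose the fix on the same major.minor branch as the installed version,
    falling back to the lowest listed fix when no branch matches."""
    candidates = [_ver(f) for f in fixed_field.split(",") if f.strip()]
    same_branch = [c for c in candidates if c[:2] == _ver(installed)[:2]]
    pick = max(same_branch) if same_branch else min(candidates)
    return ".".join(map(str, pick))


def required_upgrades(report_json, min_severity="HIGH"):
    """Return {package: version} that clears every fixable finding at or above
    min_severity; findings without a FixedVersion are skipped (nothing to bump to)."""
    threshold = SEVERITY_RANK[min_severity]
    needed = {}
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            if SEVERITY_RANK.get(v.get("Severity", "UNKNOWN"), 0) < threshold:
                continue
            if not v.get("FixedVersion"):
                continue
            want = target_version(v["InstalledVersion"], v["FixedVersion"])
            prev = needed.get(v["PkgName"])
            if prev is None or _ver(want) > _ver(prev):
                needed[v["PkgName"]] = want
    return needed


if __name__ == "__main__":
    print(required_upgrades(SAMPLE_REPORT, "HIGH"))    # {'stdlib': '1.22.3'}
```

Feed it the output of `trivy image --format json <image>` to get the minimal bump list a CI gate should block on.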

Hi @mcolmant,
Thanks for looking out. As you saw, our automation had already queued up these dependency bumps. They've since been merged and will go out with the next release.

Hi @stone-z, thanks for your quick answer!
Do you know when the next release is planned?
Our team will need to fix the High vulnerability as soon as possible.
Thank you

First, I'll give you the obligatory "CVE severity alone isn't a good indication of risk and we typically won't do releases based on that. This exporter uses DNS only to find the API server and if your attacker can manipulate that then this exporter going down is the least of your worries, yadda yadda".

BUT, I had the time and this was ready to go out anyway, so we're cutting a release and it'll be out shortly as v0.7.11.

(I'm a security guy and a product guy, please forgive me for both 😄 )

Yeah, you're totally right. But people are getting nervous when the board is showing high vulnerabilities... even if we have good arguments, better to have them fixed if it's easy :)
Thanks a lot for your support!