nats-io/nats-operator

Upgrade kubernetes dependency to fix CVE Warnings

johgoe opened this issue · 4 comments

Please update and release a new version of nats-operator which upgrades the kubernetes dependency.

From: kyma-project/kyma#11244 (comment)

Turns out nats-operator is using kubernetes 1.15.2 as a dependency and that is causing the security scan to fail in the job as it is shown here:

"scan": {
	"status": "Vulns",
	"message": "There are some expired vulnerabilities",
	"protecodeID": "579046"
}

The security issue with Kubernetes 1.15.2 is https://nvd.nist.gov/vuln/detail/CVE-2020-8558.

Thanks, will see if I can fix tomorrow.

Sorry for the delay, a bit stuck figuring out this error updating the dependencies... Continuing to investigate... Trying out with the go.mod from sample-controller: https://github.com/kubernetes/sample-controller/blob/master/go.mod

go: k8s.io/kubernetes@v1.21.2 requires
	k8s.io/apiextensions-apiserver@v0.0.0: reading k8s.io/apiextensions-apiserver/go.mod at revision v0.0.0: unknown revision v0.0.0

I don't know a lot about Go, but it seems like this addresses a similar issue: kyma-project/kyma#11920

Kubernetes dependencies are now at 1.22.2 as of #336.
Closing for now.