Please cut and release a new version
richgerrard opened this issue · 2 comments
Describe the feature
A new release - last release was in February.
Optional: Is your feature request related to a problem? Please describe.
Yes, you are accumulating many CVEs with fixes available. Building and releasing is bound to fix a great many of them.
Optional: Implementation ideas
- build
- cut
- release
Optional: Additional context
| Repository | CVE ID | Type | Severity | Packages | Source Package | Package Version | CVSS | Fix Status |
|---|---|---|---|---|---|---|---|---|
| securesystemsengineering/connaisseur | CVE-2023-29491 | OS | high | ncurses-libs,ncurses-terminfo-base | ncurses | 6.3_p20221119-r0 | 7.8 | fixed in 6.3_p20221119-r1 |
| securesystemsengineering/connaisseur | CVE-2022-1304 | OS | high | libcom_err | e2fsprogs | 1.46.5-r4 | 7.8 | fixed in 1.46.6-r0 |
| securesystemsengineering/connaisseur | CVE-2023-0464 | OS | high | libssl3,libcrypto3 | openssl | 3.0.8-r0 | 7.5 | fixed in 3.0.8-r1 |
| securesystemsengineering/connaisseur | CVE-2023-0466 | OS | medium | libssl3,libcrypto3 | openssl | 3.0.8-r0 | 5.3 | fixed in 3.0.8-r3 |
| securesystemsengineering/connaisseur | CVE-2023-0465 | OS | medium | libssl3,libcrypto3 | openssl | 3.0.8-r0 | 5.3 | fixed in 3.0.8-r2 |
| securesystemsengineering/connaisseur | CVE-2023-1255 | OS | medium | libssl3,libcrypto3 | openssl | 3.0.8-r0 | 5.9 | fixed in 3.0.8-r4 |
| securesystemsengineering/connaisseur | CVE-2023-2650 | OS | low | libssl3,libcrypto3 | openssl | 3.0.8-r0 | 0 | fixed in 3.0.9-r0 |
| securesystemsengineering/connaisseur | CVE-2023-32681 | python | moderate | requests | | 2.28.2 | 4 | fixed in 2.31.0 |
| securesystemsengineering/connaisseur | CVE-2023-30861 | python | high | flask | | 2.2.3 | 7.5 | fixed in 2.3.2, 2.2.5 |
| securesystemsengineering/connaisseur | CVE-2023-2253 | go | high | github.com/docker/distribution | | v2.8.1 | 7 | fixed in 2.8.2-beta.1 |
| securesystemsengineering/connaisseur | CVE-2023-28842 | go | moderate | github.com/docker/docker | | v20.10.17 | 4 | fixed in 23.0.3, 20.10.24 |
| securesystemsengineering/connaisseur | CVE-2023-28841 | go | moderate | github.com/docker/docker | | v20.10.17 | 4 | fixed in 23.0.3, 20.10.24 |
| securesystemsengineering/connaisseur | CVE-2023-28840 | go | high | github.com/docker/docker | | v20.10.17 | 7 | fixed in 23.0.3, 20.10.24 |
| securesystemsengineering/connaisseur | PRISMA-2022-0270 | go | medium | github.com/golang-jwt/jwt/v4 | | v4.4.2 | 5.4 | fixed in v4.4.3 |
| securesystemsengineering/connaisseur | CVE-2023-30551 | go | high | github.com/sigstore/rekor | | v0.12.1-0.20220915152154-4bb6f441c1b2 | 7 | fixed in 1.1.1 |
| securesystemsengineering/connaisseur | CVE-2023-33199 | go | moderate | github.com/sigstore/rekor | | v0.12.1-0.20220915152154-4bb6f441c1b2 | 4 | fixed in 1.2.0 |
| securesystemsengineering/connaisseur | CVE-2022-41723 | go | high | golang.org/x/net | | v0.0.0-20221012135044-0b7e1fb9d458 | 7 | fixed in 0.7.0 |
| securesystemsengineering/connaisseur | CVE-2022-41717 | go | moderate | golang.org/x/net/http2 | | v0.0.0-20221012135044-0b7e1fb9d458 | 4 | fixed in 0.4.0 |
| securesystemsengineering/connaisseur | CVE-2022-32149 | go | high | golang.org/x/text/language | | v0.3.8-0.20211004125949-5bd84dd9b33b | 7 | fixed in 0.3.8 |
| securesystemsengineering/connaisseur | CVE-2023-29400 | binary | high | go | | 1.19.2 | 7.3 | fixed in 1.20.4, 1.19.9 |
| securesystemsengineering/connaisseur | CVE-2022-41725 | binary | high | go | | 1.19.2 | 7.5 | fixed in 1.19.6 |
| securesystemsengineering/connaisseur | CVE-2023-24534 | binary | high | go | | 1.19.2 | 7.5 | fixed in 1.20.3, 1.19.8 |
| securesystemsengineering/connaisseur | CVE-2023-24537 | binary | high | go | | 1.19.2 | 7.5 | fixed in 1.20.3, 1.19.8 |
| securesystemsengineering/connaisseur | CVE-2023-24538 | binary | critical | go | | 1.19.2 | 9.8 | fixed in 1.20.3, 1.19.8 |
| securesystemsengineering/connaisseur | CVE-2023-24539 | binary | high | go | | 1.19.2 | 7.3 | fixed in 1.20.4, 1.19.9 |
| securesystemsengineering/connaisseur | CVE-2022-41716 | binary | high | go | | 1.19.2 | 7.5 | fixed in 1.19.3, 1.18.8 |
| securesystemsengineering/connaisseur | CVE-2023-24536 | binary | high | go | | 1.19.2 | 7.5 | fixed in 1.20.3, 1.19.8 |
| securesystemsengineering/connaisseur | CVE-2022-41724 | binary | high | go | | 1.19.2 | 7.5 | fixed in 1.19.6 |
| securesystemsengineering/connaisseur | CVE-2023-24532 | binary | medium | go | | 1.19.2 | 5.3 | fixed in 1.20.2, 1.19.7 |
| securesystemsengineering/connaisseur | CVE-2022-41717 | binary | medium | go | | 1.19.2 | 5.3 | fixed in 1.19.4, 1.18.9 |
| securesystemsengineering/connaisseur | CVE-2022-41723 | binary | high | go | | 1.19.2 | 7.5 | fixed in 1.19.6 |
| securesystemsengineering/connaisseur | CVE-2023-24540 | binary | critical | go | | 1.19.2 | 9.8 | fixed in 1.20.4, 1.19.9 |
@richgerrard thanks for reaching out 🙏 The team is cutting a release as we speak.
We are monitoring vulnerabilities and trying to release whenever fixes become available. However, as this is a community project and we have been very busy, and at the same time trying to roll out two major changes to connaisseur (CI/CD and an all-new interface), we have not managed to be as active as hoped.
I love you, team!
These are my latest scan results with the new image, and we can close this issue. Thank you again!
Scan results for image securesystemsengineering/connaisseur:v2.8.1 sha256:e82011ebe657734290220ddf9a99c64f8edd7eda8cb961398e774b413877de21
Vulnerabilities found for image securesystemsengineering/connaisseur:v2.8.1: total - 0, critical - 0, high - 0, medium - 0, low - 0
Vulnerability threshold check results: PASS
Compliance found for image securesystemsengineering/connaisseur:v2.8.1: total - 0, critical - 0, high - 0, medium - 0, low - 0
Compliance threshold check results: PASS