
1.14 - CVE bitnami/kubernetes and Go bump #9695

Merged: 2 commits into v1.14.x from cve-1.14.30-cve, Jun 28, 2024

Conversation

bewebi
Contributor

@bewebi bewebi commented Jun 26, 2024

Description

Bump bitnami/kubectl image to resolve CVEs and cloud-builders to use latest go1.21

Context

Routine Trivy scans identified CVE-2024-24790 in our images, with issues opened including #9671

Testing steps

I manually tested the latest released images as follows:

for service in gloo gloo-envoy-wrapper discovery ingress sds certgen access-logger kubectl; do trivy image --severity HIGH,CRITICAL "quay.io/solo-io/${service}:1.14.30"; done
Results:
2024-06-26T15:29:52-04:00	INFO	Vulnerability scanning is enabled
2024-06-26T15:29:52-04:00	INFO	Secret scanning is enabled
2024-06-26T15:29:52-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-26T15:29:52-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-26T15:29:52-04:00	INFO	Detected OS	family="alpine" version="3.17.5"
2024-06-26T15:29:52-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=20
2024-06-26T15:29:52-04:00	INFO	Number of language-specific files	num=1
2024-06-26T15:29:52-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/gloo:1.14.30 (alpine 3.17.5)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-06-26T15:29:52-04:00	INFO	Some vulnerabilities have been ignored/suppressed. Use the "--show-suppressed" flag to display them.

usr/local/bin/gloo (gobinary)

Total: 1 (HIGH: 0, CRITICAL: 1)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                           Title                            │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-24790 │ CRITICAL │ fixed  │ 1.21.9            │ 1.21.11, 1.22.4 │ golang: net/netip: Unexpected behavior from Is methods for │
│         │                │          │        │                   │                 │ IPv4-mapped IPv6 addresses                                 │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24790                 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴────────────────────────────────────────────────────────────┘
2024-06-26T15:29:53-04:00	INFO	Vulnerability scanning is enabled
2024-06-26T15:29:53-04:00	INFO	Secret scanning is enabled
2024-06-26T15:29:53-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-26T15:29:53-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-26T15:29:53-04:00	INFO	Detected OS	family="alpine" version="3.17.5"
2024-06-26T15:29:53-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=20
2024-06-26T15:29:53-04:00	INFO	Number of language-specific files	num=1
2024-06-26T15:29:53-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/gloo-envoy-wrapper:1.14.30 (alpine 3.17.5)

Total: 0 (HIGH: 0, CRITICAL: 0)


usr/local/bin/envoyinit (gobinary)

Total: 1 (HIGH: 0, CRITICAL: 1)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                           Title                            │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-24790 │ CRITICAL │ fixed  │ 1.21.9            │ 1.21.11, 1.22.4 │ golang: net/netip: Unexpected behavior from Is methods for │
│         │                │          │        │                   │                 │ IPv4-mapped IPv6 addresses                                 │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24790                 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴────────────────────────────────────────────────────────────┘
2024-06-26T15:29:54-04:00	INFO	Vulnerability scanning is enabled
2024-06-26T15:29:54-04:00	INFO	Secret scanning is enabled
2024-06-26T15:29:54-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-26T15:29:54-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-26T15:29:54-04:00	INFO	Detected OS	family="alpine" version="3.17.6"
2024-06-26T15:29:54-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=16
2024-06-26T15:29:54-04:00	INFO	Number of language-specific files	num=1
2024-06-26T15:29:54-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/discovery:1.14.30 (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-06-26T15:29:54-04:00	INFO	Some vulnerabilities have been ignored/suppressed. Use the "--show-suppressed" flag to display them.

usr/local/bin/discovery (gobinary)

Total: 1 (HIGH: 0, CRITICAL: 1)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                           Title                            │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-24790 │ CRITICAL │ fixed  │ 1.21.9            │ 1.21.11, 1.22.4 │ golang: net/netip: Unexpected behavior from Is methods for │
│         │                │          │        │                   │                 │ IPv4-mapped IPv6 addresses                                 │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24790                 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴────────────────────────────────────────────────────────────┘
2024-06-26T15:29:55-04:00	INFO	Vulnerability scanning is enabled
2024-06-26T15:29:55-04:00	INFO	Secret scanning is enabled
2024-06-26T15:29:55-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-26T15:29:55-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-26T15:29:55-04:00	INFO	Detected OS	family="alpine" version="3.17.6"
2024-06-26T15:29:55-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=15
2024-06-26T15:29:55-04:00	INFO	Number of language-specific files	num=1
2024-06-26T15:29:55-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/ingress:1.14.30 (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-06-26T15:29:55-04:00	INFO	Some vulnerabilities have been ignored/suppressed. Use the "--show-suppressed" flag to display them.

usr/local/bin/ingress (gobinary)

Total: 1 (HIGH: 0, CRITICAL: 1)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                           Title                            │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-24790 │ CRITICAL │ fixed  │ 1.21.9            │ 1.21.11, 1.22.4 │ golang: net/netip: Unexpected behavior from Is methods for │
│         │                │          │        │                   │                 │ IPv4-mapped IPv6 addresses                                 │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24790                 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴────────────────────────────────────────────────────────────┘
2024-06-26T15:29:56-04:00	INFO	Vulnerability scanning is enabled
2024-06-26T15:29:56-04:00	INFO	Secret scanning is enabled
2024-06-26T15:29:56-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-26T15:29:56-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-26T15:29:57-04:00	INFO	Detected OS	family="alpine" version="3.17.6"
2024-06-26T15:29:57-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=15
2024-06-26T15:29:57-04:00	INFO	Number of language-specific files	num=1
2024-06-26T15:29:57-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/sds:1.14.30 (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-06-26T15:29:57-04:00	INFO	Some vulnerabilities have been ignored/suppressed. Use the "--show-suppressed" flag to display them.

usr/local/bin/sds (gobinary)

Total: 1 (HIGH: 0, CRITICAL: 1)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                           Title                            │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-24790 │ CRITICAL │ fixed  │ 1.21.9            │ 1.21.11, 1.22.4 │ golang: net/netip: Unexpected behavior from Is methods for │
│         │                │          │        │                   │                 │ IPv4-mapped IPv6 addresses                                 │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24790                 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴────────────────────────────────────────────────────────────┘
2024-06-26T15:29:57-04:00	INFO	Vulnerability scanning is enabled
2024-06-26T15:29:57-04:00	INFO	Secret scanning is enabled
2024-06-26T15:29:57-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-26T15:29:57-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-26T15:29:58-04:00	INFO	Detected OS	family="alpine" version="3.17.6"
2024-06-26T15:29:58-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=16
2024-06-26T15:29:58-04:00	INFO	Number of language-specific files	num=1
2024-06-26T15:29:58-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/certgen:1.14.30 (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)


usr/local/bin/certgen (gobinary)

Total: 1 (HIGH: 0, CRITICAL: 1)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                           Title                            │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-24790 │ CRITICAL │ fixed  │ 1.21.9            │ 1.21.11, 1.22.4 │ golang: net/netip: Unexpected behavior from Is methods for │
│         │                │          │        │                   │                 │ IPv4-mapped IPv6 addresses                                 │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24790                 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴────────────────────────────────────────────────────────────┘
2024-06-26T15:29:58-04:00	INFO	Vulnerability scanning is enabled
2024-06-26T15:29:59-04:00	INFO	Secret scanning is enabled
2024-06-26T15:29:59-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-26T15:29:59-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-26T15:29:59-04:00	INFO	Detected OS	family="alpine" version="3.17.6"
2024-06-26T15:29:59-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=16
2024-06-26T15:29:59-04:00	INFO	Number of language-specific files	num=1
2024-06-26T15:29:59-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/access-logger:1.14.30 (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)


usr/local/bin/access-logger (gobinary)

Total: 1 (HIGH: 0, CRITICAL: 1)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                           Title                            │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-24790 │ CRITICAL │ fixed  │ 1.21.9            │ 1.21.11, 1.22.4 │ golang: net/netip: Unexpected behavior from Is methods for │
│         │                │          │        │                   │                 │ IPv4-mapped IPv6 addresses                                 │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24790                 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴────────────────────────────────────────────────────────────┘
2024-06-26T15:30:00-04:00	INFO	Vulnerability scanning is enabled
2024-06-26T15:30:00-04:00	INFO	Secret scanning is enabled
2024-06-26T15:30:00-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-26T15:30:00-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-26T15:30:00-04:00	INFO	Detected OS	family="alpine" version="3.17.6"
2024-06-26T15:30:00-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=15
2024-06-26T15:30:00-04:00	INFO	Number of language-specific files	num=1
2024-06-26T15:30:00-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/kubectl:1.14.30 (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-06-26T15:30:00-04:00	INFO	Some vulnerabilities have been ignored/suppressed. Use the "--show-suppressed" flag to display them.

usr/local/bin/kubectl (gobinary)

Total: 1 (HIGH: 0, CRITICAL: 1)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                           Title                            │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-24790 │ CRITICAL │ fixed  │ 1.21.9            │ 1.21.11, 1.22.4 │ golang: net/netip: Unexpected behavior from Is methods for │
│         │                │          │        │                   │                 │ IPv4-mapped IPv6 addresses                                 │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24790                 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴────────────────────────────────────────────────────────────┘

I then rebuilt images locally from this branch and scanned them:

VERSION=1.14.30-cve make docker -B
for service in gloo gloo-envoy-wrapper discovery ingress sds certgen access-logger kubectl; do trivy image --severity HIGH,CRITICAL "quay.io/solo-io/${service}:1.14.30-cve"; done
Results:
2024-06-26T15:31:05-04:00	INFO	Vulnerability scanning is enabled
2024-06-26T15:31:05-04:00	INFO	Secret scanning is enabled
2024-06-26T15:31:05-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-26T15:31:05-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-26T15:31:05-04:00	INFO	Detected OS	family="alpine" version="3.17.5"
2024-06-26T15:31:05-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=20
2024-06-26T15:31:05-04:00	INFO	Number of language-specific files	num=1
2024-06-26T15:31:05-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/gloo:1.14.30-cve (alpine 3.17.5)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-06-26T15:31:05-04:00	INFO	Some vulnerabilities have been ignored/suppressed. Use the "--show-suppressed" flag to display them.
2024-06-26T15:31:06-04:00	INFO	Vulnerability scanning is enabled
2024-06-26T15:31:06-04:00	INFO	Secret scanning is enabled
2024-06-26T15:31:06-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-26T15:31:06-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-26T15:31:06-04:00	INFO	Detected OS	family="alpine" version="3.17.5"
2024-06-26T15:31:06-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=20
2024-06-26T15:31:06-04:00	INFO	Number of language-specific files	num=1
2024-06-26T15:31:06-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/gloo-envoy-wrapper:1.14.30-cve (alpine 3.17.5)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-06-26T15:31:06-04:00	INFO	Vulnerability scanning is enabled
2024-06-26T15:31:06-04:00	INFO	Secret scanning is enabled
2024-06-26T15:31:06-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-26T15:31:06-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-26T15:31:06-04:00	INFO	Detected OS	family="alpine" version="3.17.6"
2024-06-26T15:31:06-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=16
2024-06-26T15:31:06-04:00	INFO	Number of language-specific files	num=1
2024-06-26T15:31:06-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/discovery:1.14.30-cve (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-06-26T15:31:06-04:00	INFO	Some vulnerabilities have been ignored/suppressed. Use the "--show-suppressed" flag to display them.
2024-06-26T15:31:07-04:00	INFO	Vulnerability scanning is enabled
2024-06-26T15:31:07-04:00	INFO	Secret scanning is enabled
2024-06-26T15:31:07-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-26T15:31:07-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-26T15:31:07-04:00	INFO	Detected OS	family="alpine" version="3.17.6"
2024-06-26T15:31:07-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=15
2024-06-26T15:31:07-04:00	INFO	Number of language-specific files	num=1
2024-06-26T15:31:07-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/ingress:1.14.30-cve (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-06-26T15:31:07-04:00	INFO	Some vulnerabilities have been ignored/suppressed. Use the "--show-suppressed" flag to display them.
2024-06-26T15:31:07-04:00	INFO	Vulnerability scanning is enabled
2024-06-26T15:31:07-04:00	INFO	Secret scanning is enabled
2024-06-26T15:31:07-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-26T15:31:07-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-26T15:31:07-04:00	INFO	Detected OS	family="alpine" version="3.17.6"
2024-06-26T15:31:07-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=15
2024-06-26T15:31:07-04:00	INFO	Number of language-specific files	num=1
2024-06-26T15:31:07-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/sds:1.14.30-cve (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-06-26T15:31:07-04:00	INFO	Some vulnerabilities have been ignored/suppressed. Use the "--show-suppressed" flag to display them.
2024-06-26T15:31:08-04:00	INFO	Vulnerability scanning is enabled
2024-06-26T15:31:08-04:00	INFO	Secret scanning is enabled
2024-06-26T15:31:08-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-26T15:31:08-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-26T15:31:08-04:00	INFO	Detected OS	family="alpine" version="3.17.6"
2024-06-26T15:31:08-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=16
2024-06-26T15:31:08-04:00	INFO	Number of language-specific files	num=1
2024-06-26T15:31:08-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/certgen:1.14.30-cve (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-06-26T15:31:09-04:00	INFO	Vulnerability scanning is enabled
2024-06-26T15:31:09-04:00	INFO	Secret scanning is enabled
2024-06-26T15:31:09-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-26T15:31:09-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-26T15:31:09-04:00	INFO	Detected OS	family="alpine" version="3.17.6"
2024-06-26T15:31:09-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=16
2024-06-26T15:31:09-04:00	INFO	Number of language-specific files	num=1
2024-06-26T15:31:09-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/access-logger:1.14.30-cve (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-06-26T15:31:09-04:00	INFO	Vulnerability scanning is enabled
2024-06-26T15:31:09-04:00	INFO	Secret scanning is enabled
2024-06-26T15:31:09-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-26T15:31:09-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-26T15:31:09-04:00	INFO	Detected OS	family="alpine" version="3.17.6"
2024-06-26T15:31:09-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=15
2024-06-26T15:31:09-04:00	INFO	Number of language-specific files	num=1
2024-06-26T15:31:09-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/kubectl:1.14.30-cve (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-06-26T15:31:09-04:00	INFO	Some vulnerabilities have been ignored/suppressed. Use the "--show-suppressed" flag to display them.

I also scanned the images published for the PR:

for service in gloo gloo-envoy-wrapper discovery ingress sds certgen access-logger kubectl; do trivy image --severity HIGH,CRITICAL "quay.io/solo-io/${service}:1.14.30-9695"; done
Results:
2024-06-26T15:31:47-04:00	INFO	Vulnerability scanning is enabled
2024-06-26T15:31:47-04:00	INFO	Secret scanning is enabled
2024-06-26T15:31:47-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-26T15:31:47-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-26T15:31:47-04:00	INFO	Detected OS	family="alpine" version="3.17.5"
2024-06-26T15:31:47-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=20
2024-06-26T15:31:47-04:00	INFO	Number of language-specific files	num=1
2024-06-26T15:31:47-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/gloo:1.14.30-9695 (alpine 3.17.5)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-06-26T15:31:47-04:00	INFO	Some vulnerabilities have been ignored/suppressed. Use the "--show-suppressed" flag to display them.
2024-06-26T15:31:48-04:00	INFO	Vulnerability scanning is enabled
2024-06-26T15:31:48-04:00	INFO	Secret scanning is enabled
2024-06-26T15:31:48-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-26T15:31:48-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-26T15:31:48-04:00	INFO	Detected OS	family="alpine" version="3.17.5"
2024-06-26T15:31:48-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=20
2024-06-26T15:31:48-04:00	INFO	Number of language-specific files	num=1
2024-06-26T15:31:48-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/gloo-envoy-wrapper:1.14.30-9695 (alpine 3.17.5)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-06-26T15:31:49-04:00	INFO	Vulnerability scanning is enabled
2024-06-26T15:31:49-04:00	INFO	Secret scanning is enabled
2024-06-26T15:31:49-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-26T15:31:49-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-26T15:31:49-04:00	INFO	Detected OS	family="alpine" version="3.17.6"
2024-06-26T15:31:49-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=16
2024-06-26T15:31:49-04:00	INFO	Number of language-specific files	num=1
2024-06-26T15:31:49-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/discovery:1.14.30-9695 (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-06-26T15:31:49-04:00	INFO	Some vulnerabilities have been ignored/suppressed. Use the "--show-suppressed" flag to display them.
2024-06-26T15:31:50-04:00	INFO	Vulnerability scanning is enabled
2024-06-26T15:31:50-04:00	INFO	Secret scanning is enabled
2024-06-26T15:31:50-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-26T15:31:50-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-26T15:31:50-04:00	INFO	Detected OS	family="alpine" version="3.17.6"
2024-06-26T15:31:50-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=15
2024-06-26T15:31:50-04:00	INFO	Number of language-specific files	num=1
2024-06-26T15:31:50-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/ingress:1.14.30-9695 (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-06-26T15:31:51-04:00	INFO	Some vulnerabilities have been ignored/suppressed. Use the "--show-suppressed" flag to display them.
2024-06-26T15:31:51-04:00	INFO	Vulnerability scanning is enabled
2024-06-26T15:31:51-04:00	INFO	Secret scanning is enabled
2024-06-26T15:31:51-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-26T15:31:51-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-26T15:31:52-04:00	INFO	Detected OS	family="alpine" version="3.17.6"
2024-06-26T15:31:52-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=15
2024-06-26T15:31:52-04:00	INFO	Number of language-specific files	num=1
2024-06-26T15:31:52-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/sds:1.14.30-9695 (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-06-26T15:31:52-04:00	INFO	Some vulnerabilities have been ignored/suppressed. Use the "--show-suppressed" flag to display them.
2024-06-26T15:31:52-04:00	INFO	Vulnerability scanning is enabled
2024-06-26T15:31:52-04:00	INFO	Secret scanning is enabled
2024-06-26T15:31:52-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-26T15:31:52-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-26T15:31:53-04:00	INFO	Detected OS	family="alpine" version="3.17.6"
2024-06-26T15:31:53-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=16
2024-06-26T15:31:53-04:00	INFO	Number of language-specific files	num=1
2024-06-26T15:31:53-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/certgen:1.14.30-9695 (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-06-26T15:31:53-04:00	INFO	Vulnerability scanning is enabled
2024-06-26T15:31:53-04:00	INFO	Secret scanning is enabled
2024-06-26T15:31:53-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-26T15:31:53-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-26T15:31:54-04:00	INFO	Detected OS	family="alpine" version="3.17.6"
2024-06-26T15:31:54-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=16
2024-06-26T15:31:54-04:00	INFO	Number of language-specific files	num=1
2024-06-26T15:31:54-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/access-logger:1.14.30-9695 (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-06-26T15:31:54-04:00	INFO	Vulnerability scanning is enabled
2024-06-26T15:31:54-04:00	INFO	Secret scanning is enabled
2024-06-26T15:31:54-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-26T15:31:54-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-26T15:31:55-04:00	INFO	Detected OS	family="alpine" version="3.17.6"
2024-06-26T15:31:55-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=15
2024-06-26T15:31:55-04:00	INFO	Number of language-specific files	num=1
2024-06-26T15:31:55-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/kubectl:1.14.30-9695 (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-06-26T15:31:55-04:00	INFO	Some vulnerabilities have been ignored/suppressed. Use the "--show-suppressed" flag to display them.

Note that the following CVEs from the trivyignore in main need to be present in the trivyignore when scanning these images:

CVE-2024-26147
CVE-2023-2253

Checklist:

  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have added tests that prove my fix is effective or that my feature works

BOT NOTES:
resolves solo-io#9671
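The finding above is the Go standard-library bug CVE-2024-24790: the net/netip Is methods (IsPrivate, IsLoopback, IsLinkLocalUnicast, ...) return false for IPv4-mapped IPv6 addresses such as ::ffff:10.0.0.1, so a deny-list of internal ranges can be bypassed by presenting an internal IPv4 destination in its mapped form. The program below is an added example, not code from this PR or from the Gloo code base; the SSRF guard `allowEgress` and its helper names are hypothetical. It shows the naive check next to the hardened one, which calls Unmap() before classifying and therefore behaves the same on Go 1.21.9 and on the fixed 1.21.11/1.22.4 toolchains this PR moves to.

```go
package main

import (
	"fmt"
	"net/netip"
)

// internalByNaiveCheck classifies the address exactly as parsed. This is the
// pattern CVE-2024-24790 breaks: on Go before 1.21.11 / 1.22.4 the Is*
// methods return false for IPv4-mapped addresses such as ::ffff:10.0.0.1,
// so a deny-list of internal ranges lets the mapped form through.
func internalByNaiveCheck(a netip.Addr) bool {
	return a.IsLoopback() || a.IsPrivate() || a.IsLinkLocalUnicast() ||
		a.IsUnspecified() || a.IsMulticast()
}

// internalByHardenedCheck strips the ::ffff:0:0/96 prefix with Unmap first,
// so the address is classified by its IPv4 form. Unmap is a no-op for any
// other address, and the verdict is the same on fixed and unfixed Go.
func internalByHardenedCheck(a netip.Addr) bool {
	a = a.Unmap()
	return a.IsLoopback() || a.IsPrivate() || a.IsLinkLocalUnicast() ||
		a.IsUnspecified() || a.IsMulticast()
}

// compare parses host and returns both verdicts, so any gap between them
// is visible for the Go toolchain the binary was built with.
func compare(host string) (naive, hardened bool, err error) {
	a, err := netip.ParseAddr(host)
	if err != nil {
		return false, false, err
	}
	return internalByNaiveCheck(a), internalByHardenedCheck(a), nil
}

// allowEgress is the hypothetical SSRF guard: an outbound request is allowed
// only when the destination parses, carries no zone (fe80::1%eth0) and is
// not internal after Unmap. Unparsable input is an error, not a pass.
func allowEgress(host string) (bool, error) {
	a, err := netip.ParseAddr(host)
	if err != nil {
		return false, fmt.Errorf("reject %q: %w", host, err)
	}
	if a.Zone() != "" || internalByHardenedCheck(a) {
		return false, nil
	}
	return true, nil
}

func main() {
	// Constructed inputs: internal hosts in plain IPv4 form and in the
	// IPv4-mapped form a dual-stack listener or an attacker can produce.
	for _, h := range []string{
		"10.0.0.1", "::ffff:10.0.0.1",
		"169.254.169.254", "::ffff:169.254.169.254",
		"127.0.0.1", "::ffff:127.0.0.1",
		"93.184.216.34", "::ffff:93.184.216.34",
	} {
		naive, hardened, err := compare(h)
		if err != nil {
			fmt.Println(h, err)
			continue
		}
		ok, _ := allowEgress(h)
		fmt.Printf("%-26s naive=%-5v hardened=%-5v allow=%v\n", h, naive, hardened, ok)
	}
}
```

Built with Go 1.21.9 (the version Trivy reported in the 1.14.30 binaries) the naive column reads false for every ::ffff: row while the hardened column reads true; built with 1.21.11 or later the two columns agree. Keeping the Unmap() call is still the right default: it makes the guard independent of the toolchain and of how the peer address was presented.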

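The testing steps above apply a policy by hand: scan each image at HIGH/CRITICAL, treat any finding as blocking, and keep the two CVEs from the trivyignore in main out of the count. The gate below is an added example, not part of this PR or of the Gloo repository, that applies the same policy to Trivy's JSON output (`trivy image -f json ...`) so it can run in CI and still list what the ignore file suppressed. The two sample reports are constructed to match the gloo:1.14.30 and gloo:1.14.30-cve results shown above; the package name, versions and severity given for the ignored CVE-2024-26147 entry are placeholders, and the ignore-file parser only takes the first field of each line, so a trailing `exp:` expiry is not honoured.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"strings"
)

// The subset of Trivy's JSON report that the gate reads.
type report struct {
	ArtifactName string   `json:"ArtifactName"`
	Results      []result `json:"Results"`
}

type result struct {
	Target          string `json:"Target"`
	Vulnerabilities []vuln `json:"Vulnerabilities"`
}

type vuln struct {
	VulnerabilityID  string `json:"VulnerabilityID"`
	PkgName          string `json:"PkgName"`
	InstalledVersion string `json:"InstalledVersion"`
	FixedVersion     string `json:"FixedVersion"`
	Severity         string `json:"Severity"`
}

// finding is one vulnerability the gate took a decision on.
type finding struct {
	Target, ID, Pkg, Installed, Fixed, Severity string
}

// parseIgnoreFile reads .trivyignore contents: one CVE ID per line, '#'
// comments and blank lines skipped. Only the first field of a line is used
// (simplification: an "exp:YYYY-MM-DD" suffix is ignored, not enforced).
func parseIgnoreFile(contents string) map[string]bool {
	ignored := map[string]bool{}
	for _, line := range strings.Split(contents, "\n") {
		if i := strings.IndexByte(line, '#'); i >= 0 {
			line = line[:i]
		}
		if f := strings.Fields(line); len(f) > 0 {
			ignored[f[0]] = true
		}
	}
	return ignored
}

// evaluate splits the report's vulnerabilities at the requested severities
// into those that fail the gate and those suppressed by the ignore list, so
// suppressions stay visible in the job log instead of silently vanishing.
func evaluate(reportJSON []byte, ignored map[string]bool, failOn ...string) (fail, suppressed []finding, err error) {
	var r report
	if err := json.Unmarshal(reportJSON, &r); err != nil {
		return nil, nil, err
	}
	want := map[string]bool{}
	for _, s := range failOn {
		want[strings.ToUpper(s)] = true
	}
	for _, res := range r.Results {
		for _, v := range res.Vulnerabilities {
			if !want[strings.ToUpper(v.Severity)] {
				continue
			}
			f := finding{res.Target, v.VulnerabilityID, v.PkgName, v.InstalledVersion, v.FixedVersion, v.Severity}
			if ignored[v.VulnerabilityID] {
				suppressed = append(suppressed, f)
			} else {
				fail = append(fail, f)
			}
		}
	}
	return fail, suppressed, nil
}

// Constructed samples: the ignore list named in the PR, a report shaped like
// the gloo:1.14.30 scan (stdlib 1.21.9), and one after the Go bump. The
// CVE-2024-26147 entry's package, versions and severity are placeholders.
const sampleTrivyIgnore = "# carried over from main\nCVE-2024-26147\nCVE-2023-2253\n"

const sampleBefore = `{"ArtifactName": "quay.io/solo-io/gloo:1.14.30", "Results": [
  {"Target": "quay.io/solo-io/gloo:1.14.30 (alpine 3.17.5)"},
  {"Target": "usr/local/bin/gloo", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-2024-24790", "PkgName": "stdlib", "InstalledVersion": "1.21.9", "FixedVersion": "1.21.11, 1.22.4", "Severity": "CRITICAL"},
    {"VulnerabilityID": "CVE-2024-26147", "PkgName": "placeholder-dependency", "InstalledVersion": "0.0.0", "FixedVersion": "0.0.1", "Severity": "HIGH"}]}]}`

const sampleAfter = `{"ArtifactName": "quay.io/solo-io/gloo:1.14.30-cve", "Results": [
  {"Target": "quay.io/solo-io/gloo:1.14.30-cve (alpine 3.17.5)"},
  {"Target": "usr/local/bin/gloo", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-2024-26147", "PkgName": "placeholder-dependency", "InstalledVersion": "0.0.0", "FixedVersion": "0.0.1", "Severity": "HIGH"}]}]}`

func main() {
	ignored := parseIgnoreFile(sampleTrivyIgnore)
	exit := 0
	for _, sample := range []string{sampleBefore, sampleAfter} {
		fail, suppressed, err := evaluate([]byte(sample), ignored, "HIGH", "CRITICAL")
		if err != nil {
			fmt.Fprintln(os.Stderr, "bad report:", err)
			os.Exit(2)
		}
		for _, f := range suppressed {
			fmt.Printf("suppressed %s %s in %s\n", f.Severity, f.ID, f.Target)
		}
		for _, f := range fail {
			fmt.Printf("FAIL %s %s %s %s -> %s in %s\n", f.Severity, f.ID, f.Pkg, f.Installed, f.Fixed, f.Target)
			exit = 1
		}
	}
	os.Exit(exit)
}
```

Without a custom gate, `trivy image --severity HIGH,CRITICAL --exit-code 1 --ignorefile .trivyignore --show-suppressed IMAGE` gives the same pass/fail; parsing the JSON is worth it when the pipeline should also record which IDs were suppressed and confirm the ignore list still matches what the scanner reports, which is the point of the note about carrying the two CVEs over from main.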
@bewebi bewebi added the work in progress signals bulldozer to keep pr open (don't auto-merge) label Jun 26, 2024
@github-actions github-actions bot added the keep pr updated signals bulldozer to keep pr up to date with base branch label Jun 26, 2024
@solo-changelog-bot

Issues linked to changelog:
solo-io#9671

@bewebi bewebi removed the work in progress signals bulldozer to keep pr open (don't auto-merge) label Jun 26, 2024
@soloio-bulldozer soloio-bulldozer bot merged commit 443933d into v1.14.x Jun 28, 2024
15 checks passed
@soloio-bulldozer soloio-bulldozer bot deleted the cve-1.14.30-cve branch June 28, 2024 14:50
@bewebi bewebi mentioned this pull request Jun 28, 2024