
Image scanning has detected CRITICAL vulnerabilities #36

Open
GiuseppeChiesa-TomTom opened this issue Jun 15, 2023 · 3 comments
Labels
bug Something isn't working

@GiuseppeChiesa-TomTom

Summary

As part of our onboarding process we scan the images we consume for fixable critical vulnerabilities.
We detected that the latest version of argocd-extensions, v0.2.1, contains critical vulnerabilities.

Diagnostics

❯ docker run aquasec/trivy image --ignore-unfixed --exit-code 1 --severity CRITICAL ghcr.io/argoproj-labs/argocd-extensions:v0.2.1
2023-06-15T13:53:41.538Z        INFO    Need to update DB
2023-06-15T13:53:41.538Z        INFO    DB Repository: ghcr.io/aquasecurity/trivy-db
2023-06-15T13:53:41.538Z        INFO    Downloading DB...
2023-06-15T13:53:51.129Z        INFO    Vulnerability scanning is enabled
2023-06-15T13:53:51.129Z        INFO    Secret scanning is enabled
2023-06-15T13:53:51.129Z        INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-06-15T13:53:51.129Z        INFO    Please see also https://aquasecurity.github.io/trivy/v0.42/docs/secret/scanning/#recommendation for faster secret detection
2023-06-15T13:53:58.777Z        INFO    Detected OS: alpine
2023-06-15T13:53:58.777Z        INFO    Detecting Alpine vulnerabilities...
2023-06-15T13:53:58.779Z        INFO    Number of language-specific files: 1
2023-06-15T13:53:58.779Z        INFO    Detecting gobinary vulnerabilities...

ghcr.io/argoproj-labs/argocd-extensions:v0.2.1 (alpine 3.16.2)
==============================================================
Total: 7 (CRITICAL: 7)

┌────────────────────────┬────────────────┬──────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────────────┐
│        Library         │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                           Title                           │
├────────────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤
│ git                    │ CVE-2022-23521 │ CRITICAL │ 2.36.3-r0         │ 2.36.4-r0     │ git: gitattributes parsing integer overflow               │
│                        │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-23521                │
│                        ├────────────────┤          │                   │               ├───────────────────────────────────────────────────────────┤
│                        │ CVE-2022-41903 │          │                   │               │ git: Heap overflow in `git archive`, `git log --format`   │
│                        │                │          │                   │               │ leading to RCE...                                         │
│                        │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-41903                │
├────────────────────────┼────────────────┤          ├───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤
│ libcurl                │ CVE-2023-23914 │          │ 7.83.1-r4         │ 7.83.1-r6     │ HSTS ignored on multiple requests                         │
│                        │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-23914                │
│                        ├────────────────┤          │                   ├───────────────┼───────────────────────────────────────────────────────────┤
│                        │ CVE-2023-28322 │          │                   │ 8.1.0-r0      │ more POST-after-PUT confusion                             │
│                        │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-28322                │
├────────────────────────┼────────────────┤          ├───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤
│ openssh-client-common  │ CVE-2023-28531 │          │ 9.0_p1-r2         │ 9.0_p1-r3     │ openssh: smartcard keys to ssh-agent without the intended │
│                        │                │          │                   │               │ per-hop destination constraints.                          │
│                        │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2023-28531                │
├────────────────────────┤                │          │                   │               │                                                           │
│ openssh-client-default │                │          │                   │               │                                                           │
│                        │                │          │                   │               │                                                           │
│                        │                │          │                   │               │                                                           │
├────────────────────────┤                │          │                   │               │                                                           │
│ openssh-keygen         │                │          │                   │               │                                                           │
│                        │                │          │                   │               │                                                           │
│                        │                │          │                   │               │                                                           │
└────────────────────────┴────────────────┴──────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────────────┘

Message from the maintainers:

Impacted by this bug? Give it a 👍. We prioritise the issues with the most 👍.

@GiuseppeChiesa-TomTom GiuseppeChiesa-TomTom added the bug Something isn't working label Jun 15, 2023
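The scan above is gated on three Trivy switches: `--severity CRITICAL`, `--ignore-unfixed` (drop findings the distro has not shipped a fix for) and `--exit-code 1`. The following is an added example, not code from the issue or from the argocd-extensions project. It re-implements that policy over the report Trivy writes with `--format json` (field names `Results[].Vulnerabilities[].{VulnerabilityID,PkgName,InstalledVersion,FixedVersion,Severity}`), and adds what a maintainer wants to know next: per package, the version a rebuild must reach for the gate to pass. The sample report is constructed from the table in the issue plus one placeholder unfixed HIGH finding (not a real CVE); the apk version comparison is a simplification, as noted in the code.

```python
"""CI gate over a Trivy JSON report (added example, not argocd-extensions code).

Mirrors `trivy image --severity CRITICAL --ignore-unfixed --exit-code 1`
against a `--format json` report, then lists the package versions a
rebuild must pull from the Alpine repositories.
"""
import json
import re

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def _finding(vuln_id, pkg, installed, fixed, severity):
    return {"VulnerabilityID": vuln_id, "PkgName": pkg,
            "InstalledVersion": installed, "FixedVersion": fixed,
            "Severity": severity}


# Constructed sample report. The seven CRITICAL rows are the ones from the
# issue's table; the last entry is a placeholder (not a real CVE) with no
# fixed version, added only to show what --ignore-unfixed drops.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "ghcr.io/argoproj-labs/argocd-extensions:v0.2.1",
    "Results": [{
        "Target": "ghcr.io/argoproj-labs/argocd-extensions:v0.2.1 (alpine 3.16.2)",
        "Class": "os-pkgs",
        "Type": "alpine",
        "Vulnerabilities": [
            _finding("CVE-2022-23521", "git", "2.36.3-r0", "2.36.4-r0", "CRITICAL"),
            _finding("CVE-2022-41903", "git", "2.36.3-r0", "2.36.4-r0", "CRITICAL"),
            _finding("CVE-2023-23914", "libcurl", "7.83.1-r4", "7.83.1-r6", "CRITICAL"),
            _finding("CVE-2023-28322", "libcurl", "7.83.1-r4", "8.1.0-r0", "CRITICAL"),
            _finding("CVE-2023-28531", "openssh-client-common", "9.0_p1-r2", "9.0_p1-r3", "CRITICAL"),
            _finding("CVE-2023-28531", "openssh-client-default", "9.0_p1-r2", "9.0_p1-r3", "CRITICAL"),
            _finding("CVE-2023-28531", "openssh-keygen", "9.0_p1-r2", "9.0_p1-r3", "CRITICAL"),
            # Placeholder ID, constructed for the example: no fix available yet.
            _finding("EXAMPLE-UNFIXED-0001", "example-pkg", "1.0-r0", "", "HIGH"),
        ],
    }],
})


def apk_version_key(version):
    """Sortable key for apk-style versions such as '9.0_p1-r3'.

    Simplification (assumption): numeric runs compare as integers and letter
    runs as strings, left to right. That is enough for the versions in this
    report but it is not apk's full ordering (_rc, _p and friends are special).
    """
    return tuple((0, int(tok)) if tok.isdigit() else (1, tok)
                 for tok in re.findall(r"\d+|[A-Za-z]+", version))


def fixable_findings(report_json, min_severity="CRITICAL", ignore_unfixed=True):
    """Findings at or above min_severity; with ignore_unfixed, only those
    that carry a FixedVersion (the --ignore-unfixed behaviour)."""
    report = json.loads(report_json)
    threshold = SEVERITY_RANK[min_severity]
    hits = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            if SEVERITY_RANK.get(vuln.get("Severity", "UNKNOWN"), 0) < threshold:
                continue
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            hits.append(vuln)
    return hits


def required_versions(findings):
    """Per package, the highest FixedVersion among the findings.

    Several CVEs in one package can be fixed at different versions (libcurl
    above: 7.83.1-r6 and 8.1.0-r0); a rebuild has to reach the highest one.
    """
    required = {}
    for vuln in findings:
        pkg, fixed = vuln["PkgName"], vuln["FixedVersion"]
        if pkg not in required or apk_version_key(fixed) > apk_version_key(required[pkg]):
            required[pkg] = fixed
    return required


def gate(report_json, min_severity="CRITICAL"):
    """Return (exit_code, plan): exit 1 plus the per-package rebuild targets
    while fixable findings remain, exit 0 with an empty plan otherwise."""
    findings = fixable_findings(report_json, min_severity)
    plan = required_versions(findings)
    return (1 if findings else 0), plan


if __name__ == "__main__":
    code, plan = gate(SAMPLE_REPORT)
    for pkg, version in sorted(plan.items()):
        print(f"{pkg}: rebuild must reach {version}")
    raise SystemExit(code)
```

Against a real image, produce the input with `trivy image --format json -o report.json <image>` and pass the file contents to `gate()`. A non-empty plan whose versions are already published in the Alpine repositories is exactly the situation the thread describes: no code change is needed, only a fresh build that picks up the fixed packages.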
@jcogilvie

This repo is built on alpine:latest. I just built locally and the scan passed. It seems like the only thing we need is a new build of the same code.

@zachaller can we get a rebuild released?

@fletch3555

> This repo is built on alpine:latest. I just built locally and the scan passed. It seems like the only thing we need is a new build of the same code.
>
> @zachaller can we get a rebuild released?

Just bumping this as it's been 7 weeks since the request, and nearly 5 months since the original report. I'm running into the same issue now and it's blocking progress. If there's anything I can do to help, please let me know.

@fletch3555

Welp, answer provided! https://github.com/argoproj-labs/argocd-extensions/blob/main/README.md#deprecation-notice

Good news is that the switch was incredibly easy.
