
Keda 2.13.1 Sysdig scan Vulnerabilities CVE-2024-27304 CVE-2024-24786 CVE-2024-28110 CVE-2024-28180 #5660

Closed
Tracked by #5671
amardeep2006 opened this issue Apr 3, 2024 · 6 comments
Labels
bug Something isn't working

Comments

@amardeep2006

Report

I scanned KEDA v2.13.1 and see the following in the report.

CVE-2024-27304 in github.com/jackc/pgx/v5 - v5.5.2
CVE-2024-24786 in google.golang.org/protobuf - v1.32.0
CVE-2024-28110 in github.com/cloudevents/sdk-go/v2 - v2.14.0
CVE-2024-28180 in github.com/go-jose/go-jose/v3 - v3.0.1


Expected Behavior

There should be no vulnerabilities if the affected packages are bumped.

Actual Behavior

Sysdig scan fails.

Steps to Reproduce the Problem

Standard scan

Logs from KEDA operator

example

KEDA Version

2.13.1

Kubernetes Version

None

Platform

None

Scaler Details

No response

Anything else?

No response

@amardeep2006 amardeep2006 added the bug Something isn't working label Apr 3, 2024
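The check a reviewer would run after the dependency bumps, as an added example that is not KEDA's code and not part of this issue: parse the text that `go version -m <binary>` prints for the operator or metrics-apiserver binary and report which of the exact (module, version) pairs listed in the report above are still linked into it. `ReportedFindings` holds the four pairs from the issue body; `sampleBuildInfo` is constructed for the example and is not real KEDA output, and the `v3.0.3` replace line in it is only a constructed "later version", not a claim about which go-jose release fixes the advisory. The example deliberately matches the flagged version exactly, because the thread does not state fixed versions; a fixed-version comparison against the Go vulnerability database is what `govulncheck` does.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Finding is one (advisory, module, version) triple as a scanner reports it.
type Finding struct {
	ID      string
	Module  string
	Version string
}

// ReportedFindings are the four hits from the Sysdig report on KEDA v2.13.1,
// copied from the issue body.
var ReportedFindings = []Finding{
	{"CVE-2024-27304", "github.com/jackc/pgx/v5", "v5.5.2"},
	{"CVE-2024-24786", "google.golang.org/protobuf", "v1.32.0"},
	{"CVE-2024-28110", "github.com/cloudevents/sdk-go/v2", "v2.14.0"},
	{"CVE-2024-28180", "github.com/go-jose/go-jose/v3", "v3.0.1"},
}

// ParseBuildInfo parses the text printed by `go version -m <binary>` and
// returns module path -> version for every dependency linked into the binary.
// A "=>" line directly after a "dep" line is a replace directive; its version
// is the one the linker actually used, so it overrides the dep line.
func ParseBuildInfo(out string) map[string]string {
	mods := make(map[string]string)
	lastDep := ""
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 3 {
			continue // header line ("keda: go1.x") or blank
		}
		switch f[0] {
		case "dep":
			mods[f[1]] = f[2]
			lastDep = f[1]
		case "=>":
			if lastDep != "" {
				mods[lastDep] = f[2]
			}
		default: // path, mod, build lines end any pending dep/replace pair
			lastDep = ""
		}
	}
	return mods
}

// StillPresent returns the findings whose exact (module, version) pair is
// still linked into the binary. Exact match is used on purpose: the report
// only tells us which versions were flagged, not which versions are fixed,
// so this confirms the flagged builds are gone and nothing more.
func StillPresent(mods map[string]string, findings []Finding) []Finding {
	var hits []Finding
	for _, fd := range findings {
		if v, ok := mods[fd.Module]; ok && v == fd.Version {
			hits = append(hits, fd)
		}
	}
	return hits
}

// sampleBuildInfo is constructed for this example (not real KEDA output).
// It mimics `go version -m keda` for a build where go-jose was replaced by a
// later version while the other three modules are still at the flagged ones.
const sampleBuildInfo = `keda: go1.21.8
	path	github.com/kedacore/keda/v2/cmd/operator
	mod	github.com/kedacore/keda/v2	(devel)
	dep	github.com/cloudevents/sdk-go/v2	v2.14.0	h1:constructed
	dep	github.com/go-jose/go-jose/v3	v3.0.1	h1:constructed
	=>	github.com/go-jose/go-jose/v3	v3.0.3	h1:constructed
	dep	github.com/jackc/pgx/v5	v5.5.2	h1:constructed
	dep	google.golang.org/protobuf	v1.32.0	h1:constructed
	build	-buildmode=exe
`

func main() {
	mods := ParseBuildInfo(sampleBuildInfo)
	hits := StillPresent(mods, ReportedFindings)
	for _, h := range hits {
		fmt.Printf("%s still present: %s %s\n", h.ID, h.Module, h.Version)
	}
	if len(hits) == 0 {
		fmt.Println("none of the flagged module versions are linked in")
	}
}
```

To use it against a real image, run `go version -m` on the extracted operator or metrics-apiserver binary and pass that text to `ParseBuildInfo` in place of `sampleBuildInfo`; a non-empty result from `StillPresent` means the scanner will keep flagging that binary regardless of what `go.mod` says, since the replace/dep lines reflect what was actually linked.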
@JorTurFer
Member

Hello @amardeep2006 ,
Thanks for reporting! We don't have plans for any hotfix release for v2.13, as v2.14 will be released this month. Some of the issues are already solved in main (such as this), but it'd be nice if you could test the main tag to double-check whether they are still present in that version.

@amardeep2006
Author

Thanks @JorTurFer. I did a rescan of the main tag and CVE-2024-28180 in github.com/go-jose/go-jose/v3 - v3.0.1 is fixed.

Here are the vulnerabilities that still need to be looked into:

GHSA-mrww-27vc-gghv in github.com/jackc/pgx/v5 - v5.5.2
GHSA-8r3f-844c-mc37 in google.golang.org/protobuf - v1.32.0
GHSA-5pf6-2qwx-pxm2 in github.com/cloudevents/sdk-go/v2 - v2.14.0


@amardeep2006
Author

keda-metrics-apiserver also needs some dependency bumps.

GHSA-mrww-27vc-gghv in github.com/jackc/pgx/v5 - v5.5.2
GHSA-8r3f-844c-mc37 in google.golang.org/protobuf - v1.32.0


@zroubalik
Member

Thanks for reporting, let's mitigate these in 2.14

@JorTurFer JorTurFer mentioned this issue Apr 9, 2024
@amardeep2006
Author

I am closing this issue as KEDA 2.14.0 has passed the scan. I highly appreciate the remediation. Thanks a lot for the awesome project.

@JorTurFer
Member

> I am closing this issue as KEDA 2.14.0 has passed the scan. I highly appreciate the remediation. Thanks a lot for the awesome project.

Thank you for checking it and reporting the feedback too! ❤️
