
V1.14.x CVE 2023 45288 #9451

Merged
merged 5 commits into v1.14.x from v1.14.x-CVE-2023-45288
May 9, 2024

Conversation

@sheidkamp (Contributor) commented May 6, 2024

Description

Updated bitnami/kubectl in the kubectl Dockerfile from 1.25.15 to 1.27.13 to address CVE-2023-45288. This jump in minor versions was necessary to use images that no longer have CVEs. Kubectl is backwards-compatible for 2 versions, so this should be compatible.

Updated the CloudBuilder version from 0.7.1 to 0.7.6. This version is already in use in the EE 1.13 branch and is added here.

"Urgent" changelogs:

CVE-2024-26147 has been added to the .trivyignore file. It is being ignored in later versions but had not yet surfaced in this one.

Context

Addressing a CVE

Testing steps

These local scans do not seem to respect the trivyignore file, which was updated to include CVE-2024-26147 and should be ignored. That CVE is present in the current image and the local build, but does not appear in the images built through CI.

Existing versions:

for service in gloo gloo-envoy-wrapper discovery ingress sds certgen access-logger kubectl; do trivy image --severity HIGH,CRITICAL "quay.io/solo-io/${service}:1.14.29"; done
Results:
2024-05-08T12:01:24-04:00	INFO	Vulnerability scanning is enabled
2024-05-08T12:01:24-04:00	INFO	Secret scanning is enabled
2024-05-08T12:01:24-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-08T12:01:24-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-08T12:01:25-04:00	INFO	Detected OS	family="alpine" version="3.17.5"
2024-05-08T12:01:25-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=20
2024-05-08T12:01:25-04:00	INFO	Number of language-specific files	num=1
2024-05-08T12:01:25-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/gloo:1.14.29 (alpine 3.17.5)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-05-08T12:01:25-04:00	INFO	Some vulnerabilities have been ignored/suppressed. Use the "--show-suppressed" flag to display them.

usr/local/bin/gloo (gobinary)

Total: 1 (HIGH: 1, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                       Title                        │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2023-45288 │ HIGH     │ fixed  │ 1.21.5            │ 1.21.9, 1.22.2 │ golang: net/http, x/net/http2: unlimited number of │
│         │                │          │        │                   │                │ CONTINUATION frames causes DoS                     │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-45288         │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴────────────────────────────────────────────────────┘
2024-05-08T12:01:26-04:00	INFO	Vulnerability scanning is enabled
2024-05-08T12:01:26-04:00	INFO	Secret scanning is enabled
2024-05-08T12:01:26-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-08T12:01:26-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-08T12:01:27-04:00	INFO	Detected OS	family="alpine" version="3.17.5"
2024-05-08T12:01:27-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=20
2024-05-08T12:01:27-04:00	INFO	Number of language-specific files	num=1
2024-05-08T12:01:27-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/gloo-envoy-wrapper:1.14.29 (alpine 3.17.5)

Total: 0 (HIGH: 0, CRITICAL: 0)


usr/local/bin/envoyinit (gobinary)

Total: 1 (HIGH: 1, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                       Title                        │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2023-45288 │ HIGH     │ fixed  │ 1.21.5            │ 1.21.9, 1.22.2 │ golang: net/http, x/net/http2: unlimited number of │
│         │                │          │        │                   │                │ CONTINUATION frames causes DoS                     │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-45288         │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴────────────────────────────────────────────────────┘
2024-05-08T12:01:27-04:00	INFO	Vulnerability scanning is enabled
2024-05-08T12:01:27-04:00	INFO	Secret scanning is enabled
2024-05-08T12:01:27-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-08T12:01:27-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-08T12:01:28-04:00	INFO	Detected OS	family="alpine" version="3.17.6"
2024-05-08T12:01:28-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=16
2024-05-08T12:01:28-04:00	INFO	Number of language-specific files	num=1
2024-05-08T12:01:28-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/discovery:1.14.29 (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-05-08T12:01:28-04:00	INFO	Some vulnerabilities have been ignored/suppressed. Use the "--show-suppressed" flag to display them.

usr/local/bin/discovery (gobinary)

Total: 1 (HIGH: 1, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                       Title                        │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2023-45288 │ HIGH     │ fixed  │ 1.21.5            │ 1.21.9, 1.22.2 │ golang: net/http, x/net/http2: unlimited number of │
│         │                │          │        │                   │                │ CONTINUATION frames causes DoS                     │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-45288         │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴────────────────────────────────────────────────────┘
2024-05-08T12:01:28-04:00	INFO	Vulnerability scanning is enabled
2024-05-08T12:01:28-04:00	INFO	Secret scanning is enabled
2024-05-08T12:01:28-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-08T12:01:28-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-08T12:01:31-04:00	INFO	Detected OS	family="alpine" version="3.17.6"
2024-05-08T12:01:31-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=15
2024-05-08T12:01:31-04:00	INFO	Number of language-specific files	num=1
2024-05-08T12:01:31-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/ingress:1.14.29 (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-05-08T12:01:31-04:00	INFO	Some vulnerabilities have been ignored/suppressed. Use the "--show-suppressed" flag to display them.

usr/local/bin/ingress (gobinary)

Total: 1 (HIGH: 1, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                       Title                        │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2023-45288 │ HIGH     │ fixed  │ 1.21.5            │ 1.21.9, 1.22.2 │ golang: net/http, x/net/http2: unlimited number of │
│         │                │          │        │                   │                │ CONTINUATION frames causes DoS                     │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-45288         │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴────────────────────────────────────────────────────┘
2024-05-08T12:01:31-04:00	INFO	Vulnerability scanning is enabled
2024-05-08T12:01:31-04:00	INFO	Secret scanning is enabled
2024-05-08T12:01:31-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-08T12:01:31-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-08T12:01:32-04:00	INFO	Detected OS	family="alpine" version="3.17.6"
2024-05-08T12:01:32-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=15
2024-05-08T12:01:32-04:00	INFO	Number of language-specific files	num=1
2024-05-08T12:01:32-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/sds:1.14.29 (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-05-08T12:01:32-04:00	INFO	Some vulnerabilities have been ignored/suppressed. Use the "--show-suppressed" flag to display them.

usr/local/bin/sds (gobinary)

Total: 1 (HIGH: 1, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                       Title                        │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2023-45288 │ HIGH     │ fixed  │ 1.21.5            │ 1.21.9, 1.22.2 │ golang: net/http, x/net/http2: unlimited number of │
│         │                │          │        │                   │                │ CONTINUATION frames causes DoS                     │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-45288         │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴────────────────────────────────────────────────────┘
2024-05-08T12:01:33-04:00	INFO	Vulnerability scanning is enabled
2024-05-08T12:01:33-04:00	INFO	Secret scanning is enabled
2024-05-08T12:01:33-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-08T12:01:33-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-08T12:01:34-04:00	INFO	Detected OS	family="alpine" version="3.17.6"
2024-05-08T12:01:34-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=16
2024-05-08T12:01:34-04:00	INFO	Number of language-specific files	num=1
2024-05-08T12:01:34-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/certgen:1.14.29 (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)


usr/local/bin/certgen (gobinary)

Total: 1 (HIGH: 1, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                       Title                        │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2023-45288 │ HIGH     │ fixed  │ 1.21.5            │ 1.21.9, 1.22.2 │ golang: net/http, x/net/http2: unlimited number of │
│         │                │          │        │                   │                │ CONTINUATION frames causes DoS                     │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-45288         │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴────────────────────────────────────────────────────┘
2024-05-08T12:01:34-04:00	INFO	Vulnerability scanning is enabled
2024-05-08T12:01:34-04:00	INFO	Secret scanning is enabled
2024-05-08T12:01:34-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-08T12:01:34-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-08T12:01:35-04:00	INFO	Detected OS	family="alpine" version="3.17.6"
2024-05-08T12:01:35-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=16
2024-05-08T12:01:35-04:00	INFO	Number of language-specific files	num=1
2024-05-08T12:01:35-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/access-logger:1.14.29 (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)


usr/local/bin/access-logger (gobinary)

Total: 1 (HIGH: 1, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                       Title                        │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2023-45288 │ HIGH     │ fixed  │ 1.21.5            │ 1.21.9, 1.22.2 │ golang: net/http, x/net/http2: unlimited number of │
│         │                │          │        │                   │                │ CONTINUATION frames causes DoS                     │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2023-45288         │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴────────────────────────────────────────────────────┘
2024-05-08T12:01:35-04:00	INFO	Vulnerability scanning is enabled
2024-05-08T12:01:35-04:00	INFO	Secret scanning is enabled
2024-05-08T12:01:35-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-08T12:01:35-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-08T12:01:36-04:00	INFO	Detected OS	family="alpine" version="3.17.6"
2024-05-08T12:01:36-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=15
2024-05-08T12:01:36-04:00	INFO	Number of language-specific files	num=1
2024-05-08T12:01:36-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/kubectl:1.14.29 (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-05-08T12:01:36-04:00	INFO	Some vulnerabilities have been ignored/suppressed. Use the "--show-suppressed" flag to display them.

usr/local/bin/kubectl (gobinary)

Total: 3 (HIGH: 3, CRITICAL: 0)

┌───────────────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────────┬───────────────────────────────────────────────────────────┐
│      Library      │ Vulnerability  │ Severity │ Status │ Installed Version │          Fixed Version           │                           Title                           │
├───────────────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────────┼───────────────────────────────────────────────────────────┤
│ k8s.io/kubernetes │ CVE-2023-5528  │ HIGH     │ fixed  │ v1.25.15          │ 1.28.4, 1.27.8, 1.26.11, 1.25.16 │ kubernetes: Insufficient input sanitization in in-tree    │
│                   │                │          │        │                   │                                  │ storage plugin leads to privilege escalation...           │
│                   │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-5528                 │
├───────────────────┼────────────────┤          │        ├───────────────────┼──────────────────────────────────┼───────────────────────────────────────────────────────────┤
│ stdlib            │ CVE-2023-45283 │          │        │ 1.20.10           │ 1.20.11, 1.21.4, 1.20.12, 1.21.5 │ The filepath package does not recognize paths with a \??\ │
│                   │                │          │        │                   │                                  │ prefix as...                                              │
│                   │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-45283                │
│                   ├────────────────┤          │        │                   ├──────────────────────────────────┼───────────────────────────────────────────────────────────┤
│                   │ CVE-2023-45288 │          │        │                   │ 1.21.9, 1.22.2                   │ golang: net/http, x/net/http2: unlimited number of        │
│                   │                │          │        │                   │                                  │ CONTINUATION frames causes DoS                            │
│                   │                │          │        │                   │                                  │ https://avd.aquasec.com/nvd/cve-2023-45288                │
└───────────────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────────┴───────────────────────────────────────────────────────────┘

New versions (local)

VERSION=1.14.29-cve make docker -B
for service in gloo gloo-envoy-wrapper discovery ingress sds certgen access-logger kubectl; do trivy image --severity HIGH,CRITICAL "quay.io/solo-io/${service}:1.14.29-cve"; done
Results of scan
View build details: docker-desktop://dashboard/build/desktop-linux/desktop-linux/xwa8hg1zqzpbnbk2169cht9uw
touch docker-local
2024-05-08T12:03:31-04:00	INFO	Vulnerability scanning is enabled
2024-05-08T12:03:31-04:00	INFO	Secret scanning is enabled
2024-05-08T12:03:31-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-08T12:03:31-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-08T12:03:31-04:00	INFO	Detected OS	family="alpine" version="3.17.5"
2024-05-08T12:03:31-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=20
2024-05-08T12:03:31-04:00	INFO	Number of language-specific files	num=1
2024-05-08T12:03:31-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/gloo:1.14.29-cve (alpine 3.17.5)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-05-08T12:03:31-04:00	INFO	Some vulnerabilities have been ignored/suppressed. Use the "--show-suppressed" flag to display them.

usr/local/bin/gloo (gobinary)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-05-08T12:03:32-04:00	INFO	Vulnerability scanning is enabled
2024-05-08T12:03:32-04:00	INFO	Secret scanning is enabled
2024-05-08T12:03:32-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-08T12:03:32-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-08T12:03:32-04:00	INFO	Detected OS	family="alpine" version="3.17.5"
2024-05-08T12:03:32-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=20
2024-05-08T12:03:32-04:00	INFO	Number of language-specific files	num=1
2024-05-08T12:03:32-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/gloo-envoy-wrapper:1.14.29-cve (alpine 3.17.5)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-05-08T12:03:32-04:00	INFO	Vulnerability scanning is enabled
2024-05-08T12:03:32-04:00	INFO	Secret scanning is enabled
2024-05-08T12:03:32-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-08T12:03:32-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-08T12:03:32-04:00	INFO	Detected OS	family="alpine" version="3.17.6"
2024-05-08T12:03:32-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=16
2024-05-08T12:03:32-04:00	INFO	Number of language-specific files	num=1
2024-05-08T12:03:32-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/discovery:1.14.29-cve (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-05-08T12:03:32-04:00	INFO	Some vulnerabilities have been ignored/suppressed. Use the "--show-suppressed" flag to display them.

usr/local/bin/discovery (gobinary)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-05-08T12:03:32-04:00	INFO	Vulnerability scanning is enabled
2024-05-08T12:03:32-04:00	INFO	Secret scanning is enabled
2024-05-08T12:03:32-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-08T12:03:32-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-08T12:03:32-04:00	INFO	Detected OS	family="alpine" version="3.17.6"
2024-05-08T12:03:32-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=15
2024-05-08T12:03:32-04:00	INFO	Number of language-specific files	num=1
2024-05-08T12:03:32-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/ingress:1.14.29-cve (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-05-08T12:03:32-04:00	INFO	Some vulnerabilities have been ignored/suppressed. Use the "--show-suppressed" flag to display them.

usr/local/bin/ingress (gobinary)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-05-08T12:03:33-04:00	INFO	Vulnerability scanning is enabled
2024-05-08T12:03:33-04:00	INFO	Secret scanning is enabled
2024-05-08T12:03:33-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-08T12:03:33-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-08T12:03:33-04:00	INFO	Detected OS	family="alpine" version="3.17.6"
2024-05-08T12:03:33-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=15
2024-05-08T12:03:33-04:00	INFO	Number of language-specific files	num=1
2024-05-08T12:03:33-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/sds:1.14.29-cve (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-05-08T12:03:33-04:00	INFO	Some vulnerabilities have been ignored/suppressed. Use the "--show-suppressed" flag to display them.

usr/local/bin/sds (gobinary)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-05-08T12:03:33-04:00	INFO	Vulnerability scanning is enabled
2024-05-08T12:03:33-04:00	INFO	Secret scanning is enabled
2024-05-08T12:03:33-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-08T12:03:33-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-08T12:03:33-04:00	INFO	Detected OS	family="alpine" version="3.17.6"
2024-05-08T12:03:33-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=16
2024-05-08T12:03:33-04:00	INFO	Number of language-specific files	num=1
2024-05-08T12:03:33-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/certgen:1.14.29-cve (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-05-08T12:03:33-04:00	INFO	Vulnerability scanning is enabled
2024-05-08T12:03:33-04:00	INFO	Secret scanning is enabled
2024-05-08T12:03:33-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-08T12:03:33-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-08T12:03:33-04:00	INFO	Detected OS	family="alpine" version="3.17.6"
2024-05-08T12:03:33-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=16
2024-05-08T12:03:33-04:00	INFO	Number of language-specific files	num=1
2024-05-08T12:03:33-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/access-logger:1.14.29-cve (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-05-08T12:03:34-04:00	INFO	Vulnerability scanning is enabled
2024-05-08T12:03:34-04:00	INFO	Secret scanning is enabled
2024-05-08T12:03:34-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-08T12:03:34-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-08T12:03:34-04:00	INFO	Detected OS	family="alpine" version="3.17.6"
2024-05-08T12:03:34-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=15
2024-05-08T12:03:34-04:00	INFO	Number of language-specific files	num=1
2024-05-08T12:03:34-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/kubectl:1.14.29-cve (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-05-08T12:03:34-04:00	INFO	Some vulnerabilities have been ignored/suppressed. Use the "--show-suppressed" flag to display them.

usr/local/bin/kubectl (gobinary)

Total: 0 (HIGH: 0, CRITICAL: 0)

Scan images built for this PR

for service in gloo gloo-envoy-wrapper discovery ingress sds certgen access-logger kubectl; do trivy image --severity HIGH,CRITICAL "quay.io/solo-io/${service}:1.14.29-9451"; done
Results of scan
2024-05-08T12:04:40-04:00	INFO	Vulnerability scanning is enabled
2024-05-08T12:04:40-04:00	INFO	Secret scanning is enabled
2024-05-08T12:04:40-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-08T12:04:40-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-08T12:04:41-04:00	INFO	Detected OS	family="alpine" version="3.17.5"
2024-05-08T12:04:41-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=20
2024-05-08T12:04:41-04:00	INFO	Number of language-specific files	num=1
2024-05-08T12:04:41-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/gloo:1.14.29-9451 (alpine 3.17.5)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-05-08T12:04:41-04:00	INFO	Some vulnerabilities have been ignored/suppressed. Use the "--show-suppressed" flag to display them.

usr/local/bin/gloo (gobinary)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-05-08T12:04:41-04:00	INFO	Vulnerability scanning is enabled
2024-05-08T12:04:41-04:00	INFO	Secret scanning is enabled
2024-05-08T12:04:41-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-08T12:04:41-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-08T12:04:42-04:00	INFO	Detected OS	family="alpine" version="3.17.5"
2024-05-08T12:04:42-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=20
2024-05-08T12:04:42-04:00	INFO	Number of language-specific files	num=1
2024-05-08T12:04:42-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/gloo-envoy-wrapper:1.14.29-9451 (alpine 3.17.5)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-05-08T12:04:42-04:00	INFO	Vulnerability scanning is enabled
2024-05-08T12:04:42-04:00	INFO	Secret scanning is enabled
2024-05-08T12:04:42-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-08T12:04:42-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-08T12:04:43-04:00	INFO	Detected OS	family="alpine" version="3.17.6"
2024-05-08T12:04:43-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=16
2024-05-08T12:04:43-04:00	INFO	Number of language-specific files	num=1
2024-05-08T12:04:43-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/discovery:1.14.29-9451 (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-05-08T12:04:43-04:00	INFO	Some vulnerabilities have been ignored/suppressed. Use the "--show-suppressed" flag to display them.

usr/local/bin/discovery (gobinary)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-05-08T12:04:44-04:00	INFO	Vulnerability scanning is enabled
2024-05-08T12:04:44-04:00	INFO	Secret scanning is enabled
2024-05-08T12:04:44-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-08T12:04:44-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-08T12:04:45-04:00	INFO	Detected OS	family="alpine" version="3.17.6"
2024-05-08T12:04:45-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=15
2024-05-08T12:04:45-04:00	INFO	Number of language-specific files	num=1
2024-05-08T12:04:45-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/ingress:1.14.29-9451 (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-05-08T12:04:45-04:00	INFO	Some vulnerabilities have been ignored/suppressed. Use the "--show-suppressed" flag to display them.

usr/local/bin/ingress (gobinary)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-05-08T12:04:45-04:00	INFO	Vulnerability scanning is enabled
2024-05-08T12:04:45-04:00	INFO	Secret scanning is enabled
2024-05-08T12:04:45-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-08T12:04:45-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-08T12:04:46-04:00	INFO	Detected OS	family="alpine" version="3.17.6"
2024-05-08T12:04:46-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=15
2024-05-08T12:04:46-04:00	INFO	Number of language-specific files	num=1
2024-05-08T12:04:46-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/sds:1.14.29-9451 (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-05-08T12:04:46-04:00	INFO	Some vulnerabilities have been ignored/suppressed. Use the "--show-suppressed" flag to display them.

usr/local/bin/sds (gobinary)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-05-08T12:04:46-04:00	INFO	Vulnerability scanning is enabled
2024-05-08T12:04:46-04:00	INFO	Secret scanning is enabled
2024-05-08T12:04:46-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-08T12:04:46-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-08T12:04:47-04:00	INFO	Detected OS	family="alpine" version="3.17.6"
2024-05-08T12:04:47-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=16
2024-05-08T12:04:47-04:00	INFO	Number of language-specific files	num=1
2024-05-08T12:04:47-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/certgen:1.14.29-9451 (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-05-08T12:04:48-04:00	INFO	Vulnerability scanning is enabled
2024-05-08T12:04:48-04:00	INFO	Secret scanning is enabled
2024-05-08T12:04:48-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-08T12:04:48-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-08T12:04:48-04:00	INFO	Detected OS	family="alpine" version="3.17.6"
2024-05-08T12:04:48-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=16
2024-05-08T12:04:48-04:00	INFO	Number of language-specific files	num=1
2024-05-08T12:04:48-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/access-logger:1.14.29-9451 (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-05-08T12:04:49-04:00	INFO	Vulnerability scanning is enabled
2024-05-08T12:04:49-04:00	INFO	Secret scanning is enabled
2024-05-08T12:04:49-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-08T12:04:49-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-08T12:04:49-04:00	INFO	Detected OS	family="alpine" version="3.17.6"
2024-05-08T12:04:49-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=15
2024-05-08T12:04:49-04:00	INFO	Number of language-specific files	num=1
2024-05-08T12:04:49-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/kubectl:1.14.29-9451 (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-05-08T12:04:49-04:00	INFO	Some vulnerabilities have been ignored/suppressed. Use the "--show-suppressed" flag to display them.

usr/local/bin/kubectl (gobinary)

Total: 0 (HIGH: 0, CRITICAL: 0)

BOT NOTES:
resolves #9442
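
The before/after comparison that the testing steps above perform by eye (scan the 1.14.29 tags, then the 1.14.29-cve and 1.14.29-9451 builds, and confirm the HIGH/CRITICAL findings are gone) can be made mechanical. The following is an added example, not code from this PR or from the Gloo project: a small Python script that reads two trivy JSON reports (the shape produced by `trivy image -f json`), applies a .trivyignore file, and reports what the bump fixed, what newly appeared, what the ignore file suppressed, and what would still block. The two reports embedded here are constructed to mirror the kubectl tables above; the package carrying CVE-2024-26147 is a placeholder because the PR does not name it, and the .trivyignore content is likewise constructed.

```python
"""Compare two trivy JSON reports and apply a .trivyignore to the new one.

Added example; the reports and the ignore file below are constructed sample
data modeled on trivy's `trivy image -f json` output and its .trivyignore format.
"""
import json

SEVERITIES = ("HIGH", "CRITICAL")   # same gate as `--severity HIGH,CRITICAL`

# Constructed .trivyignore: one vulnerability ID per line, '#' starts a comment.
TRIVYIGNORE = """\
# suppressed on this branch (constructed sample)
CVE-2024-26147
"""


def _vuln(vid, pkg, installed, fixed, severity="HIGH"):
    """One entry in a trivy Result's Vulnerabilities list."""
    return {"VulnerabilityID": vid, "PkgName": pkg, "InstalledVersion": installed,
            "FixedVersion": fixed, "Severity": severity}


def _report(artifact, os_vulns, go_target, go_vulns):
    """Constructed report with an OS-package result and a gobinary result."""
    return {
        "SchemaVersion": 2,
        "ArtifactName": artifact,
        "Results": [
            {"Target": f"{artifact} (alpine 3.17.6)", "Class": "os-pkgs",
             "Type": "alpine", "Vulnerabilities": os_vulns},
            {"Target": go_target, "Class": "lang-pkgs",
             "Type": "gobinary", "Vulnerabilities": go_vulns},
        ],
    }


# Mirrors the kubectl:1.14.29 table in the PR description.
OLD_REPORT = _report("quay.io/solo-io/kubectl:1.14.29", [], "usr/local/bin/kubectl", [
    _vuln("CVE-2023-5528", "k8s.io/kubernetes", "v1.25.15", "1.28.4, 1.27.8, 1.26.11, 1.25.16"),
    _vuln("CVE-2023-45283", "stdlib", "1.20.10", "1.20.11, 1.21.4, 1.20.12, 1.21.5"),
    _vuln("CVE-2023-45288", "stdlib", "1.20.10", "1.21.9, 1.22.2"),
])

# Constructed: the bumped image with only the CVE the PR adds to .trivyignore.
# PLACEHOLDER-pkg stands in for the component, which the PR does not name.
NEW_REPORT = _report("quay.io/solo-io/kubectl:1.14.29-cve", [], "usr/local/bin/kubectl", [
    _vuln("CVE-2024-26147", "PLACEHOLDER-pkg", "0.0.0", ""),
])


def load_ignore(text):
    """Parse .trivyignore text into a set of IDs.

    The first token of each non-comment line is the ID; trailing fields such
    as an expiry date are accepted but not evaluated in this simplified parser.
    """
    ids = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            ids.add(line.split()[0])
    return ids


def findings(report, severities=SEVERITIES):
    """Return {(target, package, vuln_id)} at the requested severities.

    Results without vulnerabilities may omit the key, so .get() is used.
    """
    found = set()
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            if v.get("Severity") in severities:
                found.add((result["Target"], v["PkgName"], v["VulnerabilityID"]))
    return found


def apply_ignore(found, ignored):
    """Drop findings whose ID is listed in the ignore file."""
    return {f for f in found if f[2] not in ignored}


def compare(old_report, new_report, ignore_text=""):
    """Summarise what a version bump changed, before and after suppression."""
    ignored = load_ignore(ignore_text)
    old_ids = {f[2] for f in findings(old_report)}
    new = findings(new_report)
    new_ids = {f[2] for f in new}
    return {
        "fixed": sorted(old_ids - new_ids),
        "introduced": sorted(new_ids - old_ids),
        "suppressed": sorted(new_ids & ignored),
        "remaining": sorted(f[2] for f in apply_ignore(new, ignored)),
    }


def gate(new_report, ignore_text=""):
    """True when nothing HIGH/CRITICAL remains after suppression."""
    return not apply_ignore(findings(new_report), load_ignore(ignore_text))


if __name__ == "__main__":
    for key, ids in compare(OLD_REPORT, NEW_REPORT, TRIVYIGNORE).items():
        print(f"{key:11}: {', '.join(ids) or '-'}")
    print("gate       :", "PASS" if gate(NEW_REPORT, TRIVYIGNORE) else "FAIL")
```

Running `gate()` once with the ignore file and once with an empty string makes the point raised in the testing notes visible: the same image passes only because CVE-2024-26147 is suppressed, so a local run that does not pick up .trivyignore and a CI run that does will disagree on exactly that entry. Pointing both runs at the same `compare()` output keeps the suppression explicit instead of inferred from a missing table row.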

@sheidkamp sheidkamp added the work in progress signals bulldozer to keep pr open (don't auto-merge) label May 6, 2024
@github-actions github-actions bot added the keep pr updated signals bulldozer to keep pr up to date with base branch label May 6, 2024
@solo-changelog-bot

Issues linked to changelog:
#9442

@sheidkamp sheidkamp changed the title WIP V1.14.x CVE 2023 45288 V1.14.x CVE 2023 45288 May 7, 2024
nfuden previously approved these changes May 8, 2024

@nfuden (Contributor) left a comment


I don't think the trivy ignore actually does anything for our scheduled job, but I don't think that should block this.

@sheidkamp (Contributor, Author)

bulldozer?

@sheidkamp sheidkamp removed the work in progress signals bulldozer to keep pr open (don't auto-merge) label May 9, 2024
@soloio-bulldozer soloio-bulldozer bot merged commit d78ede6 into v1.14.x May 9, 2024
14 checks passed
@soloio-bulldozer soloio-bulldozer bot deleted the v1.14.x-CVE-2023-45288 branch May 9, 2024 15:16