
1.13 - CVE Go bump #9697

Merged
merged 3 commits into from
Jun 28, 2024

Conversation

@bewebi (Contributor) commented Jun 26, 2024

Description

Bump cloud-builders to use latest go1.21

Context

Routine Trivy scans identified CVE-2024-24790 in our images, with issues opened including #9672.

The CVE is also present in bitnami/kubectl; however, there is not a version of that image available with the CVE that is compatible with Gloo 1.13.
An entry for the CVE is being added to the trivyignore in main explaining this.

Testing steps

I manually tested the latest released images as follows:

for service in gloo gloo-envoy-wrapper discovery ingress sds certgen access-logger kubectl; do trivy image --severity HIGH,CRITICAL "quay.io/solo-io/${service}:1.13.37"; done
Results:
2024-06-26T17:00:33-04:00	INFO	Vulnerability scanning is enabled
2024-06-26T17:00:33-04:00	INFO	Secret scanning is enabled
2024-06-26T17:00:33-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-26T17:00:33-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-26T17:00:34-04:00	INFO	Detected OS	family="alpine" version="3.17.5"
2024-06-26T17:00:34-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=20
2024-06-26T17:00:34-04:00	INFO	Number of language-specific files	num=1
2024-06-26T17:00:34-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/gloo:1.13.37 (alpine 3.17.5)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-06-26T17:00:34-04:00	INFO	Some vulnerabilities have been ignored/suppressed. Use the "--show-suppressed" flag to display them.

usr/local/bin/gloo (gobinary)

Total: 1 (HIGH: 0, CRITICAL: 1)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                           Title                            │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-24790 │ CRITICAL │ fixed  │ 1.21.9            │ 1.21.11, 1.22.4 │ golang: net/netip: Unexpected behavior from Is methods for │
│         │                │          │        │                   │                 │ IPv4-mapped IPv6 addresses                                 │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24790                 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴────────────────────────────────────────────────────────────┘
2024-06-26T17:00:35-04:00	INFO	Vulnerability scanning is enabled
2024-06-26T17:00:35-04:00	INFO	Secret scanning is enabled
2024-06-26T17:00:35-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-26T17:00:35-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-26T17:00:35-04:00	INFO	Detected OS	family="alpine" version="3.17.5"
2024-06-26T17:00:35-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=20
2024-06-26T17:00:35-04:00	INFO	Number of language-specific files	num=1
2024-06-26T17:00:35-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/gloo-envoy-wrapper:1.13.37 (alpine 3.17.5)

Total: 0 (HIGH: 0, CRITICAL: 0)


usr/local/bin/envoyinit (gobinary)

Total: 1 (HIGH: 0, CRITICAL: 1)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                           Title                            │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-24790 │ CRITICAL │ fixed  │ 1.21.9            │ 1.21.11, 1.22.4 │ golang: net/netip: Unexpected behavior from Is methods for │
│         │                │          │        │                   │                 │ IPv4-mapped IPv6 addresses                                 │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24790                 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴────────────────────────────────────────────────────────────┘
2024-06-26T17:00:36-04:00	INFO	Vulnerability scanning is enabled
2024-06-26T17:00:36-04:00	INFO	Secret scanning is enabled
2024-06-26T17:00:36-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-26T17:00:36-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-26T17:00:36-04:00	INFO	Detected OS	family="alpine" version="3.17.6"
2024-06-26T17:00:36-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=16
2024-06-26T17:00:36-04:00	INFO	Number of language-specific files	num=1
2024-06-26T17:00:36-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/discovery:1.13.37 (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-06-26T17:00:36-04:00	INFO	Some vulnerabilities have been ignored/suppressed. Use the "--show-suppressed" flag to display them.

usr/local/bin/discovery (gobinary)

Total: 1 (HIGH: 0, CRITICAL: 1)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                           Title                            │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-24790 │ CRITICAL │ fixed  │ 1.21.9            │ 1.21.11, 1.22.4 │ golang: net/netip: Unexpected behavior from Is methods for │
│         │                │          │        │                   │                 │ IPv4-mapped IPv6 addresses                                 │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24790                 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴────────────────────────────────────────────────────────────┘
2024-06-26T17:00:37-04:00	INFO	Vulnerability scanning is enabled
2024-06-26T17:00:37-04:00	INFO	Secret scanning is enabled
2024-06-26T17:00:37-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-26T17:00:37-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-26T17:00:37-04:00	INFO	Detected OS	family="alpine" version="3.17.6"
2024-06-26T17:00:37-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=15
2024-06-26T17:00:37-04:00	INFO	Number of language-specific files	num=1
2024-06-26T17:00:37-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/ingress:1.13.37 (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-06-26T17:00:37-04:00	INFO	Some vulnerabilities have been ignored/suppressed. Use the "--show-suppressed" flag to display them.

usr/local/bin/ingress (gobinary)

Total: 1 (HIGH: 0, CRITICAL: 1)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                           Title                            │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-24790 │ CRITICAL │ fixed  │ 1.21.9            │ 1.21.11, 1.22.4 │ golang: net/netip: Unexpected behavior from Is methods for │
│         │                │          │        │                   │                 │ IPv4-mapped IPv6 addresses                                 │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24790                 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴────────────────────────────────────────────────────────────┘
2024-06-26T17:00:38-04:00	INFO	Vulnerability scanning is enabled
2024-06-26T17:00:38-04:00	INFO	Secret scanning is enabled
2024-06-26T17:00:38-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-26T17:00:38-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-26T17:00:38-04:00	INFO	Detected OS	family="alpine" version="3.17.6"
2024-06-26T17:00:38-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=15
2024-06-26T17:00:38-04:00	INFO	Number of language-specific files	num=1
2024-06-26T17:00:38-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/sds:1.13.37 (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-06-26T17:00:38-04:00	INFO	Some vulnerabilities have been ignored/suppressed. Use the "--show-suppressed" flag to display them.

usr/local/bin/sds (gobinary)

Total: 1 (HIGH: 0, CRITICAL: 1)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                           Title                            │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-24790 │ CRITICAL │ fixed  │ 1.21.9            │ 1.21.11, 1.22.4 │ golang: net/netip: Unexpected behavior from Is methods for │
│         │                │          │        │                   │                 │ IPv4-mapped IPv6 addresses                                 │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24790                 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴────────────────────────────────────────────────────────────┘
2024-06-26T17:00:39-04:00	INFO	Vulnerability scanning is enabled
2024-06-26T17:00:39-04:00	INFO	Secret scanning is enabled
2024-06-26T17:00:39-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-26T17:00:39-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-26T17:00:39-04:00	INFO	Detected OS	family="alpine" version="3.17.6"
2024-06-26T17:00:39-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=16
2024-06-26T17:00:39-04:00	INFO	Number of language-specific files	num=1
2024-06-26T17:00:39-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/certgen:1.13.37 (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)


usr/local/bin/certgen (gobinary)

Total: 1 (HIGH: 0, CRITICAL: 1)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                           Title                            │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-24790 │ CRITICAL │ fixed  │ 1.21.9            │ 1.21.11, 1.22.4 │ golang: net/netip: Unexpected behavior from Is methods for │
│         │                │          │        │                   │                 │ IPv4-mapped IPv6 addresses                                 │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24790                 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴────────────────────────────────────────────────────────────┘
2024-06-26T17:00:40-04:00	INFO	Vulnerability scanning is enabled
2024-06-26T17:00:40-04:00	INFO	Secret scanning is enabled
2024-06-26T17:00:40-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-26T17:00:40-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-26T17:00:41-04:00	INFO	Detected OS	family="alpine" version="3.17.6"
2024-06-26T17:00:41-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=16
2024-06-26T17:00:41-04:00	INFO	Number of language-specific files	num=1
2024-06-26T17:00:41-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/access-logger:1.13.37 (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)


usr/local/bin/access-logger (gobinary)

Total: 1 (HIGH: 0, CRITICAL: 1)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                           Title                            │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-24790 │ CRITICAL │ fixed  │ 1.21.9            │ 1.21.11, 1.22.4 │ golang: net/netip: Unexpected behavior from Is methods for │
│         │                │          │        │                   │                 │ IPv4-mapped IPv6 addresses                                 │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24790                 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴────────────────────────────────────────────────────────────┘
2024-06-26T17:00:41-04:00	INFO	Vulnerability scanning is enabled
2024-06-26T17:00:41-04:00	INFO	Secret scanning is enabled
2024-06-26T17:00:41-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-26T17:00:41-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-26T17:00:42-04:00	INFO	Detected OS	family="alpine" version="3.17.6"
2024-06-26T17:00:42-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=15
2024-06-26T17:00:42-04:00	INFO	Number of language-specific files	num=1
2024-06-26T17:00:42-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/kubectl:1.13.37 (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-06-26T17:00:42-04:00	INFO	Some vulnerabilities have been ignored/suppressed. Use the "--show-suppressed" flag to display them.

usr/local/bin/kubectl (gobinary)

Total: 1 (HIGH: 0, CRITICAL: 1)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                           Title                            │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-24790 │ CRITICAL │ fixed  │ 1.20.6            │ 1.21.11, 1.22.4 │ golang: net/netip: Unexpected behavior from Is methods for │
│         │                │          │        │                   │                 │ IPv4-mapped IPv6 addresses                                 │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24790                 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴────────────────────────────────────────────────────────────┘

I then rebuilt images locally from this branch and scanned them:

VERSION=1.13.37-cve make docker -B
for service in gloo gloo-envoy-wrapper discovery ingress sds certgen access-logger kubectl; do trivy image --severity HIGH,CRITICAL "quay.io/solo-io/${service}:1.13.37-cve"; done
Results:
2024-06-26T17:05:16-04:00	INFO	Vulnerability scanning is enabled
2024-06-26T17:05:16-04:00	INFO	Secret scanning is enabled
2024-06-26T17:05:16-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-26T17:05:16-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-26T17:05:16-04:00	INFO	Detected OS	family="alpine" version="3.17.5"
2024-06-26T17:05:16-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=20
2024-06-26T17:05:16-04:00	INFO	Number of language-specific files	num=1
2024-06-26T17:05:16-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/gloo:1.13.37-cve (alpine 3.17.5)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-06-26T17:05:16-04:00	INFO	Some vulnerabilities have been ignored/suppressed. Use the "--show-suppressed" flag to display them.
2024-06-26T17:05:16-04:00	INFO	Vulnerability scanning is enabled
2024-06-26T17:05:16-04:00	INFO	Secret scanning is enabled
2024-06-26T17:05:16-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-26T17:05:16-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-26T17:05:16-04:00	INFO	Detected OS	family="alpine" version="3.17.5"
2024-06-26T17:05:16-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=20
2024-06-26T17:05:16-04:00	INFO	Number of language-specific files	num=1
2024-06-26T17:05:16-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/gloo-envoy-wrapper:1.13.37-cve (alpine 3.17.5)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-06-26T17:05:17-04:00	INFO	Vulnerability scanning is enabled
2024-06-26T17:05:17-04:00	INFO	Secret scanning is enabled
2024-06-26T17:05:17-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-26T17:05:17-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-26T17:05:17-04:00	INFO	Detected OS	family="alpine" version="3.17.6"
2024-06-26T17:05:17-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=16
2024-06-26T17:05:17-04:00	INFO	Number of language-specific files	num=1
2024-06-26T17:05:17-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/discovery:1.13.37-cve (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-06-26T17:05:17-04:00	INFO	Some vulnerabilities have been ignored/suppressed. Use the "--show-suppressed" flag to display them.
2024-06-26T17:05:17-04:00	INFO	Vulnerability scanning is enabled
2024-06-26T17:05:17-04:00	INFO	Secret scanning is enabled
2024-06-26T17:05:17-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-26T17:05:17-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-26T17:05:17-04:00	INFO	Detected OS	family="alpine" version="3.17.6"
2024-06-26T17:05:17-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=15
2024-06-26T17:05:17-04:00	INFO	Number of language-specific files	num=1
2024-06-26T17:05:17-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/ingress:1.13.37-cve (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-06-26T17:05:17-04:00	INFO	Some vulnerabilities have been ignored/suppressed. Use the "--show-suppressed" flag to display them.
2024-06-26T17:05:18-04:00	INFO	Vulnerability scanning is enabled
2024-06-26T17:05:18-04:00	INFO	Secret scanning is enabled
2024-06-26T17:05:18-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-26T17:05:18-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-26T17:05:18-04:00	INFO	Detected OS	family="alpine" version="3.17.6"
2024-06-26T17:05:18-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=15
2024-06-26T17:05:18-04:00	INFO	Number of language-specific files	num=1
2024-06-26T17:05:18-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/sds:1.13.37-cve (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-06-26T17:05:18-04:00	INFO	Some vulnerabilities have been ignored/suppressed. Use the "--show-suppressed" flag to display them.
2024-06-26T17:05:19-04:00	INFO	Vulnerability scanning is enabled
2024-06-26T17:05:19-04:00	INFO	Secret scanning is enabled
2024-06-26T17:05:19-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-26T17:05:19-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-26T17:05:19-04:00	INFO	Detected OS	family="alpine" version="3.17.6"
2024-06-26T17:05:19-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=16
2024-06-26T17:05:19-04:00	INFO	Number of language-specific files	num=1
2024-06-26T17:05:19-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/certgen:1.13.37-cve (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-06-26T17:05:19-04:00	INFO	Vulnerability scanning is enabled
2024-06-26T17:05:19-04:00	INFO	Secret scanning is enabled
2024-06-26T17:05:19-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-26T17:05:19-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-26T17:05:19-04:00	INFO	Detected OS	family="alpine" version="3.17.6"
2024-06-26T17:05:19-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=16
2024-06-26T17:05:19-04:00	INFO	Number of language-specific files	num=1
2024-06-26T17:05:19-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/access-logger:1.13.37-cve (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-06-26T17:05:20-04:00	INFO	Vulnerability scanning is enabled
2024-06-26T17:05:20-04:00	INFO	Secret scanning is enabled
2024-06-26T17:05:20-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-26T17:05:20-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-26T17:05:22-04:00	INFO	Detected OS	family="alpine" version="3.17.6"
2024-06-26T17:05:22-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=15
2024-06-26T17:05:22-04:00	INFO	Number of language-specific files	num=1
2024-06-26T17:05:22-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/kubectl:1.13.37-cve (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-06-26T17:05:22-04:00	INFO	Some vulnerabilities have been ignored/suppressed. Use the "--show-suppressed" flag to display them.

usr/local/bin/kubectl (gobinary)

Total: 1 (HIGH: 0, CRITICAL: 1)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                           Title                            │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-24790 │ CRITICAL │ fixed  │ 1.20.6            │ 1.21.11, 1.22.4 │ golang: net/netip: Unexpected behavior from Is methods for │
│         │                │          │        │                   │                 │ IPv4-mapped IPv6 addresses                                 │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24790                 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴────────────────────────────────────────────────────────────┘

I also scanned the images published for the PR:

for service in gloo gloo-envoy-wrapper discovery ingress sds certgen access-logger kubectl; do trivy image --severity HIGH,CRITICAL "quay.io/solo-io/${service}:1.13.37-9697"; done
Results:
2024-06-27T02:22:38-04:00	INFO	Need to update DB
2024-06-27T02:22:38-04:00	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
49.31 MiB / 49.31 MiB [--------------------------------------------------------------------------] 100.00% 6.33 MiB p/s 8.0s
2024-06-27T02:22:47-04:00	INFO	Vulnerability scanning is enabled
2024-06-27T02:22:47-04:00	INFO	Secret scanning is enabled
2024-06-27T02:22:47-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-27T02:22:47-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-27T02:22:53-04:00	INFO	Detected OS	family="alpine" version="3.17.5"
2024-06-27T02:22:53-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=20
2024-06-27T02:22:53-04:00	INFO	Number of language-specific files	num=1
2024-06-27T02:22:53-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/gloo:1.13.37-9697 (alpine 3.17.5)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-06-27T02:22:53-04:00	INFO	Some vulnerabilities have been ignored/suppressed. Use the "--show-suppressed" flag to display them.
2024-06-27T02:22:53-04:00	INFO	Vulnerability scanning is enabled
2024-06-27T02:22:53-04:00	INFO	Secret scanning is enabled
2024-06-27T02:22:53-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-27T02:22:53-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-27T02:22:57-04:00	INFO	Detected OS	family="alpine" version="3.17.5"
2024-06-27T02:22:57-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=20
2024-06-27T02:22:57-04:00	INFO	Number of language-specific files	num=1
2024-06-27T02:22:57-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/gloo-envoy-wrapper:1.13.37-9697 (alpine 3.17.5)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-06-27T02:22:58-04:00	INFO	Vulnerability scanning is enabled
2024-06-27T02:22:58-04:00	INFO	Secret scanning is enabled
2024-06-27T02:22:58-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-27T02:22:58-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-27T02:23:03-04:00	INFO	Detected OS	family="alpine" version="3.17.6"
2024-06-27T02:23:03-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=16
2024-06-27T02:23:03-04:00	INFO	Number of language-specific files	num=1
2024-06-27T02:23:03-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/discovery:1.13.37-9697 (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-06-27T02:23:03-04:00	INFO	Some vulnerabilities have been ignored/suppressed. Use the "--show-suppressed" flag to display them.
2024-06-27T02:23:04-04:00	INFO	Vulnerability scanning is enabled
2024-06-27T02:23:04-04:00	INFO	Secret scanning is enabled
2024-06-27T02:23:04-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-27T02:23:04-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-27T02:23:09-04:00	INFO	Detected OS	family="alpine" version="3.17.6"
2024-06-27T02:23:09-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=15
2024-06-27T02:23:09-04:00	INFO	Number of language-specific files	num=1
2024-06-27T02:23:09-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/ingress:1.13.37-9697 (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-06-27T02:23:09-04:00	INFO	Some vulnerabilities have been ignored/suppressed. Use the "--show-suppressed" flag to display them.
2024-06-27T02:23:09-04:00	INFO	Vulnerability scanning is enabled
2024-06-27T02:23:09-04:00	INFO	Secret scanning is enabled
2024-06-27T02:23:09-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-27T02:23:09-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-27T02:23:13-04:00	INFO	Detected OS	family="alpine" version="3.17.6"
2024-06-27T02:23:13-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=15
2024-06-27T02:23:13-04:00	INFO	Number of language-specific files	num=1
2024-06-27T02:23:13-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/sds:1.13.37-9697 (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-06-27T02:23:13-04:00	INFO	Some vulnerabilities have been ignored/suppressed. Use the "--show-suppressed" flag to display them.
2024-06-27T02:23:14-04:00	INFO	Vulnerability scanning is enabled
2024-06-27T02:23:14-04:00	INFO	Secret scanning is enabled
2024-06-27T02:23:14-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-27T02:23:14-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-27T02:23:18-04:00	INFO	Detected OS	family="alpine" version="3.17.6"
2024-06-27T02:23:18-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=16
2024-06-27T02:23:18-04:00	INFO	Number of language-specific files	num=1
2024-06-27T02:23:18-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/certgen:1.13.37-9697 (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-06-27T02:23:19-04:00	INFO	Vulnerability scanning is enabled
2024-06-27T02:23:19-04:00	INFO	Secret scanning is enabled
2024-06-27T02:23:19-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-27T02:23:19-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-27T02:23:23-04:00	INFO	Detected OS	family="alpine" version="3.17.6"
2024-06-27T02:23:23-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=16
2024-06-27T02:23:23-04:00	INFO	Number of language-specific files	num=1
2024-06-27T02:23:23-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/access-logger:1.13.37-9697 (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-06-27T02:23:23-04:00	INFO	Vulnerability scanning is enabled
2024-06-27T02:23:23-04:00	INFO	Secret scanning is enabled
2024-06-27T02:23:23-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-27T02:23:23-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-27T02:23:27-04:00	INFO	Detected OS	family="alpine" version="3.17.6"
2024-06-27T02:23:27-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=15
2024-06-27T02:23:27-04:00	INFO	Number of language-specific files	num=1
2024-06-27T02:23:27-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/kubectl:1.13.37-9697 (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-06-27T02:23:27-04:00	INFO	Some vulnerabilities have been ignored/suppressed. Use the "--show-suppressed" flag to display them.

usr/local/bin/kubectl (gobinary)

Total: 1 (HIGH: 0, CRITICAL: 1)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                           Title                            │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-24790 │ CRITICAL │ fixed  │ 1.20.6            │ 1.21.11, 1.22.4 │ golang: net/netip: Unexpected behavior from Is methods for │
│         │                │          │        │                   │                 │ IPv4-mapped IPv6 addresses                                 │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24790                 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴────────────────────────────────────────────────────────────┘

Note that the following CVEs from the trivyignore in main need to be present in the trivyignore when scanning these images:

CVE-2024-26147
CVE-2023-2253
CVE-2023-39325
CVE-2023-45283
CVE-2023-45288

Also note that the kubectl image still has the CVE as called out above and will be ignored moving forward.

Checklist:

  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have added tests that prove my fix is effective or that my feature works

BOT NOTES:
resolves #9672
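As an added example (not the PR's own code and not part of the Gloo repository), the following Go program automates the check the testing steps above do by eye: it reads a Trivy report produced with `--format json` (the structs cover only the fields used; the key names follow Trivy's JSON schema), drops the IDs that the `.trivyignore` in main covers, and for each remaining Go `stdlib` finding decides from Trivy's comma-separated Fixed Version list whether a patch release in the installed major.minor line closes it (the 1.21.9 to 1.21.11 case in the tables) or whether, as with the kubectl image's 1.20.6, no fix exists in that line and the image needs a new Go minor. The two sample reports are constructed to mirror the tables above, and the `remediation` heuristic is the example's own, not Trivy's.

```go
package main

import (
	"encoding/json"
	"fmt"
	"slices"
	"strconv"
	"strings"
)

// Subset of Trivy's JSON report (trivy image --format json); field names follow Trivy's schema.
type (
	Report struct {
		ArtifactName string   `json:"ArtifactName"`
		Results      []Result `json:"Results"`
	}
	Result struct {
		Target          string          `json:"Target"`
		Vulnerabilities []Vulnerability `json:"Vulnerabilities"`
	}
	Vulnerability struct {
		VulnerabilityID  string `json:"VulnerabilityID"`
		PkgName          string `json:"PkgName"`
		InstalledVersion string `json:"InstalledVersion"`
		FixedVersion     string `json:"FixedVersion"`
	}
	Finding struct{ Artifact, Target, ID, Installed, Action string } // a non-ignored vulnerability plus what fixes it
)
// Constructed sample reports mirroring the tables in the PR description (not captured Trivy output).
var sampleGloo = []byte(`{"ArtifactName":"quay.io/solo-io/gloo:1.13.37","Results":[{"Target":"usr/local/bin/gloo (gobinary)","Vulnerabilities":[
{"VulnerabilityID":"CVE-2023-45288","PkgName":"stdlib","InstalledVersion":"1.21.9","FixedVersion":""},
{"VulnerabilityID":"CVE-2024-24790","PkgName":"stdlib","InstalledVersion":"1.21.9","FixedVersion":"1.21.11, 1.22.4"}]}]}`)
var sampleKubectl = []byte(`{"ArtifactName":"quay.io/solo-io/kubectl:1.13.37","Results":[{"Target":"usr/local/bin/kubectl (gobinary)","Vulnerabilities":[
{"VulnerabilityID":"CVE-2024-24790","PkgName":"stdlib","InstalledVersion":"1.20.6","FixedVersion":"1.21.11, 1.22.4"}]}]}`)

// parseGoVersion turns "1.21.9" or "go1.21.9" into [major, minor, patch]; "1.22" means patch 0.
func parseGoVersion(v string) (out [3]int, err error) {
	parts := strings.Split(strings.TrimPrefix(strings.TrimSpace(v), "go"), ".")
	if len(parts) < 2 || len(parts) > 3 {
		return out, fmt.Errorf("unexpected Go version %q", v)
	}
	for i, p := range parts {
		if out[i], err = strconv.Atoi(p); err != nil {
			return out, fmt.Errorf("unexpected Go version %q: %w", v, err)
		}
	}
	return out, nil
}

// remediation is this example's own heuristic, not Trivy's: for a Go toolchain (stdlib) finding it says
// whether a patch release in the installed major.minor line closes it or the release line itself must move.
func remediation(v Vulnerability) string {
	if v.FixedVersion == "" {
		return "no fixed version published"
	} else if v.PkgName != "stdlib" {
		return "upgrade to " + v.FixedVersion
	}
	inst, err := parseGoVersion(v.InstalledVersion)
	if err != nil {
		return "review manually: " + err.Error()
	}
	for _, f := range strings.Split(v.FixedVersion, ",") { // Trivy lists one fix per release line: "1.21.11, 1.22.4"
		if fv, err := parseGoVersion(f); err == nil && fv[0] == inst[0] && fv[1] == inst[1] && fv[2] > inst[2] {
			return "patch bump to " + strings.TrimSpace(f)
		}
	}
	return fmt.Sprintf("no fix in %d.%d line; minor bump required (fixed in %s)", inst[0], inst[1], v.FixedVersion)
}

// triage parses one Trivy report and returns every finding whose ID is not in the .trivyignore list.
func triage(reportJSON []byte, trivyignore []string) ([]Finding, error) {
	var r Report
	if err := json.Unmarshal(reportJSON, &r); err != nil {
		return nil, err
	}
	var out []Finding
	for _, res := range r.Results {
		for _, v := range res.Vulnerabilities {
			if slices.Contains(trivyignore, v.VulnerabilityID) {
				continue // suppressed, as Trivy itself does for .trivyignore entries
			}
			out = append(out, Finding{r.ArtifactName, res.Target, v.VulnerabilityID, v.InstalledVersion, remediation(v)})
		}
	}
	return out, nil
}

func main() {
	ignore := []string{"CVE-2024-26147", "CVE-2023-2253", "CVE-2023-39325", "CVE-2023-45283", "CVE-2023-45288"} // per the PR
	for _, rep := range [][]byte{sampleGloo, sampleKubectl} {
		findings, err := triage(rep, ignore)
		if err != nil {
			panic(err)
		}
		for _, f := range findings {
			fmt.Printf("%s: %s %s installed=%s -> %s\n", f.Artifact, f.Target, f.ID, f.Installed, f.Action)
		}
	}
}
```

Run as-is with `go run` to see the two findings from the embedded samples; to use it on real output, write the scan with `trivy image --format json -o report.json ...` and pass the file's bytes to `triage` instead of the samples. The kubectl result is the interesting one: Trivy marks the finding "fixed", but no fixed version shares the 1.20 line, which is exactly why bumping the Go patch level cannot clear it and the entry has to go into the ignore file instead.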

@github-actions github-actions bot added the keep pr updated signals bulldozer to keep pr up to date with base branch label Jun 26, 2024
@solo-changelog-bot

Issues linked to changelog:
#9672

@soloio-bulldozer soloio-bulldozer bot merged commit 427c79a into v1.13.x Jun 28, 2024
15 checks passed
@soloio-bulldozer soloio-bulldozer bot deleted the cve-1.13.37 branch June 28, 2024 14:50
@bewebi bewebi mentioned this pull request Jun 28, 2024