
Advisories for latest node-problem-detector version #203

Merged: 2 commits, Aug 28, 2023

Conversation

pdeslaur
Collaborator

@pdeslaur pdeslaur commented Aug 27, 2023

We picked up version 0.8.14, which fixes a few true positives we've been tracking: wolfi-dev/os#4840

Note that CVE-2020-8565 is now incorrectly reported on our package. Per k8s, Kubernetes is affected until v1.17.13, and our newer version of the package is now at v1.17.17 (reported as v0.17.17 b/c that's how the library version is set up).

It'd be great to encode more information in our future advisories.

wolfictl scan =(curl -sL https://packages.wolfi.dev/os/x86_64/node-problem-detector-0.8.14-r0.apk)
Will process: zshuRKwOc
└── 📄 /usr/bin/node-problem-detector
        📦 k8s.io/client-go v0.17.17 (go-module)
            Medium CVE-2020-8565 GHSA-8cfg-vx93-jvxw fixed in 0.20.0-alpha.2
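As an added example, not code from this PR or from wolfictl, here is a Go sketch of the version reasoning behind the false positive above: it parses the version strings, maps client-go v0.X.Y to the Kubernetes v1.X.Y release it is cut from, and contrasts the single "fixed in 0.20.0-alpha.2" rule with a per-branch check against the 1.17.13 fix the Kubernetes advisory names. The rule `AffectedByBranch` applies to branches with no listed fix is an assumption of this sketch, not something the page states.

```go
package main

import (
	"fmt"
	"strings"
)

// Version is a semver triple plus an optional pre-release tag ("" means a final release).
type Version struct {
	Major, Minor, Patch int
	Pre                 string
}

// ParseVersion accepts "v0.17.17", "1.17.13" or "0.20.0-alpha.2".
func ParseVersion(s string) (Version, error) {
	core, pre, _ := strings.Cut(strings.TrimPrefix(s, "v"), "-")
	v := Version{Pre: pre}
	if _, err := fmt.Sscanf(core, "%d.%d.%d", &v.Major, &v.Minor, &v.Patch); err != nil {
		return Version{}, fmt.Errorf("bad version %q: %w", s, err)
	}
	return v, nil
}

// Less reports whether a sorts strictly before b; on an equal triple only a
// pre-release sorts before the final release (two pre-releases tie).
func (a Version) Less(b Version) bool {
	for _, d := range [][2]int{{a.Major, b.Major}, {a.Minor, b.Minor}, {a.Patch, b.Patch}} {
		if d[0] != d[1] {
			return d[0] < d[1]
		}
	}
	return a.Pre != "" && b.Pre == ""
}

// ClientGoToKubernetes maps k8s.io/client-go v0.X.Y to the Kubernetes v1.X.Y release it is cut from.
func ClientGoToKubernetes(v Version) Version { v.Major = 1; return v }

// AffectedByBranch consults per-minor-branch fixes as upstream publishes them: a
// branch with a listed fix is affected below it; a branch with none is affected
// only if it predates every listed fix (an assumption: fixes land on newer branches first).
func AffectedByBranch(found Version, fixes []Version) bool {
	olderThanAll := true
	for _, f := range fixes {
		if f.Major == found.Major && f.Minor == found.Minor {
			return found.Less(f)
		}
		olderThanAll = olderThanAll && found.Less(f)
	}
	return olderThanAll
}
```

The scanner's rule is the plain `found.Less(advisoryFixed)` comparison, which flags v0.17.17 against 0.20.0-alpha.2; the per-branch check clears v1.17.17 because it already carries the 1.17.13 fix.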

@luhring
Member

luhring commented Aug 28, 2023

It'd be great to encode more information in our future advisories.

What did you have in mind?

@pdeslaur
Collaborator Author

What did you have in mind?

I considered adding prose to the fixed status to indicate this vulnerability is displayed as a false positive, even after the fix is applied. Maybe it's already implicit in the fixed status.

@pdeslaur pdeslaur added this pull request to the merge queue Aug 28, 2023
Merged via the queue into wolfi-dev:main with commit 169ea11 Aug 28, 2023
@pdeslaur pdeslaur deleted the node-problem-detector branch August 28, 2023 19:05
@luhring
Member

luhring commented Aug 28, 2023

I considered adding prose to the fixed status to indicate this vulnerability is displayed as a false positive, even after the fix is applied. Maybe it's already implicit in the fixed status.

Yeah, if I'm understanding the situation correctly, I think there's nothing more we can/should do there. This would be a bug in the scanner.
