Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update photon 4.0 image to resolve CVEs #539

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Update photon 4.0 image to resolve CVEs #539

wants to merge 1 commit into from

Conversation

deepakkinni
Copy link
Collaborator

@deepakkinni deepakkinni commented Jun 27, 2023
edited
Loading

What this PR does / why we need it:
Resolve CVE-2023-2603

Which issue(s) this PR fixes:

Fixes #

Testing:
Scan Results:

❯ docker run aquasec/trivy image harbor-repo.vmware.com/dkinni/velero-plugin-for-vsphere:cve_fix_v1-96b0940-26.Jun.2023.21.08.24
2023-06-27T04:29:31.374Z	INFO	Need to update DB
2023-06-27T04:29:31.374Z	INFO	DB Repository: ghcr.io/aquasecurity/trivy-db
2023-06-27T04:29:31.374Z	INFO	Downloading DB...
8.10 MiB / 37.87 MiB [------------->________________________________________________] 21.39% ? p/s ?20.39 MiB / 37.87 MiB [-------------------------------->____________________________] 53.85% ? p/s ?35.09 MiB / 37.87 MiB [-------------------------------------------------------->____] 92.67% ? p/s ?37.87 MiB / 37.87 MiB [---------------------------------------------->] 100.00% 49.61 MiB p/s ETA 0s37.87 MiB / 37.87 MiB [---------------------------------------------->] 100.00% 49.61 MiB p/s ETA 0s37.87 MiB / 37.87 MiB [---------------------------------------------->] 100.00% 49.61 MiB p/s ETA 0s37.87 MiB / 37.87 MiB [---------------------------------------------->] 100.00% 46.41 MiB p/s ETA 0s37.87 MiB / 37.87 MiB [---------------------------------------------->] 100.00% 46.41 MiB p/s ETA 0s37.87 MiB / 37.87 MiB [---------------------------------------------->] 100.00% 46.41 MiB p/s ETA 0s37.87 MiB / 37.87 MiB [-------------------------------------------------] 100.00% 22.60 MiB p/s 1.9s2023-06-27T04:29:34.500Z	INFO	Vulnerability scanning is enabled
2023-06-27T04:29:34.500Z	INFO	Secret scanning is enabled
2023-06-27T04:29:34.500Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-06-27T04:29:34.500Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.41/docs/secret/scanning/#recommendation for faster secret detection
2023-06-27T04:29:45.744Z	INFO	Detected OS: photon
2023-06-27T04:29:45.744Z	INFO	Detecting Photon Linux vulnerabilities...
2023-06-27T04:29:45.745Z	INFO	Number of language-specific files: 3
2023-06-27T04:29:45.745Z	INFO	Detecting gobinary vulnerabilities...

harbor-repo.vmware.com/dkinni/velero-plugin-for-vsphere:cve_fix_v1-96b0940-26.Jun.2023.21.08.24 (photon 4.0)
============================================================================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)


backup-driver (gobinary)
========================
Total: 2 (UNKNOWN: 0, LOW: 1, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

┌───────────────────────────┬───────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│          Library          │ Vulnerability │ Severity │ Installed Version │ Fixed Version │                           Title                            │
├───────────────────────────┼───────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ github.com/aws/aws-sdk-go │ CVE-2020-8911 │ MEDIUM   │ v1.44.207         │               │ aws/aws-sdk-go: CBC padding oracle issue in AWS S3 Crypto  │
│                           │               │          │                   │               │ SDK for golang...                                          │
│                           │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2020-8911                  │
│                           ├───────────────┼──────────┤                   ├───────────────┼────────────────────────────────────────────────────────────┤
│                           │ CVE-2020-8912 │ LOW      │                   │               │ aws-sdk-go: In-band key negotiation issue in AWS S3 Crypto │
│                           │               │          │                   │               │ SDK for golang...                                          │
│                           │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2020-8912                  │
└───────────────────────────┴───────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘

data-manager-for-plugin (gobinary)
==================================
Total: 2 (UNKNOWN: 0, LOW: 1, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

┌───────────────────────────┬───────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│          Library          │ Vulnerability │ Severity │ Installed Version │ Fixed Version │                           Title                            │
├───────────────────────────┼───────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ github.com/aws/aws-sdk-go │ CVE-2020-8911 │ MEDIUM   │ v1.44.207         │               │ aws/aws-sdk-go: CBC padding oracle issue in AWS S3 Crypto  │
│                           │               │          │                   │               │ SDK for golang...                                          │
│                           │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2020-8911                  │
│                           ├───────────────┼──────────┤                   ├───────────────┼────────────────────────────────────────────────────────────┤
│                           │ CVE-2020-8912 │ LOW      │                   │               │ aws-sdk-go: In-band key negotiation issue in AWS S3 Crypto │
│                           │               │          │                   │               │ SDK for golang...                                          │
│                           │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2020-8912                  │
└───────────────────────────┴───────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘

plugins/velero-plugin-for-vsphere (gobinary)
============================================
Total: 2 (UNKNOWN: 0, LOW: 1, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

┌───────────────────────────┬───────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────────┐
│          Library          │ Vulnerability │ Severity │ Installed Version │ Fixed Version │                           Title                            │
├───────────────────────────┼───────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────────┤
│ github.com/aws/aws-sdk-go │ CVE-2020-8911 │ MEDIUM   │ v1.44.207         │               │ aws/aws-sdk-go: CBC padding oracle issue in AWS S3 Crypto  │
│                           │               │          │                   │               │ SDK for golang...                                          │
│                           │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2020-8911                  │
│                           ├───────────────┼──────────┤                   ├───────────────┼────────────────────────────────────────────────────────────┤
│                           │ CVE-2020-8912 │ LOW      │                   │               │ aws-sdk-go: In-band key negotiation issue in AWS S3 Crypto │
│                           │               │          │                   │               │ SDK for golang...                                          │
│                           │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2020-8912                  │
└───────────────────────────┴───────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────────┘

Does this PR introduce a user-facing change?:

Update to photon:4.0-20230603 image

@svcbot-qecnsdp
Copy link

Sorry, some of the pre-check tests are failing for this PR !

Please check the Jenkins job for more details
https://container-dp.svc.eng.vmware.com/job/CNSDP-CI/822/

@lipingxue
Copy link
Collaborator

@deepakkinni Overall change looks good to me. In the scan result, I still see some Medium/Low CVEs. Do we need to fix them or not?

@deepakkinni
Copy link
Collaborator Author

@deepakkinni Overall change looks good to me. In the scan result, I still see some Medium/Low CVEs. Do we need to fix them or not?

These are existing CVEs, since they are LOW and MEDIUM it's not essential to fix them.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@deepakkinni @svcbot-qecnsdp @lipingxue