
Critical vulnerabilities on netshoot image #111

Open

Dentrax opened this issue Jun 27, 2022 · 6 comments

Comments

@Dentrax

Dentrax commented Jun 27, 2022

I scanned the netshoot image with Grype and it found some critical vulns. Is there any plan to mitigate these? It would be nice to have a scheduled action that scans the image for vulns.

NAME                                  INSTALLED                                                  FIXED-IN   TYPE       VULNERABILITY        SEVERITY
apache2-utils                         2.4.53-r0                                                  2.4.54-r0  apk        CVE-2022-28615       Critical
apache2-utils                         2.4.53-r0                                                  2.4.54-r0  apk        CVE-2022-30556       High
apache2-utils                         2.4.53-r0                                                  2.4.54-r0  apk        CVE-2022-31813       Critical
apache2-utils                         2.4.53-r0                                                  2.4.54-r0  apk        CVE-2022-26377       High
apache2-utils                         2.4.53-r0                                                  2.4.54-r0  apk        CVE-2022-28330       Medium
apache2-utils                         2.4.53-r0                                                  2.4.54-r0  apk        CVE-2022-30522       High
apache2-utils                         2.4.53-r0                                                  2.4.54-r0  apk        CVE-2022-28614       Medium
apache2-utils                         2.4.53-r0                                                  2.4.54-r0  apk        CVE-2022-29404       High
flock                                 2.38-r1                                                               apk        CVE-2010-3262        Medium
github.com/containerd/containerd      v1.4.1                                                     1.4.12     go-module  GHSA-5j5w-g665-5m35  Low
github.com/containerd/containerd      v1.4.1                                                     1.4.11     go-module  GHSA-c2h3-6mxw-7mvq  Medium
github.com/containerd/containerd      v1.4.1                                                     1.4.8      go-module  GHSA-c72p-9xmj-rx3w  Medium
github.com/containerd/containerd      v1.4.1                                                     1.4.13     go-module  GHSA-crp2-qrr5-8pq7  High
github.com/containerd/containerd      v1.4.1                                                     1.5.13     go-module  GHSA-5ffw-gxpp-mxpf  Medium
github.com/containerd/containerd      v1.4.1                                                     1.4.3      go-module  GHSA-36xw-fx78-c5r4  Medium
github.com/docker/docker              v20.10.0-beta1.0.20201113105859-b6bfff2a628f+incompatible             go-module  CVE-2021-21285       Medium
github.com/docker/docker              v20.10.0-beta1.0.20201113105859-b6bfff2a628f+incompatible             go-module  CVE-2021-21284       Medium
github.com/gogo/protobuf              v1.3.1                                                     1.3.2      go-module  GHSA-c3h9-896r-86jm  High
github.com/influxdata/influxdb        v0.0.0-20190102202943-dd481f35df2c                                    go-module  CVE-2018-17572       Medium
github.com/influxdata/influxdb        v0.0.0-20190102202943-dd481f35df2c                                    go-module  CVE-2019-20933       Critical
github.com/opencontainers/image-spec  v1.0.1                                                     1.0.2      go-module  GHSA-77vh-xpmg-72qh  Low
github.com/opencontainers/runc        v1.0.3                                                     1.1.2      go-module  GHSA-f3fp-gc8g-vw66  Medium
github.com/projectcalico/calico       (devel)                                                               go-module  CVE-2020-13597       Low
go.etcd.io/etcd                       v0.5.0-alpha.5.0.20201125193152-8a03d2e9614b               3.4.0      go-module  GHSA-wf43-55jj-vwq8  Medium
google.golang.org/protobuf            v1.26.0                                                               go-module  CVE-2021-22570       High
google.golang.org/protobuf            v1.26.0                                                               go-module  CVE-2015-5237        High
httpie                                3.2.1                                                                 python     CVE-2019-10751       High
pcre2                                 10.39-r0                                                   10.40-r0   apk        CVE-2022-1587        Critical
pcre2                                 10.39-r0                                                   10.40-r0   apk        CVE-2022-1586        Critical
scapy                                 git-archive.dev8b63d73a172                                 2.4.1      python     GHSA-mpf2-q34c-fc6j  High
vim                                   8.2.4969-r0                                                           apk        CVE-2022-1735        High
vim                                   8.2.4969-r0                                                           apk        CVE-2022-1785        High
vim                                   8.2.4969-r0                                                           apk        CVE-2022-1851        High
vim                                   8.2.4969-r0                                                           apk        CVE-2022-1769        High
vim                                   8.2.4969-r0                                                           apk        CVE-2022-1771        Medium
vim                                   8.2.4969-r0                                                           apk        CVE-2022-1927        Critical
vim                                   8.2.4969-r0                                                           apk        CVE-2022-1796        High
vim                                   8.2.4969-r0                                                           apk        CVE-2022-1898        High
vim                                   8.2.4969-r0                                                           apk        CVE-2022-1886        High
vim                                   8.2.4969-r0                                                           apk        CVE-2022-1942        High
xxd                                   8.2.4969-r0                                                           apk        CVE-2022-1769        High
xxd                                   8.2.4969-r0                                                           apk        CVE-2022-1942        High
xxd                                   8.2.4969-r0                                                           apk        CVE-2022-1851        High
xxd                                   8.2.4969-r0                                                           apk        CVE-2022-1785        High
xxd                                   8.2.4969-r0                                                           apk        CVE-2022-1796        High
xxd                                   8.2.4969-r0                                                           apk        CVE-2022-1927        Critical
xxd                                   8.2.4969-r0                                                           apk        CVE-2022-1886        High
xxd                                   8.2.4969-r0                                                           apk        CVE-2022-1735        High
xxd                                   8.2.4969-r0                                                           apk        CVE-2022-1898        High
xxd                                   8.2.4969-r0                                                           apk        CVE-2022-1771        Medium
@nicolaka
Owner

Please re-run the test with the latest image (v0.7), as I upgraded to Alpine 3.16.

@Dentrax
Author

Dentrax commented Jun 28, 2022

It seems most of these are fixed 👍

NAME                                  INSTALLED                                                  FIXED-IN  TYPE       VULNERABILITY        SEVERITY
flock                                 2.38-r2                                                              apk        CVE-2010-3262        Medium
github.com/containerd/containerd      v1.4.1                                                     1.4.3     go-module  GHSA-36xw-fx78-c5r4  Medium
github.com/containerd/containerd      v1.4.1                                                     1.4.8     go-module  GHSA-c72p-9xmj-rx3w  Medium
github.com/containerd/containerd      v1.4.1                                                     1.5.13    go-module  GHSA-5ffw-gxpp-mxpf  Medium
github.com/containerd/containerd      v1.4.1                                                     1.4.11    go-module  GHSA-c2h3-6mxw-7mvq  Medium
github.com/containerd/containerd      v1.4.1                                                     1.4.13    go-module  GHSA-crp2-qrr5-8pq7  High
github.com/containerd/containerd      v1.4.1                                                     1.4.12    go-module  GHSA-5j5w-g665-5m35  Low
github.com/docker/docker              v20.10.0-beta1.0.20201113105859-b6bfff2a628f+incompatible            go-module  CVE-2021-21284       Medium
github.com/docker/docker              v20.10.0-beta1.0.20201113105859-b6bfff2a628f+incompatible            go-module  CVE-2021-21285       Medium
github.com/gogo/protobuf              v1.3.1                                                     1.3.2     go-module  GHSA-c3h9-896r-86jm  High
github.com/influxdata/influxdb        v0.0.0-20190102202943-dd481f35df2c                                   go-module  CVE-2018-17572       Medium
github.com/influxdata/influxdb        v0.0.0-20190102202943-dd481f35df2c                                   go-module  CVE-2019-20933       Critical
github.com/opencontainers/image-spec  v1.0.1                                                     1.0.2     go-module  GHSA-77vh-xpmg-72qh  Low
github.com/opencontainers/runc        v1.0.3                                                     1.1.2     go-module  GHSA-f3fp-gc8g-vw66  Medium
github.com/projectcalico/calico       (devel)                                                              go-module  CVE-2020-13597       Low
go.etcd.io/etcd                       v0.5.0-alpha.5.0.20201125193152-8a03d2e9614b               3.4.0     go-module  GHSA-wf43-55jj-vwq8  Medium
google.golang.org/protobuf            v1.26.0                                                              go-module  CVE-2021-22570       High
google.golang.org/protobuf            v1.26.0                                                              go-module  CVE-2015-5237        High
httpie                                3.2.1                                                                python     CVE-2019-10751       High
scapy                                 git-archive.dev8b63d73a172                                 2.4.1     python     GHSA-mpf2-q34c-fc6j  High

@programmer04
Contributor

Let's maybe consider configuring Dependabot to keep dependencies like the base image up to date.
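What the Dependabot suggestion above would look like in practice, as an added example that is not from this thread or the netshoot project: a `.github/dependabot.yml` that tracks the `FROM` line of the Dockerfile in the repository root (the `directory` value and the weekly cadence are assumptions).

```yaml
# .github/dependabot.yml (added example, not the project's own file)
version: 2
updates:
  # "docker" ecosystem: Dependabot opens a PR whenever a newer tag of the
  # image referenced in the Dockerfile's FROM line is published.
  - package-ecosystem: "docker"
    directory: "/"          # assumption: Dockerfile lives at the repo root
    schedule:
      interval: "weekly"    # assumption: weekly is frequent enough for a base image bump
    labels:
      - "dependencies"
```

One caveat worth keeping in mind when reading the scan tables in this thread: the `docker` ecosystem only bumps the base image tag, which is what cleared the `apk` findings between the two scans. The `go-module` and `python` rows come from prebuilt binaries and packages copied into the image, and Dependabot has no view of those; they only get caught by scanning the built image itself.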

@nicolaka
Owner

@programmer04 any chance you can submit a PR?

@Dentrax
Author

Dentrax commented Aug 16, 2022

I can also add some security scanning stuff in the pipeline. I can file an issue for this if you want.

@programmer04
Contributor

Sure, I've just created the PR @nicolaka #113.

I think that adding security scanning is a good idea @Dentrax (e.g. once a day to detect the newest reported vulnerabilities)! GitHub unfortunately does not support Docker images in its dependency graph, so security vulnerabilities are not reported automatically.
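The once-a-day scan discussed in this thread, written out as an added example workflow (not a file from this thread or the netshoot project). It runs Grype via the `anchore/scan-action` action against the published image, fails the job only on fixable findings at Critical severity, and uploads the SARIF report so findings show up under the repository's code scanning alerts. The image name, the cron time and the severity cutoff are assumptions; the input and output names are those documented for `anchore/scan-action@v3`.

```yaml
# .github/workflows/image-scan.yml (added example, not the project's own file)
name: image-vulnerability-scan

on:
  schedule:
    - cron: "0 6 * * *"        # assumption: once a day at 06:00 UTC
  workflow_dispatch:           # allow a manual re-run after a fix lands

permissions:
  contents: read
  security-events: write       # required to upload SARIF to code scanning

jobs:
  grype:
    runs-on: ubuntu-latest
    steps:
      - name: Scan the published image with Grype
        id: scan
        uses: anchore/scan-action@v3
        with:
          image: "nicolaka/netshoot:latest"   # assumption: the published image tag to watch
          fail-build: true
          severity-cutoff: critical           # fail on Critical; lower the cutoff to tighten
          only-fixed: true                    # ignore findings with no FIXED-IN version

      - name: Upload results to GitHub code scanning
        if: always()                          # upload even when the scan step failed the job
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: ${{ steps.scan.outputs.sarif }}
```

`only-fixed: true` is the setting that keeps a scheduled job useful: rows like `flock` / CVE-2010-3262 in the tables above have no fixed version, and without it they would keep the job red forever with nothing for a maintainer to act on. The same gate can be reproduced locally with `grype nicolaka/netshoot:latest --fail-on critical --only-fixed` before pushing a new tag.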
