Report the use of components with vulnerabilities in karmada

[HouqiyuA]

Dear Team Members:
Greetings! Our team is very interested in your project. we performed source code perspective security analysis (SCA) and vulnerability library association analysis on this project and found that components with vulnerabilities are still being used into this project.We would like to report this issue to you,so that you can fix and improve it accordingly. I add the details in json file below. Please confirm whether this problem really exists and confirm with us. Looking forward to hearing from you and discussing more details with us, thank you very much for your time and attention.

Note: Each "affect_components" field in the report represents the vulnerable component introduced by this project. The other is the vulnerability information associated with it.

Qiyu Hou

karmada-master_report.json

[zhzhuang-zju]

@HouqiyuA Thanks for the vulnerability information.

In fact, we have CI to scan for image vulnerabilities to secure karmada's dependencies.

• the yaml of ci can refer to https://github.com/karmada-io/karmada/blob/master/.github/workflows/ci-image-scanning.yaml
• the action of CI can refer to https://github.com/karmada-io/karmada/actions/runs/8997316915

Going back to the vulnerabilities you reported, there are two：

• CVE-2023-47108
  This vulnerability can be fix by bumping go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc to v0.46.0. In fact, we have fixed it in branch master. For details, please refer to Bump Kubernetes dependencies to v1.29.4 #4884

• CVE-2020-8561
  I don't seem to have found a fixed version of this vulnerability, if there is already a solved version, please correct me!

[zhzhuang-zju]

Update:

• [CVE-2020-8561]GHSA-74j8-88mm-7496
  Refer to CVE-2020-8561: Webhook redirect in kube-apiserver kubernetes/kubernetes#104720 (comment) and CVE-2020-8561: Webhook redirect in kube-apiserver kubernetes/kubernetes#104720 (comment), there's not really a code fix to be made for this CVE and if we mitigate this vulnerability, we can ignore this CVE. Since the log level of karmada-apiserver and kube-apiserver is not 10 and we have bump the version of image registry.k8s.io/kube-apiserver to v1.27.11 in branch master, we can ignore this CVE.

In summary, karmada is not affected by these two vulnerabilities in branch master.

/close

[karmada-bot]

@zhzhuang-zju: Closing this issue.

In response to this:

Update:

• [CVE-2020-8561]GHSA-74j8-88mm-7496
  Refer to CVE-2020-8561: Webhook redirect in kube-apiserver kubernetes/kubernetes#104720 (comment) and CVE-2020-8561: Webhook redirect in kube-apiserver kubernetes/kubernetes#104720 (comment), there's not really a code fix to be made for this CVE and if we mitigate this vulnerability, we can ignore this CVE. Since the log level of karmada-apiserver and kube-apiserver is not 10 and we have bump the version of image registry.k8s.io/kube-apiserver to v1.27.11 in branch master, we can ignore this CVE.

In summary, karmada is not affected by these two vulnerabilities in branch master.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.