Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Report the use of components with vulnerabilities in spiderpool #3472

Open
HouqiyuA opened this issue May 8, 2024 · 5 comments · May be fixed by #3519
Open

Report the use of components with vulnerabilities in spiderpool #3472

HouqiyuA opened this issue May 8, 2024 · 5 comments · May be fixed by #3519
Assignees
@cyclinder
Labels
good first issue Denotes an issue ready for a new contributor, according to the "help wanted" guidelines. kind/bug

Comments

@HouqiyuA
Copy link

HouqiyuA commented May 8, 2024

Spiderpool Version

v1.0.0

Bug Type

Other

Main CNI

None

What happened?

Dear Team Members:
Greetings! Our team is very interested in your project. we performed source code perspective security analysis (SCA) and vulnerability library association analysis on this project and found that components with vulnerabilities are still being used into this project.We would like to report this issue to you,so that you can fix and improve it accordingly. I add the details in json file below. Please confirm whether this problem really exists and confirm with us. Looking forward to hearing from you and discussing more details with us, thank you very much for your time and attention.

Note: Each "affect_components" field in the report represents the vulnerable component introduced by this project. The other is the vulnerability information associated with it.

Qiyu Hou

spiderpool-main_report.json

What did you expect to happen?

None

How to reproduce it (as minimally and precisely as possible)

None

Additional Context

None
@cyclinder
Copy link
Collaborator

Hi @HouqiyuA, Thanks for your report. Is the issue duplicated with #3420?

@HouqiyuA
Copy link
Author

HouqiyuA commented May 8, 2024 via email

@cyclinder
Copy link
Collaborator

Thanks @HouqiyuA, It seems these components with vulnerabilities come from cilium, we just referenced it. Will upstream of cilium fix these vulnerabilities?

@HouqiyuA
Copy link
Author

HouqiyuA commented May 9, 2024 via email

@cyclinder
Copy link
Collaborator

Spiderpool doesn't use cilium directly, or only a tiny part of it, so it has a limited reach, but upgrading the cilium version is good, so I'll be upgrading it later.

@cyclinder cyclinder added the good first issue Denotes an issue ready for a new contributor, according to the "help wanted" guidelines. label May 10, 2024
@cyclinder cyclinder linked a pull request May 24, 2024 that will close this issue
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@cyclinder cyclinder

Labels
good first issue Denotes an issue ready for a new contributor, according to the "help wanted" guidelines. kind/bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

go.mod: bump cilium dependencies cyclinder/spiderpool
2 participants
@cyclinder @HouqiyuA