Merge branch 'main' into adv-fix-hubble-ui-backend-0.13.0-r3

Signed-off-by: Carlos Tadeu Panato Junior <ctadeu@gmail.com>

.github/workflows/bigquery-ingestion.yaml

@@ -36,7 +36,7 @@ jobs:
           gcloud run jobs execute --region us-central1 cve-advisory-cron
 
       - name: Post failure notice to Slack
-        uses: rtCamp/action-slack-notify@b24d75fe0e728a4bf9fc42ee217caa686d141ee8 # ratchet:rtCamp/action-slack-notify@v2.2.1
+        uses: rtCamp/action-slack-notify@4e5fb42d249be6a45a298f3c9543b111b02f7907 # ratchet:rtCamp/action-slack-notify@v2.3.0
         if: ${{ failure() }}
         env:
           SLACK_ICON: http://github.com/chainguard-dev.png?size=48

.github/workflows/build-and-publish-osv.yaml

@@ -0,0 +1,43 @@
+name: Build and publish OSV
+
+on:
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+
+jobs:
+  build-publish:
+    name: Build and publish OSV
+    runs-on: ubuntu-latest
+    if: github.repository == 'wolfi-dev/advisories'
+
+    permissions:
+      id-token: write
+      contents: read
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: wolfi-dev/actions/build-and-publish-osv@main
+        with:
+          workload_identity_provider: "projects/618116202522/locations/global/workloadIdentityPools/prod-shared-e350/providers/prod-shared-gha"
+          service_account: "prod-images-ci@prod-images-c6e5.iam.gserviceaccount.com"
+          gcp_project_id: prod-images-c6e5
+          wolfictl_args: "--ecosystem wolfi --advisories-repo-dir ."
+          gcs_apk_bucket_name: wolfi-production-registry-destination
+          gcs_apk_directory_name: os
+
+      - name: Post failure notice to Slack
+        uses: rtCamp/action-slack-notify@4e5fb42d249be6a45a298f3c9543b111b02f7907 # ratchet:rtCamp/action-slack-notify@v2.3.0
+        if: ${{ failure() }}
+        env:
+          SLACK_ICON: http://github.com/chainguard-dev.png?size=48
+          SLACK_USERNAME: guardian
+          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_URL }}
+          SLACK_CHANNEL: 'eng-squad-lifecycle-alerts'
+          SLACK_COLOR: '#8E1600'
+          MSG_MINIMAL: 'true'
+          SLACK_TITLE: Build/Publish YAML for ${{ github.repository }} failed!
+          SLACK_MESSAGE: |
+            For detailed logs: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}

.github/workflows/build-and-publish-secdb.yaml

@@ -29,7 +29,7 @@ jobs:
           gcs_apk_directory_name: os
 
       - name: Post failure notice to Slack
-        uses: rtCamp/action-slack-notify@b24d75fe0e728a4bf9fc42ee217caa686d141ee8 # ratchet:rtCamp/action-slack-notify@v2.2.1
+        uses: rtCamp/action-slack-notify@4e5fb42d249be6a45a298f3c9543b111b02f7907 # ratchet:rtCamp/action-slack-notify@v2.3.0
         if: ${{ failure() }}
         env:
           SLACK_ICON: http://github.com/chainguard-dev.png?size=48

.github/workflows/build-and-publish-yaml.yaml

@@ -29,7 +29,7 @@ jobs:
           gcs_apk_directory_name: os
 
       - name: Post failure notice to Slack
-        uses: rtCamp/action-slack-notify@b24d75fe0e728a4bf9fc42ee217caa686d141ee8 # ratchet:rtCamp/action-slack-notify@v2.2.1
+        uses: rtCamp/action-slack-notify@4e5fb42d249be6a45a298f3c9543b111b02f7907 # ratchet:rtCamp/action-slack-notify@v2.3.0
         if: ${{ failure() }}
         env:
           SLACK_ICON: http://github.com/chainguard-dev.png?size=48

aactl.advisories.yaml

@@ -231,6 +231,15 @@ advisories:
         data:
           fixed-version: 0.4.12-r7
 
+  - id: CVE-2024-24557
+    aliases:
+      - GHSA-xw73-rw38-6vjc
+    events:
+      - timestamp: 2024-03-21T11:17:04Z
+        type: fixed
+        data:
+          fixed-version: 0.4.12-r8
+
   - id: CVE-2024-24786
     aliases:
       - GHSA-8r3f-844c-mc37
@@ -247,6 +256,10 @@ advisories:
             componentType: go-module
             componentLocation: /usr/bin/aactl
             scanner: grype
+      - timestamp: 2024-03-21T11:17:02Z
+        type: fixed
+        data:
+          fixed-version: 0.4.12-r8
 
   - id: CVE-2024-28180
     aliases:
@@ -269,6 +282,15 @@ advisories:
         data:
           fixed-version: 0.4.12-r7
 
+  - id: CVE-2024-29018
+    aliases:
+      - GHSA-mq39-4gv4-mvpx
+    events:
+      - timestamp: 2024-03-21T07:33:49Z
+        type: fixed
+        data:
+          fixed-version: 0.4.12-r7
+
   - id: GHSA-2c7c-3mj9-8fqh
     events:
       - timestamp: 2024-02-14T10:35:34Z

argo-cd-2.10.advisories.yaml

@@ -4,6 +4,15 @@ package:
   name: argo-cd-2.10
 
 advisories:
+  - id: CVE-2024-21652
+    aliases:
+      - GHSA-x32m-mvfj-52xv
+    events:
+      - timestamp: 2024-03-19T10:19:27Z
+        type: fixed
+        data:
+          fixed-version: 2.10.4-r0
+
   - id: CVE-2024-24786
     aliases:
       - GHSA-8r3f-844c-mc37

argo-cd-2.7.advisories.yaml

@@ -249,6 +249,21 @@ advisories:
             componentLocation: /usr/bin/argocd
             scanner: grype
 
+  - id: GHSA-2vgg-9h6w-m454
+    events:
+      - timestamp: 2024-03-23T07:06:33Z
+        type: detection
+        data:
+          type: scan/v1
+          data:
+            subpackageName: argo-cd-2.7
+            componentID: 017ef98c4182ad84
+            componentName: github.com/argoproj/argo-cd/v2
+            componentVersion: v2.7.17
+            componentType: go-module
+            componentLocation: /usr/bin/argocd
+            scanner: grype
+
   - id: GHSA-6xv5-86q9-7xr8
     events:
       - timestamp: 2023-09-09T15:17:59Z

argo-workflows.advisories.yaml

@@ -42,6 +42,15 @@ advisories:
         data:
           fixed-version: 3.5.2-r3
 
+  - id: CVE-2024-24557
+    aliases:
+      - GHSA-xw73-rw38-6vjc
+    events:
+      - timestamp: 2024-03-22T09:21:48Z
+        type: fixed
+        data:
+          fixed-version: 3.5.5-r4
+
   - id: CVE-2024-24786
     aliases:
       - GHSA-8r3f-844c-mc37
@@ -58,6 +67,10 @@ advisories:
             componentType: go-module
             componentLocation: /usr/bin/workflow-controller
             scanner: grype
+      - timestamp: 2024-03-21T13:30:59Z
+        type: fixed
+        data:
+          fixed-version: 3.5.5-r4
 
   - id: CVE-2024-27289
     aliases:

aws-cli-v2.advisories.yaml

@@ -0,0 +1,39 @@
+schema-version: 2.0.2
+
+package:
+  name: aws-cli-v2
+
+advisories:
+  - id: CVE-2023-6597
+    aliases:
+      - GHSA-797f-63wg-8chv
+    events:
+      - timestamp: 2024-03-25T18:52:05Z
+        type: detection
+        data:
+          type: scan/v1
+          data:
+            subpackageName: aws-cli-v2
+            componentID: d308222d66b99a12
+            componentName: python
+            componentVersion: 3.11.8
+            componentType: binary
+            componentLocation: /usr/lib/aws-cli/libpython3.11.so.1.0
+            scanner: grype
+
+  - id: CVE-2024-0450
+    aliases:
+      - GHSA-jm46-725r-hh9v
+    events:
+      - timestamp: 2024-03-25T18:52:06Z
+        type: detection
+        data:
+          type: scan/v1
+          data:
+            subpackageName: aws-cli-v2
+            componentID: d308222d66b99a12
+            componentName: python
+            componentVersion: 3.11.8
+            componentType: binary
+            componentLocation: /usr/lib/aws-cli/libpython3.11.so.1.0
+            scanner: grype

bind.advisories.yaml

@@ -488,6 +488,10 @@ advisories:
             componentType: apk
             componentLocation: /.PKGINFO
             scanner: grype
+      - timestamp: 2024-03-20T15:41:12Z
+        type: fixed
+        data:
+          fixed-version: 9.18.25-r0
 
   - id: CVE-2023-6516
     aliases:

bom.advisories.yaml

@@ -132,6 +132,23 @@ advisories:
         data:
           fixed-version: 0.6.0-r0
 
+  - id: CVE-2024-24557
+    aliases:
+      - GHSA-xw73-rw38-6vjc
+    events:
+      - timestamp: 2024-03-21T10:30:53Z
+        type: detection
+        data:
+          type: scan/v1
+          data:
+            subpackageName: bom
+            componentID: 032b3d6a67d55c61
+            componentName: github.com/docker/docker
+            componentVersion: v24.0.0+incompatible
+            componentType: go-module
+            componentLocation: /usr/bin/bom
+            scanner: grype
+
   - id: CVE-2024-24783
     aliases:
       - GHSA-3q2c-pvp5-3cqp

buf.advisories.yaml

@@ -41,3 +41,20 @@ advisories:
         type: fixed
         data:
           fixed-version: 1.30.0-r0
+
+  - id: CVE-2024-29018
+    aliases:
+      - GHSA-mq39-4gv4-mvpx
+    events:
+      - timestamp: 2024-03-22T07:06:18Z
+        type: detection
+        data:
+          type: scan/v1
+          data:
+            subpackageName: buf
+            componentID: 092d335917925f4e
+            componentName: github.com/docker/docker
+            componentVersion: v25.0.4+incompatible
+            componentType: go-module
+            componentLocation: /usr/bin/buf
+            scanner: grype

buildkitd.advisories.yaml

@@ -224,6 +224,27 @@ advisories:
         data:
           fixed-version: 0.13.0-r1
 
+  - id: CVE-2024-29018
+    aliases:
+      - GHSA-mq39-4gv4-mvpx
+    events:
+      - timestamp: 2024-03-21T07:34:43Z
+        type: detection
+        data:
+          type: scan/v1
+          data:
+            subpackageName: buildkitd
+            componentID: 19cd3c2af876f2e9
+            componentName: github.com/docker/docker
+            componentVersion: v25.0.3+incompatible
+            componentType: go-module
+            componentLocation: /usr/bin/buildkitd
+            scanner: grype
+      - timestamp: 2024-03-21T11:43:47Z
+        type: fixed
+        data:
+          fixed-version: 0.13.1-r1
+
   - id: GHSA-7ww5-4wqc-m92c
     events:
       - timestamp: 2024-01-30T15:54:13Z

cadvisor.advisories.yaml

@@ -82,6 +82,27 @@ advisories:
         data:
           fixed-version: 0.48.1-r4
 
+  - id: CVE-2024-24557
+    aliases:
+      - GHSA-xw73-rw38-6vjc
+    events:
+      - timestamp: 2024-03-21T09:30:53Z
+        type: detection
+        data:
+          type: scan/v1
+          data:
+            subpackageName: cadvisor
+            componentID: 5fd69375a57c4040
+            componentName: github.com/docker/docker
+            componentVersion: v20.10.27+incompatible
+            componentType: go-module
+            componentLocation: /usr/bin/cadvisor
+            scanner: grype
+      - timestamp: 2024-03-21T11:23:06Z
+        type: fixed
+        data:
+          fixed-version: 0.49.1-r4
+
   - id: CVE-2024-24783
     aliases:
       - GHSA-3q2c-pvp5-3cqp
@@ -154,6 +175,27 @@ advisories:
         data:
           fixed-version: 0.49.1-r3
 
+  - id: CVE-2024-29018
+    aliases:
+      - GHSA-mq39-4gv4-mvpx
+    events:
+      - timestamp: 2024-03-21T09:30:51Z
+        type: detection
+        data:
+          type: scan/v1
+          data:
+            subpackageName: cadvisor
+            componentID: 5fd69375a57c4040
+            componentName: github.com/docker/docker
+            componentVersion: v20.10.27+incompatible
+            componentType: go-module
+            componentLocation: /usr/bin/cadvisor
+            scanner: grype
+      - timestamp: 2024-03-21T11:23:06Z
+        type: fixed
+        data:
+          fixed-version: 0.49.1-r4
+
   - id: GHSA-6xv5-86q9-7xr8
     events:
       - timestamp: 2023-09-09T15:18:01Z

cert-manager-1.12.advisories.yaml

@@ -78,6 +78,23 @@ advisories:
         data:
           fixed-version: 1.12.7-r2
 
+  - id: CVE-2024-24557
+    aliases:
+      - GHSA-xw73-rw38-6vjc
+    events:
+      - timestamp: 2024-03-25T10:04:27Z
+        type: detection
+        data:
+          type: scan/v1
+          data:
+            subpackageName: cmctl-1.12
+            componentID: 69719a35eed06ed4
+            componentName: github.com/docker/docker
+            componentVersion: v24.0.7+incompatible
+            componentType: go-module
+            componentLocation: /usr/bin/cmctl
+            scanner: grype
+
   - id: CVE-2024-24786
     aliases:
       - GHSA-8r3f-844c-mc37