Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CVEs in v2.13.0 #2512

Open
jranabahu opened this issue Sep 26, 2024 · 9 comments
Open

CVEs in v2.13.0 #2512

jranabahu opened this issue Sep 26, 2024 · 9 comments
Labels
help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. kind/bug Categorizes issue or PR as related to a bug. triage/accepted Indicates an issue or PR is ready to be actively worked on.

Comments

@jranabahu
Copy link

What happened:

trivy scanning reports 3(1 HIGH and 2 MEDIUM) CVEs in 2.13.0 image.

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────┬─────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version  │                            Title                            │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-34156 │ HIGH     │ fixed  │ 1.22.5            │ 1.22.7, 1.23.1 │ encoding/gob: golang: Calling Decoder.Decode on a message   │
│         │                │          │        │                   │                │ which contains deeply nested structures...                  │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-34156                  │
│         ├────────────────┼──────────┤        │                   │                ├─────────────────────────────────────────────────────────────┤
│         │ CVE-2024-34155 │ MEDIUM   │        │                   │                │ go/parser: golang: Calling any of the Parse functions       │
│         │                │          │        │                   │                │ containing deeply nested literals...                        │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-34155                  │
│         ├────────────────┤          │        │                   │                ├─────────────────────────────────────────────────────────────┤
│         │ CVE-2024-34158 │          │        │                   │                │ go/build/constraint: golang: Calling Parse on a "// +build" │
│         │                │          │        │                   │                │ build tag line with...                                      │
│         │                │          │        │                   │                │ https://avd.aquasec.com/nvd/cve-2024-34158                  │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────┴─────────────────────────────────────────────────────────────┘

What you expected to happen:
For this for get resolved with the updates. Atleast for high severity.

How to reproduce it (as minimally and precisely as possible):
Scanning the image through trivy

Anything else we need to know?:
Let me know if this is not right way to submit

  • kube-state-metrics version: 2.13.0
  • Kubernetes version (use kubectl version):
  • Cloud provider or hardware configuration:
  • Other info:
@jranabahu jranabahu added the kind/bug Categorizes issue or PR as related to a bug. label Sep 26, 2024
@k8s-ci-robot k8s-ci-robot added the needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. label Sep 26, 2024
@dgrisonnet
Copy link
Member

/triage accepted
/help

@k8s-ci-robot
Copy link
Contributor

@dgrisonnet:
This request has been marked as needing help from a contributor.

Guidelines

Please ensure that the issue body includes answers to the following questions:

  • Why are we solving this issue?
  • To address this issue, are there any code changes? If there are code changes, what needs to be done in the code and what places can the assignee treat as reference points?
  • Does this issue have zero to low barrier of entry?
  • How can the assignee reach out to you for help?

For more details on the requirements of such an issue, please see here and ensure that they are met.

If this request no longer meets these requirements, the label can be removed
by commenting with the /remove-help command.

In response to this:

/triage accepted
/help

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Oct 3, 2024
This was referenced Oct 9, 2024
Closed
Open
@jranabahu
Copy link
Author

I can see that this is fixed with PR: #2493.
Could you do a release with these changes since this is a CVE fix?

@martidelviscovo
Copy link

Hello! Any updates here? Can we do a release with this fix please?

@dgrisonnet
Copy link
Member

Looking briefly at the CVEs, the codebase shouldn't be impacted, so I don't think we need to urgently cut a new release to fix them.

cc @mrueg

@PelagicGames
Copy link

Is there a case for a patch release (2.13.1)?

@dgrisonnet
Copy link
Member

There could be, but I think @mrueg wanted to cut 2.14.0 soon

@mrueg
Copy link
Member

mrueg commented Oct 15, 2024
edited
Loading

I agree with @dgrisonnet, please provide more info if you believe kube-state-metrics is affected by the CVEs, otherwise I'd treat them as a false positive and you can use https://github.com/openvex/vexctl to silence those.

I have created a milestone for v2.14.0 if you want to follow that for the release.

@martidelviscovo
Copy link

Hello @mrueg, thank you for opening the milestone. I see no due date, is there an estimate for when 2.14 would be cut though? Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. kind/bug Categorizes issue or PR as related to a bug. triage/accepted Indicates an issue or PR is ready to be actively worked on.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@mrueg @jranabahu @PelagicGames @k8s-ci-robot @dgrisonnet @martidelviscovo