rebase: fix CVEs in the image #3526
Conversation
mergify
bot
added
component/build
|
@Madhu-1 this PR should fix most of the ceph csi image specific vulnarabilities reported in the scan. Can you take a look at this in priority? |
api/go.mod
Outdated
| @@ -1,10 +1,32 @@ | |||
| module github.com/ceph/ceph-csi/api | |||
|
|
|||
| go 1.16 | |||
| go 1.18 | |||
There was a problem hiding this comment.
This requires consumers of the API to use Go 1.18. Ideally we provide the API for the lpwest, still supported Go version?
There was a problem hiding this comment.
no.., 1.16 and 1.17 are unsupported or already hit EOL.
@nixpanic I have mentioned which CVEs and kept only that change in the PR. ptal. |
Indeed these are different areas and small. But I have already put into seperate commits eventhough its a single PR. More or less, I didnt see value running different CI tests and wasting resources for each of this change , so combined into one PR. Regardless I am splitting this to different PRs now. |
|
Why the urgency for these? CVE-2022-27664: http server issue after |
nixpanic
added
rebase
@nixpanic all the security reports against Ceph CSI report this vulnerability. Unfortunately even security reports run on projects which consume Ceph CSI image also list down these vulnerabilities and this has been reported by those maintainers too. One example here is CNCF project Rook. |
|
Sure, lots of security scanners report issues with container images because vulnerable code is included. But if the code is not used, there is no urgency to update it. This isn't only for Go packages, but also for the RPMs that come with the OS base container image. Explaining why a CVE needs to be fixed is important for prioritization, and shows that reported CVEs are taking seriously. A quick glance does not give me a hint that this can be exploited, so for me this has the same priority as a normal rebase of a dependency. |
|
@Mergifyio rebase |
This commit update dependencies which is required to fix below CVEs. CVE-2022-27664 CVE-2022-27191 Signed-off-by: Humble Chirammal <[email protected]>
✅ Branch has been successfully rebased |
|
/test ci/centos/k8s-e2e-external-storage/1.23 |
|
/test ci/centos/k8s-e2e-external-storage/1.24 |
|
/test ci/centos/k8s-e2e-external-storage/1.25 |
|
/test ci/centos/mini-e2e-helm/k8s-1.23 |
|
/test ci/centos/mini-e2e-helm/k8s-1.24 |
|
/test ci/centos/mini-e2e-helm/k8s-1.25 |
|
/test ci/centos/mini-e2e/k8s-1.23 |
|
/test ci/centos/mini-e2e/k8s-1.24 |
|
/test ci/centos/mini-e2e/k8s-1.25 |
|
/test ci/centos/upgrade-tests-cephfs |
|
/test ci/centos/upgrade-tests-rbd |
|
/retest ci/centos/mini-e2e-helm/k8s-1.24 |
|
@Mergifyio requeue |
❌ This pull request head commit has not been previously disembarked from queue. |
mergify
bot
added
ok-to-test
|
/test ci/centos/k8s-e2e-external-storage/1.23 |
|
/test ci/centos/k8s-e2e-external-storage/1.24 |
|
/test ci/centos/k8s-e2e-external-storage/1.25 |
|
/test ci/centos/mini-e2e-helm/k8s-1.23 |
|
/test ci/centos/mini-e2e-helm/k8s-1.24 |
|
/test ci/centos/mini-e2e-helm/k8s-1.25 |
|
/test ci/centos/mini-e2e/k8s-1.23 |
|
/test ci/centos/mini-e2e/k8s-1.24 |
|
/test ci/centos/mini-e2e/k8s-1.25 |
|
/test ci/centos/upgrade-tests-cephfs |
|
/test ci/centos/upgrade-tests-rbd |
This commit update dependencies which is required to fix below CVEs.
Signed-off-by: Humble Chirammal [email protected]