Security Alert: 1.13.37 #9478

Open
soloio-bot opened this issue May 13, 2024 · 2 comments
Comments

@soloio-bot
quay.io/solo-io/kubectl:1.13.37

No Vulnerabilities Found for quay.io/solo-io/kubectl:1.13.37 (alpine 3.17.6)

Vulnerabilities Listed for usr/local/bin/kubectl

| Vulnerability ID | Package | Severity | Installed Version | Fixed Version | Reference |
|---|---|---|---|---|---|
| CVE-2023-39325 | stdlib | HIGH | 1.20.6 | 1.20.10, 1.21.3 | https://avd.aquasec.com/nvd/cve-2023-39325 |
| CVE-2023-45283 | stdlib | HIGH | 1.20.6 | 1.20.11, 1.21.4, 1.20.12, 1.21.5 | https://avd.aquasec.com/nvd/cve-2023-45283 |
| CVE-2023-45288 | stdlib | HIGH | 1.20.6 | 1.21.9, 1.22.2 | https://avd.aquasec.com/nvd/cve-2023-45288 |
sam-heilbron commented May 28, 2024

History

This is a subset of errors that were first encountered in #9443. @sheidkamp opened a PR #9452 to resolve this.

Local Run

When I run the scan locally:

trivy image --severity HIGH,CRITICAL quay.io/solo-io/kubectl:1.13.37

I do not get any errors:

2024-05-28T11:56:22.790-0600    INFO    Need to update DB
2024-05-28T11:56:22.790-0600    INFO    DB Repository: ghcr.io/aquasecurity/trivy-db
2024-05-28T11:56:22.790-0600    INFO    Downloading DB...
47.35 MiB / 47.35 MiB [-----------------------------------------------------------------------] 100.00% 843.68 KiB p/s 58s
2024-05-28T11:57:21.602-0600    INFO    Vulnerability scanning is enabled
2024-05-28T11:57:21.602-0600    INFO    Secret scanning is enabled
2024-05-28T11:57:21.602-0600    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-28T11:57:21.602-0600    INFO    Please see also https://aquasecurity.github.io/trivy/v0.49/docs/scanner/secret/#recommendation for faster secret detection
2024-05-28T11:58:03.596-0600    INFO    Detected OS: alpine
2024-05-28T11:58:03.596-0600    INFO    Detecting Alpine vulnerabilities...
2024-05-28T11:58:03.599-0600    INFO    Number of language-specific files: 0

quay.io/solo-io/kubectl:1.13.37 (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)

I noticed that the version of trivy that I had installed:

➜  gloo git:(sam/nightly-kube-e2e-tests) trivy version
Version: 0.49.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-05-28 12:19:45.019419423 +0000 UTC
  NextUpdate: 2024-05-28 18:19:45.019419193 +0000 UTC
  DownloadedAt: 2024-05-28 17:57:21.602629 +0000 UTC

Did not match the version used in CI (see below):

Using Trivy v0.51.4

I noticed that we actually ignore the vulnerabilities that are reported, so I ran the local scan again:

trivy image --severity HIGH,CRITICAL quay.io/solo-io/kubectl:1.13.37 --ignorefile ./.trivyignore

Again, I saw no vulnerabilities listed (as expected).

Most recent CI run

From the logs of the most recent security scan (logs), I see:

Using Trivy v0.51.4
{"level":"debug","ts":"2024-05-27T08:38:16.784Z","caller":"securityscanutils/trivy_scanner.go:77","msg":"Trivy found vulnerabilies after 2.628438615s in quay.io/solo-io/kubectl:1.13.37"}

But I don't see any comment on the issue, or an update to indicate that the job performed an update.

@sam-heilbron
There is an open conversation around the two approaches we can take to solve this:

  • Update the trivyignore file on the main branch to include the necessary values that our LTS branches require
  • Update our job to run per branch, so that it can checkout the trivyignore for the given branch

I am happy with either direction that is chosen. Given that this is remaining work left over from the previous effort to fix these vulnerabilities, I am assigning this to @sheidkamp
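Both comments above come down to the same mechanism: the scan job's result depends not only on the Trivy version and DB it runs, but on which branch's .trivyignore it applies to the report. The block below is an added example written for this page; it is not gloo's securityscanutils code and does not reproduce its behaviour. It parses a Trivy JSON report (the field names are those of `trivy image -f json` schema 2), drops entries that the ignore file suppresses, and returns what is left, which is what a job must treat as a failure. The report, the "main" ignore file and the "LTS" ignore file are constructed inline to mirror the three stdlib findings in the bot comment; the `exp:YYYY-MM-DD` handling is an assumed reading of Trivy's expiry syntax, not a verified reimplementation of it.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Vulnerability and Report mirror the subset of `trivy image -f json` output
// (schema v2 field names, so no struct tags are needed) that a gating job uses.
type Vulnerability struct {
	VulnerabilityID, PkgName, InstalledVersion, FixedVersion, Severity, PrimaryURL string
}
type Report struct {
	Results []struct {
		Target          string
		Vulnerabilities []Vulnerability
	}
}

// Finding is one unsuppressed vulnerability plus the target it was found in.
type Finding struct {
	Target string
	Vulnerability
}

var severityRank = map[string]int{"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

// ParseIgnoreFile reads .trivyignore text: one vulnerability ID per line and
// '#' starts a comment. An optional "exp:YYYY-MM-DD" token after the ID is
// assumed here to mean the suppression stops applying on that date.
func ParseIgnoreFile(content string, now time.Time) (map[string]bool, error) {
	ignored := map[string]bool{}
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		line, _, _ := strings.Cut(sc.Text(), "#") // drop trailing comment
		fields := strings.Fields(line)
		if len(fields) == 0 {
			continue
		}
		id, active := fields[0], true
		for _, tok := range fields[1:] {
			if strings.HasPrefix(tok, "exp:") {
				exp, err := time.Parse("2006-01-02", strings.TrimPrefix(tok, "exp:"))
				if err != nil {
					return nil, fmt.Errorf("%s: bad expiry %q: %w", id, tok, err)
				}
				active = active && now.Before(exp) // an expired entry is reported again
			}
		}
		if active {
			ignored[id] = true
		}
	}
	return ignored, sc.Err()
}

// Gate returns the findings at or above minSeverity that the ignore file does
// not suppress: an empty result passes the scan, anything else should fail it.
func Gate(reportJSON, ignoreFile, minSeverity string, now time.Time) ([]Finding, error) {
	var rep Report
	if err := json.Unmarshal([]byte(reportJSON), &rep); err != nil {
		return nil, fmt.Errorf("parse report: %w", err)
	}
	ignored, err := ParseIgnoreFile(ignoreFile, now)
	if err != nil {
		return nil, err
	}
	var out []Finding
	for _, r := range rep.Results {
		for _, v := range r.Vulnerabilities {
			if severityRank[v.Severity] >= severityRank[minSeverity] && !ignored[v.VulnerabilityID] {
				out = append(out, Finding{Target: r.Target, Vulnerability: v})
			}
		}
	}
	return out, nil
}

// SampleReport is constructed, not real Trivy output; it reproduces the three
// stdlib findings from the bot comment above.
const SampleReport = `{"SchemaVersion":2,"ArtifactName":"quay.io/solo-io/kubectl:1.13.37","Results":[
 {"Target":"quay.io/solo-io/kubectl:1.13.37 (alpine 3.17.6)","Class":"os-pkgs","Type":"alpine"},
 {"Target":"usr/local/bin/kubectl","Class":"lang-pkgs","Type":"gobinary","Vulnerabilities":[
  {"VulnerabilityID":"CVE-2023-39325","PkgName":"stdlib","InstalledVersion":"1.20.6","FixedVersion":"1.20.10, 1.21.3","Severity":"HIGH","PrimaryURL":"https://avd.aquasec.com/nvd/cve-2023-39325"},
  {"VulnerabilityID":"CVE-2023-45283","PkgName":"stdlib","InstalledVersion":"1.20.6","FixedVersion":"1.20.11, 1.21.4, 1.20.12, 1.21.5","Severity":"HIGH","PrimaryURL":"https://avd.aquasec.com/nvd/cve-2023-45283"},
  {"VulnerabilityID":"CVE-2023-45288","PkgName":"stdlib","InstalledVersion":"1.20.6","FixedVersion":"1.21.9, 1.22.2","Severity":"HIGH","PrimaryURL":"https://avd.aquasec.com/nvd/cve-2023-45288"}]}]}`

// IgnoreMain stands in for a main-branch .trivyignore that predates the newest
// finding; IgnoreLTS is what an LTS branch would need. Both are constructed.
const IgnoreMain = "# Go stdlib issues addressed on the LTS branch\nCVE-2023-39325\nCVE-2023-45283\n"
const IgnoreLTS = IgnoreMain + "CVE-2023-45288 exp:2024-12-31 # revisit after the Go toolchain bump\n"

func main() {
	now := time.Date(2024, 5, 27, 0, 0, 0, 0, time.UTC)
	for name, ignore := range map[string]string{"main": IgnoreMain, "lts": IgnoreLTS} {
		findings, err := Gate(SampleReport, ignore, "HIGH", now)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s .trivyignore: %d unsuppressed finding(s) %+v\n", name, len(findings), findings)
	}
}
```

Run with `go run`: against the "main" ignore file one HIGH finding (CVE-2023-45288) survives and the job should fail, against the "lts" file nothing survives and it passes. That is the shape of the discrepancy in the thread, and it holds whichever of the two fixes is chosen: the ignore file the job reads has to be the one that matches the branch the image was built from. The expiry token is worth keeping in either case, so a suppression added for a pinned LTS toolchain is re-examined rather than silently kept forever.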
