
1.17 - CVE bitnami/kubernetes and Go bump #9684

Merged: 10 commits, Jun 28, 2024

Conversation

bewebi (Contributor) commented Jun 25, 2024

Description

Bump pinned go version and bitnami/kubectl image to resolve CVEs

Context

Routine Trivy scans identified CVE-2024-24790 in our images, with issues opened including #9669.
Issues were opened for all GA LTS branches, but not 1.18 and 1.17, as they are not yet in GA.
Nevertheless, we should resolve the CVE in all versions, and it's simplest to start from main and work backward.

While validating the existence of the CVE identified in LTS versions, we also found that CVE-2024-24788 is present in scans of v1.17.0-rc6

#9679 has been opened to add pre-releases to our scans moving forward

Interesting decisions

We bump bitnami/kubectl to the minor version that matches k8s dependencies in order to keep these in sync

Testing steps

I manually tested the latest released images as follows:

for service in gloo gloo-envoy-wrapper discovery ingress sds certgen access-logger kubectl; do trivy image --severity HIGH,CRITICAL "quay.io/solo-io/${service}:1.17.0-rc6"; done

Results:
2024-06-25T15:21:32-04:00	INFO	Need to update DB
2024-06-25T15:21:32-04:00	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
48.64 MiB / 48.64 MiB [-------------------------------------------------------------------------] 100.00% 6.69 MiB p/s 7.5s
2024-06-25T15:21:40-04:00	INFO	Vulnerability scanning is enabled
2024-06-25T15:21:40-04:00	INFO	Secret scanning is enabled
2024-06-25T15:21:40-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-25T15:21:40-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-25T15:21:47-04:00	INFO	Detected OS	family="ubuntu" version="20.04"
2024-06-25T15:21:47-04:00	INFO	[ubuntu] Detecting vulnerabilities...	os_version="20.04" pkg_num=98
2024-06-25T15:21:47-04:00	INFO	Number of language-specific files	num=1
2024-06-25T15:21:47-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/gloo:1.17.0-rc6 (ubuntu 20.04)

Total: 0 (HIGH: 0, CRITICAL: 0)


usr/local/bin/gloo (gobinary)

Total: 2 (HIGH: 1, CRITICAL: 1)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                           Title                            │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-24790 │ CRITICAL │ fixed  │ 1.22.2            │ 1.21.11, 1.22.4 │ golang: net/netip: Unexpected behavior from Is methods for │
│         │                │          │        │                   │                 │ IPv4-mapped IPv6 addresses                                 │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24790                 │
│         ├────────────────┼──────────┤        │                   ├─────────────────┼────────────────────────────────────────────────────────────┤
│         │ CVE-2024-24788 │ HIGH     │        │                   │ 1.22.3          │ golang: net: malformed DNS message can cause infinite loop │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24788                 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴────────────────────────────────────────────────────────────┘
2024-06-25T15:21:48-04:00	INFO	Vulnerability scanning is enabled
2024-06-25T15:21:48-04:00	INFO	Secret scanning is enabled
2024-06-25T15:21:48-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-25T15:21:48-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-25T15:21:51-04:00	INFO	Detected OS	family="ubuntu" version="20.04"
2024-06-25T15:21:51-04:00	INFO	[ubuntu] Detecting vulnerabilities...	os_version="20.04" pkg_num=98
2024-06-25T15:21:51-04:00	INFO	Number of language-specific files	num=1
2024-06-25T15:21:51-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/gloo-envoy-wrapper:1.17.0-rc6 (ubuntu 20.04)

Total: 0 (HIGH: 0, CRITICAL: 0)


usr/local/bin/envoyinit (gobinary)

Total: 2 (HIGH: 1, CRITICAL: 1)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                           Title                            │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-24790 │ CRITICAL │ fixed  │ 1.22.2            │ 1.21.11, 1.22.4 │ golang: net/netip: Unexpected behavior from Is methods for │
│         │                │          │        │                   │                 │ IPv4-mapped IPv6 addresses                                 │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24790                 │
│         ├────────────────┼──────────┤        │                   ├─────────────────┼────────────────────────────────────────────────────────────┤
│         │ CVE-2024-24788 │ HIGH     │        │                   │ 1.22.3          │ golang: net: malformed DNS message can cause infinite loop │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24788                 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴────────────────────────────────────────────────────────────┘
2024-06-25T15:21:52-04:00	INFO	Vulnerability scanning is enabled
2024-06-25T15:21:52-04:00	INFO	Secret scanning is enabled
2024-06-25T15:21:52-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-25T15:21:52-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-25T15:22:00-04:00	INFO	Detected OS	family="alpine" version="3.17.6"
2024-06-25T15:22:00-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=16
2024-06-25T15:22:00-04:00	INFO	Number of language-specific files	num=1
2024-06-25T15:22:00-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/discovery:1.17.0-rc6 (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)


usr/local/bin/discovery (gobinary)

Total: 2 (HIGH: 1, CRITICAL: 1)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                           Title                            │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-24790 │ CRITICAL │ fixed  │ 1.22.2            │ 1.21.11, 1.22.4 │ golang: net/netip: Unexpected behavior from Is methods for │
│         │                │          │        │                   │                 │ IPv4-mapped IPv6 addresses                                 │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24790                 │
│         ├────────────────┼──────────┤        │                   ├─────────────────┼────────────────────────────────────────────────────────────┤
│         │ CVE-2024-24788 │ HIGH     │        │                   │ 1.22.3          │ golang: net: malformed DNS message can cause infinite loop │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24788                 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴────────────────────────────────────────────────────────────┘
2024-06-25T15:22:00-04:00	INFO	Vulnerability scanning is enabled
2024-06-25T15:22:00-04:00	INFO	Secret scanning is enabled
2024-06-25T15:22:00-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-25T15:22:00-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-25T15:22:07-04:00	INFO	Detected OS	family="alpine" version="3.17.6"
2024-06-25T15:22:07-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=15
2024-06-25T15:22:07-04:00	INFO	Number of language-specific files	num=1
2024-06-25T15:22:07-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/ingress:1.17.0-rc6 (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)


usr/local/bin/ingress (gobinary)

Total: 2 (HIGH: 1, CRITICAL: 1)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                           Title                            │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-24790 │ CRITICAL │ fixed  │ 1.22.2            │ 1.21.11, 1.22.4 │ golang: net/netip: Unexpected behavior from Is methods for │
│         │                │          │        │                   │                 │ IPv4-mapped IPv6 addresses                                 │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24790                 │
│         ├────────────────┼──────────┤        │                   ├─────────────────┼────────────────────────────────────────────────────────────┤
│         │ CVE-2024-24788 │ HIGH     │        │                   │ 1.22.3          │ golang: net: malformed DNS message can cause infinite loop │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24788                 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴────────────────────────────────────────────────────────────┘
2024-06-25T15:22:08-04:00	INFO	Vulnerability scanning is enabled
2024-06-25T15:22:08-04:00	INFO	Secret scanning is enabled
2024-06-25T15:22:08-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-25T15:22:08-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-25T15:22:12-04:00	INFO	Detected OS	family="alpine" version="3.17.6"
2024-06-25T15:22:12-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=15
2024-06-25T15:22:12-04:00	INFO	Number of language-specific files	num=1
2024-06-25T15:22:12-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/sds:1.17.0-rc6 (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)


usr/local/bin/sds (gobinary)

Total: 2 (HIGH: 1, CRITICAL: 1)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                           Title                            │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-24790 │ CRITICAL │ fixed  │ 1.22.2            │ 1.21.11, 1.22.4 │ golang: net/netip: Unexpected behavior from Is methods for │
│         │                │          │        │                   │                 │ IPv4-mapped IPv6 addresses                                 │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24790                 │
│         ├────────────────┼──────────┤        │                   ├─────────────────┼────────────────────────────────────────────────────────────┤
│         │ CVE-2024-24788 │ HIGH     │        │                   │ 1.22.3          │ golang: net: malformed DNS message can cause infinite loop │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24788                 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴────────────────────────────────────────────────────────────┘
2024-06-25T15:22:13-04:00	INFO	Vulnerability scanning is enabled
2024-06-25T15:22:13-04:00	INFO	Secret scanning is enabled
2024-06-25T15:22:13-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-25T15:22:13-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-25T15:22:18-04:00	INFO	Detected OS	family="alpine" version="3.17.6"
2024-06-25T15:22:18-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=16
2024-06-25T15:22:18-04:00	INFO	Number of language-specific files	num=1
2024-06-25T15:22:18-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/certgen:1.17.0-rc6 (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)


usr/local/bin/certgen (gobinary)

Total: 2 (HIGH: 1, CRITICAL: 1)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                           Title                            │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-24790 │ CRITICAL │ fixed  │ 1.22.2            │ 1.21.11, 1.22.4 │ golang: net/netip: Unexpected behavior from Is methods for │
│         │                │          │        │                   │                 │ IPv4-mapped IPv6 addresses                                 │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24790                 │
│         ├────────────────┼──────────┤        │                   ├─────────────────┼────────────────────────────────────────────────────────────┤
│         │ CVE-2024-24788 │ HIGH     │        │                   │ 1.22.3          │ golang: net: malformed DNS message can cause infinite loop │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24788                 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴────────────────────────────────────────────────────────────┘
2024-06-25T15:22:18-04:00	INFO	Vulnerability scanning is enabled
2024-06-25T15:22:18-04:00	INFO	Secret scanning is enabled
2024-06-25T15:22:18-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-25T15:22:18-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-25T15:22:19-04:00	INFO	Detected OS	family="alpine" version="3.17.6"
2024-06-25T15:22:19-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=16
2024-06-25T15:22:19-04:00	INFO	Number of language-specific files	num=1
2024-06-25T15:22:19-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/access-logger:1.17.0-rc6 (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)


usr/local/bin/access-logger (gobinary)

Total: 2 (HIGH: 1, CRITICAL: 1)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                           Title                            │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-24790 │ CRITICAL │ fixed  │ 1.22.2            │ 1.21.11, 1.22.4 │ golang: net/netip: Unexpected behavior from Is methods for │
│         │                │          │        │                   │                 │ IPv4-mapped IPv6 addresses                                 │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24790                 │
│         ├────────────────┼──────────┤        │                   ├─────────────────┼────────────────────────────────────────────────────────────┤
│         │ CVE-2024-24788 │ HIGH     │        │                   │ 1.22.3          │ golang: net: malformed DNS message can cause infinite loop │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24788                 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴────────────────────────────────────────────────────────────┘
2024-06-25T15:22:20-04:00	INFO	Vulnerability scanning is enabled
2024-06-25T15:22:20-04:00	INFO	Secret scanning is enabled
2024-06-25T15:22:20-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-25T15:22:20-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-25T15:22:24-04:00	INFO	Detected OS	family="alpine" version="3.17.6"
2024-06-25T15:22:24-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=15
2024-06-25T15:22:24-04:00	INFO	Number of language-specific files	num=1
2024-06-25T15:22:24-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/kubectl:1.17.0-rc6 (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)


usr/local/bin/kubectl (gobinary)

Total: 1 (HIGH: 0, CRITICAL: 1)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────┬────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │  Fixed Version  │                           Title                            │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────┼────────────────────────────────────────────────────────────┤
│ stdlib  │ CVE-2024-24790 │ CRITICAL │ fixed  │ 1.21.9            │ 1.21.11, 1.22.4 │ golang: net/netip: Unexpected behavior from Is methods for │
│         │                │          │        │                   │                 │ IPv4-mapped IPv6 addresses                                 │
│         │                │          │        │                   │                 │ https://avd.aquasec.com/nvd/cve-2024-24790                 │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────┴────────────────────────────────────────────────────────────┘

I then rebuilt images locally from this branch and scanned them:

VERSION=1.17.0-cve make docker -B
for service in gloo gloo-envoy-wrapper discovery ingress sds certgen access-logger kubectl; do trivy image --severity HIGH,CRITICAL "quay.io/solo-io/${service}:1.17.0-cve"; done

Results:
2024-06-25T15:27:46-04:00	INFO	Vulnerability scanning is enabled
2024-06-25T15:27:46-04:00	INFO	Secret scanning is enabled
2024-06-25T15:27:46-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-25T15:27:46-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-25T15:27:47-04:00	INFO	Detected OS	family="ubuntu" version="20.04"
2024-06-25T15:27:47-04:00	INFO	[ubuntu] Detecting vulnerabilities...	os_version="20.04" pkg_num=98
2024-06-25T15:27:47-04:00	INFO	Number of language-specific files	num=1
2024-06-25T15:27:47-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/gloo:1.17.0-cve (ubuntu 20.04)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-06-25T15:27:47-04:00	INFO	Vulnerability scanning is enabled
2024-06-25T15:27:47-04:00	INFO	Secret scanning is enabled
2024-06-25T15:27:47-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-25T15:27:47-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-25T15:27:47-04:00	INFO	Detected OS	family="ubuntu" version="20.04"
2024-06-25T15:27:47-04:00	INFO	[ubuntu] Detecting vulnerabilities...	os_version="20.04" pkg_num=98
2024-06-25T15:27:47-04:00	INFO	Number of language-specific files	num=1
2024-06-25T15:27:47-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/gloo-envoy-wrapper:1.17.0-cve (ubuntu 20.04)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-06-25T15:27:48-04:00	INFO	Vulnerability scanning is enabled
2024-06-25T15:27:48-04:00	INFO	Secret scanning is enabled
2024-06-25T15:27:48-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-25T15:27:48-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-25T15:27:48-04:00	INFO	Detected OS	family="alpine" version="3.17.6"
2024-06-25T15:27:48-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=16
2024-06-25T15:27:48-04:00	INFO	Number of language-specific files	num=1
2024-06-25T15:27:48-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/discovery:1.17.0-cve (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-06-25T15:27:48-04:00	INFO	Vulnerability scanning is enabled
2024-06-25T15:27:48-04:00	INFO	Secret scanning is enabled
2024-06-25T15:27:48-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-25T15:27:48-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-25T15:27:48-04:00	INFO	Detected OS	family="alpine" version="3.17.6"
2024-06-25T15:27:48-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=15
2024-06-25T15:27:48-04:00	INFO	Number of language-specific files	num=1
2024-06-25T15:27:48-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/ingress:1.17.0-cve (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-06-25T15:27:49-04:00	INFO	Vulnerability scanning is enabled
2024-06-25T15:27:49-04:00	INFO	Secret scanning is enabled
2024-06-25T15:27:49-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-25T15:27:49-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-25T15:27:49-04:00	INFO	Detected OS	family="alpine" version="3.17.6"
2024-06-25T15:27:49-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=15
2024-06-25T15:27:49-04:00	INFO	Number of language-specific files	num=1
2024-06-25T15:27:49-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/sds:1.17.0-cve (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-06-25T15:27:49-04:00	INFO	Vulnerability scanning is enabled
2024-06-25T15:27:49-04:00	INFO	Secret scanning is enabled
2024-06-25T15:27:49-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-25T15:27:49-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-25T15:27:49-04:00	INFO	Detected OS	family="alpine" version="3.17.6"
2024-06-25T15:27:49-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=16
2024-06-25T15:27:49-04:00	INFO	Number of language-specific files	num=1
2024-06-25T15:27:49-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/certgen:1.17.0-cve (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-06-25T15:27:50-04:00	INFO	Vulnerability scanning is enabled
2024-06-25T15:27:50-04:00	INFO	Secret scanning is enabled
2024-06-25T15:27:50-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-25T15:27:50-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-25T15:27:50-04:00	INFO	Detected OS	family="alpine" version="3.17.6"
2024-06-25T15:27:50-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=16
2024-06-25T15:27:50-04:00	INFO	Number of language-specific files	num=1
2024-06-25T15:27:50-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/access-logger:1.17.0-cve (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-06-25T15:27:51-04:00	INFO	Vulnerability scanning is enabled
2024-06-25T15:27:51-04:00	INFO	Secret scanning is enabled
2024-06-25T15:27:51-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-25T15:27:51-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-25T15:27:51-04:00	INFO	Detected OS	family="alpine" version="3.17.6"
2024-06-25T15:27:51-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=15
2024-06-25T15:27:51-04:00	INFO	Number of language-specific files	num=1
2024-06-25T15:27:51-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/kubectl:1.17.0-cve (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)

I also tested the images published for the PR:

for service in gloo gloo-envoy-wrapper discovery ingress sds certgen access-logger kubectl; do trivy image --severity HIGH,CRITICAL "quay.io/solo-io/${service}:1.17.0-rc6-9684"; done

Results:
2024-06-25T18:16:00-04:00	INFO	Vulnerability scanning is enabled
2024-06-25T18:16:00-04:00	INFO	Secret scanning is enabled
2024-06-25T18:16:00-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-25T18:16:00-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-25T18:16:07-04:00	INFO	Detected OS	family="ubuntu" version="20.04"
2024-06-25T18:16:07-04:00	INFO	[ubuntu] Detecting vulnerabilities...	os_version="20.04" pkg_num=98
2024-06-25T18:16:07-04:00	INFO	Number of language-specific files	num=1
2024-06-25T18:16:07-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/gloo:1.17.0-rc6-9684 (ubuntu 20.04)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-06-25T18:16:08-04:00	INFO	Vulnerability scanning is enabled
2024-06-25T18:16:08-04:00	INFO	Secret scanning is enabled
2024-06-25T18:16:08-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-25T18:16:08-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-25T18:16:11-04:00	INFO	Detected OS	family="ubuntu" version="20.04"
2024-06-25T18:16:11-04:00	INFO	[ubuntu] Detecting vulnerabilities...	os_version="20.04" pkg_num=98
2024-06-25T18:16:11-04:00	INFO	Number of language-specific files	num=1
2024-06-25T18:16:11-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/gloo-envoy-wrapper:1.17.0-rc6-9684 (ubuntu 20.04)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-06-25T18:16:12-04:00	INFO	Vulnerability scanning is enabled
2024-06-25T18:16:12-04:00	INFO	Secret scanning is enabled
2024-06-25T18:16:12-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-25T18:16:12-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-25T18:16:19-04:00	INFO	Detected OS	family="alpine" version="3.17.6"
2024-06-25T18:16:19-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=16
2024-06-25T18:16:19-04:00	INFO	Number of language-specific files	num=1
2024-06-25T18:16:19-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/discovery:1.17.0-rc6-9684 (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-06-25T18:16:20-04:00	INFO	Vulnerability scanning is enabled
2024-06-25T18:16:20-04:00	INFO	Secret scanning is enabled
2024-06-25T18:16:20-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-25T18:16:20-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-25T18:16:26-04:00	INFO	Detected OS	family="alpine" version="3.17.6"
2024-06-25T18:16:26-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=15
2024-06-25T18:16:26-04:00	INFO	Number of language-specific files	num=1
2024-06-25T18:16:26-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/ingress:1.17.0-rc6-9684 (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-06-25T18:16:27-04:00	INFO	Vulnerability scanning is enabled
2024-06-25T18:16:27-04:00	INFO	Secret scanning is enabled
2024-06-25T18:16:27-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-25T18:16:27-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-25T18:16:31-04:00	INFO	Detected OS	family="alpine" version="3.17.6"
2024-06-25T18:16:31-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=15
2024-06-25T18:16:31-04:00	INFO	Number of language-specific files	num=1
2024-06-25T18:16:31-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/sds:1.17.0-rc6-9684 (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-06-25T18:16:32-04:00	INFO	Vulnerability scanning is enabled
2024-06-25T18:16:32-04:00	INFO	Secret scanning is enabled
2024-06-25T18:16:32-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-25T18:16:32-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-25T18:16:37-04:00	INFO	Detected OS	family="alpine" version="3.17.6"
2024-06-25T18:16:37-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=16
2024-06-25T18:16:37-04:00	INFO	Number of language-specific files	num=1
2024-06-25T18:16:37-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/certgen:1.17.0-rc6-9684 (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-06-25T18:16:38-04:00	INFO	Vulnerability scanning is enabled
2024-06-25T18:16:38-04:00	INFO	Secret scanning is enabled
2024-06-25T18:16:38-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-25T18:16:38-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-25T18:16:43-04:00	INFO	Detected OS	family="alpine" version="3.17.6"
2024-06-25T18:16:43-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=16
2024-06-25T18:16:43-04:00	INFO	Number of language-specific files	num=1
2024-06-25T18:16:43-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/access-logger:1.17.0-rc6-9684 (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)

2024-06-25T18:16:44-04:00	INFO	Vulnerability scanning is enabled
2024-06-25T18:16:44-04:00	INFO	Secret scanning is enabled
2024-06-25T18:16:44-04:00	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-06-25T18:16:44-04:00	INFO	Please see also https://aquasecurity.github.io/trivy/v0.52/docs/scanner/secret/#recommendation for faster secret detection
2024-06-25T18:16:48-04:00	INFO	Detected OS	family="alpine" version="3.17.6"
2024-06-25T18:16:48-04:00	INFO	[alpine] Detecting vulnerabilities...	os_version="3.17" repository="3.17" pkg_num=15
2024-06-25T18:16:48-04:00	INFO	Number of language-specific files	num=1
2024-06-25T18:16:48-04:00	INFO	[gobinary] Detecting vulnerabilities...

quay.io/solo-io/kubectl:1.17.0-rc6-9684 (alpine 3.17.6)

Total: 0 (HIGH: 0, CRITICAL: 0)

I also did these steps for the -distroless images.

Checklist:

  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have added tests that prove my fix is effective or that my feature works

@solo-changelog-bot

Issues linked to changelog:
#9669

@github-actions github-actions bot added the keep pr updated signals bulldozer to keep pr up to date with base branch label Jun 25, 2024
@soloio-bulldozer soloio-bulldozer bot merged commit 840a1a9 into v1.17.x Jun 28, 2024
18 checks passed
@soloio-bulldozer soloio-bulldozer bot deleted the cve-1.17.0-rc6 branch June 28, 2024 14:52
@bewebi bewebi mentioned this pull request Jun 28, 2024