
Reporting vulnerability in timescale/timescaledb-ha #463

Open
anshulgangrade opened this issue May 28, 2024 · 7 comments
Comments

anshulgangrade commented May 28, 2024

Name and Version
timescale/timescaledb-ha:pg14.5-ts2.8.0-p1

What steps will reproduce the bug?
Posting it here as I could not report the security vulnerability as an issue due to the policy.

We are running a Trivy scan to find vulnerabilities in the timescaledb container. We see many CVEs reported on Ubuntu, as below. Please suggest how to fix them.

.\trivy image --format template --template "@contrib/html.tpl" -o timescale_report.html timescale/timescaledb-ha:pg14.5-ts2.8.0-p1 --ignore-unfixed


What is the expected behavior?
$ trivy image timescale/timescaledb-ha:pg14.5-ts2.8.0-p1 --ignore-unfixed
Attached is the report in PDF. Expected behavior is to have 0 vulnerabilities.
timescale_timescaledb-ha_pg14.5-ts2.8.0-p1.pdf

Additional information
How to remediate the CVEs reported?

graveland (Collaborator) commented

I haven't checked recently, but that's an ancient image. Please try against the latest builds.

anshulgangrade (Author) commented Jun 6, 2024

Please find attached the newer image vulnerability report. It covers the image used by the timescale/timescaledb-single chart, version 0.33.1.
timescale_timescaledb-ha_pg14.6-ts2.9.1-p1.pdf

anshulgangrade (Author) commented

@graveland Any updates?

graveland (Collaborator) commented

That image was built approximately a year ago. For this repository, the latest right now is pg14.12-ts2.15.2. Please note the repository you're talking about has this notice: "This project is no longer maintained."

anshulgangrade (Author) commented

Thanks @graveland for your comments. I did a scan on pg14.12-ts2.15.2 as well.
timescale_timescaledb-ha_pg14.12-ts2.15.2.pdf

4 highs are present in this one. Since this project is no longer maintained, there would be no effort to remediate them?

graveland (Collaborator) commented

The vulnerabilities reported in that report are all in packages installed via apt-get, so fixes for them depend on when the fixes arrive upstream. The images are rebuilt every week, so if you want to keep up with the latest fixes, pulling and restarting database servers regularly is recommended.

The vulnerabilities listed against mysql for example are mostly addressed in https://launchpad.net/ubuntu/+source/mysql-8.0/8.0.37-0ubuntu0.24.04.1, which means it should hopefully be available soon.
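Added example, not code from the issue or from the timescaledb-ha project: a small Python script that takes the JSON output of `trivy image --format json` and sorts findings the way the discussion above does. It separates CVEs for which the distribution has already published a fixed package from those still waiting on an upstream fix (the same distinction the `--ignore-unfixed` flag in the reporter's command makes at scan time) and groups the fixable ones by apt package, so you can see what the next weekly rebuild would actually close. The embedded report is constructed, with placeholder CVE ids, package names and versions; the field layout it assumes (`Results[].Vulnerabilities[]` with `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`, `Severity`, `Status`) is Trivy's schema-version-2 JSON shape and is an assumption about the tool, not something stated in the issue.

```python
"""Triage a Trivy JSON report: split findings into "fix published upstream" and
"no fix yet", then group the fixable ones by package."""
import json
from collections import defaultdict

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample in the shape of `trivy image --format json` output (schema
# version 2). CVE ids, package names and versions are placeholders, not findings
# from the reports attached to the issue.
SAMPLE_TRIVY_JSON = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "timescale/timescaledb-ha:EXAMPLE-TAG",
    "Results": [
        {
            "Target": "timescale/timescaledb-ha:EXAMPLE-TAG (ubuntu 22.04)",
            "Class": "os-pkgs",
            "Type": "ubuntu",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample1",
                 "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2",
                 "Severity": "HIGH", "Status": "fixed"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libexample1",
                 "InstalledVersion": "1.0-1", "FixedVersion": "",
                 "Severity": "HIGH", "Status": "affected"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "othertool",
                 "InstalledVersion": "3.2", "FixedVersion": "",
                 "Severity": "MEDIUM", "Status": "will_not_fix"},
                {"VulnerabilityID": "CVE-0000-0004", "PkgName": "othertool",
                 "InstalledVersion": "3.2", "FixedVersion": "3.3",
                 "Severity": "CRITICAL", "Status": "fixed"},
            ],
        },
        {
            "Target": "usr/local/lib/python3/site-packages/example/METADATA",
            "Class": "lang-pkgs",
            "Type": "python-pkg",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0005", "PkgName": "examplepkg",
                 "InstalledVersion": "0.9", "FixedVersion": "1.0",
                 "Severity": "LOW", "Status": "fixed"},
            ],
        },
    ],
})


def load_findings(report_json):
    """Flatten Results[*].Vulnerabilities[*] into one list, carrying the result's
    package class (os-pkgs vs lang-pkgs) and type on each finding."""
    report = json.loads(report_json)
    findings = []
    for result in report.get("Results", []):
        # Trivy omits the key entirely for targets with no findings.
        for vuln in result.get("Vulnerabilities") or []:
            findings.append({
                "id": vuln["VulnerabilityID"],
                "pkg": vuln["PkgName"],
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion", ""),
                "severity": vuln.get("Severity", "UNKNOWN").upper(),
                "status": vuln.get("Status", ""),
                "class": result.get("Class", ""),
                "type": result.get("Type", ""),
            })
    return findings


def triage(findings, min_severity="HIGH"):
    """Keep findings at or above min_severity and split them by whether the
    distribution has published a fixed package version (an empty FixedVersion
    is what --ignore-unfixed drops at scan time)."""
    threshold = SEVERITY_RANK[min_severity]
    fixable, unfixed = [], []
    for f in findings:
        if SEVERITY_RANK.get(f["severity"], 0) < threshold:
            continue
        (fixable if f["fixed"] else unfixed).append(f)
    return fixable, unfixed


def upgrade_plan(fixable):
    """Group fixable findings by package: which version(s) close which CVEs."""
    plan = defaultdict(lambda: {"installed": "", "fixed_versions": set(), "cves": set()})
    for f in fixable:
        entry = plan[f["pkg"]]
        entry["installed"] = f["installed"]
        entry["fixed_versions"].add(f["fixed"])
        entry["cves"].add(f["id"])
    return dict(plan)


def render(findings, min_severity="HIGH"):
    """Human-readable summary: what a rebuild against current apt repos would fix,
    and what still has no upstream fix."""
    fixable, unfixed = triage(findings, min_severity)
    lines = [f"{len(fixable)} finding(s) >= {min_severity} with an upstream fix, "
             f"{len(unfixed)} without"]
    for pkg, entry in sorted(upgrade_plan(fixable).items()):
        versions = "/".join(sorted(entry["fixed_versions"]))
        lines.append(f"  upgrade {pkg} {entry['installed']} -> {versions}: "
                     f"{', '.join(sorted(entry['cves']))}")
    for f in unfixed:
        lines.append(f"  no fix yet: {f['id']} in {f['pkg']} {f['installed']} "
                     f"(status={f['status'] or 'n/a'})")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    # Pass a real report path (trivy image --format json -o report.json ...) or
    # run with no argument to use the constructed sample.
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TRIVY_JSON
    print(render(load_findings(raw)))
```

The "no fix yet" bucket is the part worth watching between rebuilds: the maintainer's point is that those findings move only when the distribution ships a fixed package, so re-running the scan against each weekly image and diffing this bucket is more informative than a raw count.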

graveland (Collaborator) commented

This project is actively maintained, it's the helm charts that aren't. You'll have to update your own image tag to point to whichever -ha image you want to run.
