descheduler icon indicating copy to clipboard operation
descheduler copied to clipboard

Published 20 hours ago verified publisher icon kubernetes-sigs

The descheduler trivy security scanning is reporting critical CVE-2022-1996

Open rsvalerio opened this issue 3 years ago • 5 comments
trafficstars

What version of descheduler are you using? The version v0.24.1

Does this issue reproduce with the latest release? Yes

Which descheduler CLI options are you using? Runtime is not needed as we can scan the binary directly without running it

Please provide a copy of your descheduler policy config file Runtime is not needed as we can scan the binary directly without running it

What k8s version are you using (kubectl version)? Runtime is not needed as we can scan the binary directly without running it

What did you do?

trivy image --ignore-unfixed --severity CRITICAL k8s.gcr.io/descheduler/descheduler:v0.24.1

What did you expect to see?

=====================
Total: 0 (CRITICAL: 0)

What did you see instead?

==========================
Total: 1 (CRITICAL: 1)

+--------------------------------+------------------+----------+---------------------+---------------+--------------------------------------+
|            LIBRARY             | VULNERABILITY ID | SEVERITY |  INSTALLED VERSION  | FIXED VERSION |                TITLE                 |
+--------------------------------+------------------+----------+---------------------+---------------+--------------------------------------+
| github.com/emicklei/go-restful | CVE-2022-1996    | CRITICAL | v2.9.5+incompatible | v3.8.0        | go-restful: Authorization Bypass     |
|                                |                  |          |                     |               | Through User-Controlled Key          |
|                                |                  |          |                     |               | -->avd.aquasec.com/nvd/cve-2022-1996 |
+--------------------------------+------------------+----------+---------------------+---------------+--------------------------------------+

First of all, thanks for this great tool!

I'll be happy to help with this if I can.

Cheers.

rsvalerio avatar Aug 02 '22 15:08 rsvalerio

Thanks @rsvalerio, this seems like a transitive dependency, probably from one of the k8s libraries if I had to guess. Let's see if bumping those brings in the fixed version and if so we can backport it through the supported descheduler versions. If you'd like to help with that please feel free to self-assign

damemi avatar Aug 02 '22 16:08 damemi

yes, you are right!

I've bumped versions to the latest, but still using old transitive dependency for go-restful.

	github.com/client9/misspell v0.3.4
	github.com/spf13/cobra v1.5.0
	github.com/spf13/pflag v1.0.5
	k8s.io/api v0.24.3
	k8s.io/apimachinery v0.24.3
	k8s.io/apiserver v0.24.3
	k8s.io/client-go v0.24.3
	k8s.io/code-generator v0.24.3
	k8s.io/component-base v0.24.3
	k8s.io/component-helpers v0.24.3
	k8s.io/klog/v2 v2.70.1
	k8s.io/kubectl v0.24.3
	k8s.io/utils v0.0.0-20220728103510-ee6ede2d64ed
	sigs.k8s.io/mdtoc v1.1.0

And some of these dependencies need a code change.

I already see some movement about it, like here preparing a next release o 0.25 and k8s 1.25

rsvalerio avatar Aug 03 '22 10:08 rsvalerio

@rsvalerio thanks for confirming that. If they backport this update upstream, then we should be able to pull it in to our versions by just updating the k8s deps and we can put out a patch. Otherwise, it might be tougher to bump just this dependency but we can still try. Either way, if they're working on it for 1.25 then it will get pulled into our next release (v0.25.0)

damemi avatar Aug 03 '22 12:08 damemi

thanks a lot for bring this ! i will add gh-action for security scanning~~

JaneLiuL avatar Aug 05 '22 06:08 JaneLiuL

add ci pr here: https://github.com/kubernetes-sigs/descheduler/pull/898, will hold until we fix this security issue

JaneLiuL avatar Aug 05 '22 08:08 JaneLiuL

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot avatar Nov 03 '22 09:11 k8s-triage-robot

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

k8s-triage-robot avatar Dec 03 '22 09:12 k8s-triage-robot

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Reopen this issue with /reopen
  • Mark this issue as fresh with /remove-lifecycle rotten
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close not-planned

k8s-triage-robot avatar Jan 02 '23 10:01 k8s-triage-robot

@k8s-triage-robot: Closing this issue, marking it as "Not Planned".

In response to this:

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Reopen this issue with /reopen
  • Mark this issue as fresh with /remove-lifecycle rotten
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close not-planned

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

k8s-ci-robot avatar Jan 02 '23 10:01 k8s-ci-robot