
Changelog - Please update when CVE's are patched

Open dgresh1 opened this issue 2 years ago • 1 comment

I have been working with AWS Support about Critical CVEs that are present in the images. I have seen some Changelog notes reflect when CVEs are remediated. However, the 4/29 release doesn't mention any CVEs being remediated.

Support is telling me that CVE-2022-22817 (Python-Pillow) has been resolved with the 4/29 release. If this is correct, can the Changelog reflect that, or can future releases include which CVEs have been remediated? It helps me know which versions I should be applying.

dgresh1 avatar May 20 '22 14:05 dgresh1

We generally only document packages (and their CVEs) that are directly related to EKS functionality (the kernel, containerd, docker, various GPU-related bits, etc.). I believe some docker client components are written in python, so maybe that's how this package is getting pulled in?

It's unlikely that we'll document every package present in the AMI to this degree of detail, in order to keep our docs maintainable and approachable. We use AWS Inspector in our build process to identify things like this, and many of our users use some kind of similar tool to deal with the onslaught of CVEs, understand their priority, and build automation to deal with them.

That being said, we are working on a better way to document vulnerabilities (and patches) for the most critical software in the AMI. I'll leave this issue open to track that effort.

cartermckinnon avatar Jun 16 '22 18:06 cartermckinnon