
Configbump update

Open LMantovan opened this issue 10 months ago • 2 comments

Running trivy image on configbump:v7.99.0, it turns out that we have 42 vulnerabilities (4 Critical, 17 High and 21 Medium).

The majority of these are because you use old versions of Go modules.

A suggestion would be to run go get -u=patch ./... to update the modules to the latest version without breaking changes, and then to build a new version of the image.

By doing so, the vulnerabilities will be consistently reduced to only 5.

Is it possible to have this type of patch?

LMantovan, Mar 06 '25 11:03
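As an added example (not part of this issue or of the configbump project), a small script that reads a trivy JSON report, tallies findings by severity, and separates those that already have a fixed version (the ones a module bump such as go get -u=patch, or a base-image update, can remove) from those with no fix yet, grouped by whether trivy attributed them to the Go binary or to OS packages. The report embedded below is constructed for the demo, not a scan of configbump, and its CVE identifiers are placeholders.

```python
import json
from collections import Counter

# Constructed sample in trivy's JSON report layout. Not a real scan of
# configbump; the VulnerabilityID values are placeholders.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {
            "Target": "usr/local/bin/configbump",
            "Type": "gobinary",  # findings against Go modules compiled into the binary
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-SAMPLE-0001", "PkgName": "golang.org/x/net",
                 "InstalledVersion": "v0.0.1", "FixedVersion": "v0.0.2", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-SAMPLE-0002", "PkgName": "golang.org/x/crypto",
                 "InstalledVersion": "v0.0.1", "FixedVersion": "v0.0.3", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-SAMPLE-0003", "PkgName": "example.com/somemod",
                 "InstalledVersion": "v1.0.0", "FixedVersion": "", "Severity": "MEDIUM"},
            ],
        },
        {
            "Target": "example.invalid/configbump:vX (debian 12)",
            "Type": "debian",  # findings against OS packages from the base image
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-SAMPLE-0004", "PkgName": "libc6",
                 "InstalledVersion": "2.36-1", "FixedVersion": "2.36-2", "Severity": "HIGH"},
            ],
        },
    ]
})


def summarize(report_json):
    """Return (counts by severity, fixable findings, findings with no fix yet).

    Each finding is a tuple (scan type, package, vulnerability id, fixed version or None).
    """
    report = json.loads(report_json)
    counts = Counter()
    fixable, unfixable = [], []
    for result in report.get("Results", []):
        # trivy emits null instead of an empty list when a target is clean
        for v in result.get("Vulnerabilities") or []:
            counts[v.get("Severity", "UNKNOWN")] += 1
            entry = (result.get("Type"), v["PkgName"], v["VulnerabilityID"],
                     v.get("FixedVersion") or None)
            (fixable if entry[3] else unfixable).append(entry)
    return counts, fixable, unfixable


if __name__ == "__main__":
    counts, fixable, unfixable = summarize(SAMPLE_REPORT)
    print("by severity:", dict(counts))
    for typ, pkg, vid, fixed in fixable:
        print(f"fixable [{typ}] {pkg}: update to {fixed} ({vid})")
    print("no fix available yet:", [vid for _, _, vid, _ in unfixable])
```

Run the real report through it with trivy image --format json -o report.json and pass the file contents to summarize(); gobinary entries point at Go module bumps, OS package entries at the base image.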

@SDawley could you please take a look?

ibuziuk, Mar 06 '25 14:03

Just wanted to update: the scans we run on downstream Configbump didn't pick up that many CVEs, but there was 1 Critical, 2 High and 1 Medium CVE that were all addressed by updating the base image.

Ultimately there are too many different scanners for us to realistically address every report, but I agree that it would be in everyone's best interests to update Configbump more often.

We're currently looking into better ways to keep our dependencies and base images updated so there are fewer discrepancies between upstream and downstream. I'll comment again when we decide on a solution.

SDawley, Mar 13 '25 22:03