
Security concerns

Open · tijmenvandenbrink opened this issue 3 years ago · 1 comment

Description

When scanning the Nebraska repo we're seeing a lot of vulnerabilities.

Impact

Several critical vulnerabilities that - if used by Nebraska - could potentially make Nebraska vulnerable.

Environment and steps to reproduce

Scan the repo with Trivy and you'll get a lot of critical vulnerabilities:

trivy repo --vuln-type library https://github.com/kinvolk/nebraska.git

tijmenvandenbrink avatar Dec 02 '22 12:12 tijmenvandenbrink

Thanks @tijmenvandenbrink , we'll look into it.

joaquimrocha avatar Jan 31 '23 12:01 joaquimrocha

Thanks @tijmenvandenbrink, this is not the case anymore since a few releases:

$ ./trivy repo --vuln-type library https://github.com/flatcar/nebraska.git
...
Report Summary

┌────────────────────────────┬───────┬─────────────────┬─────────┐
│           Target           │ Type  │ Vulnerabilities │ Secrets │
├────────────────────────────┼───────┼─────────────────┼─────────┤
│ backend/go.mod             │ gomod │        0        │    -    │
├────────────────────────────┼───────┼─────────────────┼─────────┤
│ frontend/package-lock.json │  npm  │        0        │    -    │
├────────────────────────────┼───────┼─────────────────┼─────────┤
│ updater/go.mod             │ gomod │        0        │    -    │
└────────────────────────────┴───────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)

(cc @ervcz)

tormath1 avatar Jun 20 '25 11:06 tormath1
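As an added example (not code from the Nebraska project or from anyone in this thread), here is a small Python post-processor for the JSON form of the `trivy repo` scan run above: it rebuilds the per-target count behind Trivy's Report Summary table and picks out the findings a CI gate should fail on, so "a lot of critical vulnerabilities" becomes a list of fixable ones. The report layout (`Results[].Target`, `Type`, `Vulnerabilities[]`) is assumed from Trivy's `--format json` output, and the findings in the sample are constructed placeholders.

```python
import json
from collections import Counter

# Constructed sample in the shape of Trivy's `--format json` report; the
# CVE ids, package names and versions are placeholders, not real findings.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {"Target": "backend/go.mod", "Type": "gomod", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "example.com/lib",
             "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1",
             "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "example.com/other",
             "InstalledVersion": "2.3.0", "FixedVersion": "",
             "Severity": "HIGH"},
        ]},
        # Trivy omits "Vulnerabilities" entirely for a clean target.
        {"Target": "frontend/package-lock.json", "Type": "npm"},
        {"Target": "updater/go.mod", "Type": "gomod", "Vulnerabilities": []},
    ],
})


def summarise(report_json):
    """Count findings per target and severity, like Trivy's Report Summary.

    Every target appears in the result, so a clean target shows up as an
    empty Counter rather than silently disappearing from the table."""
    summary = {}
    for result in json.loads(report_json).get("Results", []):
        counts = Counter()
        for vuln in result.get("Vulnerabilities") or []:
            counts[vuln.get("Severity", "UNKNOWN")] += 1
        summary[result["Target"]] = counts
    return summary


def blocking_findings(report_json, fail_on=("CRITICAL", "HIGH"),
                      fixable_only=True):
    """Return (target, id, package, fixed_version) for findings that should
    fail a CI gate. With fixable_only=True, findings that have no upstream
    fix yet are skipped (the same idea as Trivy's --ignore-unfixed)."""
    blocking = []
    for result in json.loads(report_json).get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("Severity") not in fail_on:
                continue
            if fixable_only and not vuln.get("FixedVersion"):
                continue
            blocking.append((result["Target"], vuln["VulnerabilityID"],
                             vuln.get("PkgName"), vuln.get("FixedVersion")))
    return blocking
```

Feed it the output of `trivy repo --vuln-type library --format json <repo>` and exit non-zero when `blocking_findings` returns anything; on a clean scan like the one above every target maps to an empty Counter.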