
Multiple CVEs reported by Aqua Scan

Open kgusarov opened this issue 2 years ago • 4 comments

Aqua Scan reports tons of CVEs in cURL binary:

[screenshot: Aqua Scan report listing CVEs in the cURL binary]

Since we use this image in a production environment, every CVE causes a critical security incident (via an automated job that periodically checks all clusters), which is a pain in itself. An easy fix would be to bump the cURL version.

kgusarov avatar Aug 10 '22 09:08 kgusarov

There is already a pull request https://github.com/groundnuty/k8s-wait-for/pull/55/commits/f9c3f440058355543a9c17bf3bef86aedb663f53 that bumps curl to the version shown in your image.

This week I will get around to releasing a new version.

Thx for sharing a screenshot and it's nice someone is using it in production :-)

groundnuty avatar Aug 10 '22 09:08 groundnuty

Good to hear that! Waiting for the release. I can also suggest using https://github.com/aquasecurity/trivy, since it is the same engine as Aqua Scan except that it is open source.

kgusarov avatar Aug 10 '22 10:08 kgusarov

I know Trivy and Aqua - it's a good idea. I see there are GitHub Actions for trivy, though first I will need to move the Travis pipeline to GitHub Actions (which should be done anyway); it's a bit more work, so stay tuned!

groundnuty avatar Aug 10 '22 12:08 groundnuty

@kgusarov added a trivy scan as part of the release (d36aeab) and a dedicated daily scan (972c9cf). The next release will have all the security fixes.

groundnuty avatar Aug 21 '22 11:08 groundnuty
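The release-time and daily scans above gate on what trivy reports. As an added example that is not part of this issue thread or the k8s-wait-for project, the script below evaluates a stored trivy JSON report (`trivy image --format json --output report.json <image>`) against a severity policy and returns a non-zero status when fixable findings at or above the threshold exist. The embedded report is a constructed sample in the shape of trivy's JSON output; its image name, package versions and `CVE-0000-000x` identifiers are placeholders, not real findings, and the field names assumed are `Results`, `Vulnerabilities`, `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion` and `Severity`.

```python
import json
import sys
from typing import Dict, List

# Constructed sample in the shape of a trivy JSON report (schema v2).
# Image name, versions and CVE ids are placeholders, not real findings.
SAMPLE_REPORT = {
    "SchemaVersion": 2,
    "ArtifactName": "example/k8s-wait-for:placeholder",
    "Results": [
        {
            "Target": "example/k8s-wait-for:placeholder (alpine 3.x)",
            "Type": "alpine",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "curl",
                 "InstalledVersion": "0.0.0-r0", "FixedVersion": "0.0.0-r1",
                 "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libcurl",
                 "InstalledVersion": "0.0.0-r0", "FixedVersion": "0.0.0-r1",
                 "Severity": "HIGH"},
                # No fix available yet: a package bump cannot clear this one.
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "busybox",
                 "InstalledVersion": "0.0.0-r0", "FixedVersion": "",
                 "Severity": "MEDIUM"},
            ],
        }
    ],
}

# Order trivy's severity labels so a threshold can be applied.
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def findings(report: Dict, min_severity: str = "HIGH",
             fixed_only: bool = True) -> List[Dict]:
    """Return findings at or above min_severity.

    With fixed_only=True only findings that have a FixedVersion are kept,
    i.e. the ones a package bump (like the curl bump in this thread) can fix.
    """
    threshold = SEVERITY_RANK[min_severity.upper()]
    out = []
    for result in report.get("Results", []):
        # trivy emits null instead of [] for a target without findings.
        for vuln in result.get("Vulnerabilities") or []:
            severity = vuln.get("Severity", "UNKNOWN").upper()
            if SEVERITY_RANK.get(severity, 0) < threshold:
                continue
            if fixed_only and not vuln.get("FixedVersion"):
                continue
            out.append({
                "id": vuln.get("VulnerabilityID", "?"),
                "package": vuln.get("PkgName", "?"),
                "installed": vuln.get("InstalledVersion", "?"),
                "fixed": vuln.get("FixedVersion") or "(no fix)",
                "severity": severity,
                "target": result.get("Target", "?"),
            })
    return out


def should_fail(report: Dict, min_severity: str = "HIGH",
                fixed_only: bool = True) -> bool:
    """True when the report contains at least one gating finding."""
    return bool(findings(report, min_severity, fixed_only))


def summarize(report: Dict, min_severity: str = "HIGH",
              fixed_only: bool = True) -> List[str]:
    """One line per gating finding, highest severity first."""
    rows = sorted(findings(report, min_severity, fixed_only),
                  key=lambda f: -SEVERITY_RANK[f["severity"]])
    return [f"{f['severity']:<8} {f['id']:<16} {f['package']} "
            f"{f['installed']} -> {f['fixed']}" for f in rows]


def load_report(path: str) -> Dict:
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    # Usage: gate.py [report.json] [MIN_SEVERITY]; without a path the sample runs.
    rep = load_report(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REPORT
    sev = sys.argv[2] if len(sys.argv) > 2 else "HIGH"
    for line in summarize(rep, sev):
        print(line)
    sys.exit(1 if should_fail(rep, sev) else 0)
```

Run against the sample, the script lists the CRITICAL and HIGH curl findings and exits 1, while the MEDIUM busybox entry without a fix is ignored. trivy can apply the same policy itself with `--exit-code 1 --severity HIGH,CRITICAL --ignore-unfixed`; evaluating the saved JSON separately is useful when the report is archived by the release job and the gating policy is revisited later, as a daily scan like the one added here would do.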

@kgusarov the new release v1.7 is here and all the things reported by trivy have been fixed

groundnuty avatar Sep 03 '22 16:09 groundnuty