node-driver-registrar
node-driver-registrar copied to clipboard
kubernetes-csi
Bump version of Go for CVE resolution?
Hello. Would it be possible to bump the version of Golang to help resolve some of these CVE's?
CVE-2021-38297 | critical | go 1.16.2 | 9,8 | https://nvd.nist.gov/vuln/detail/CVE-2021-38297 CVE-2021-27918 | high | go 1.14.15 | 7,5 | https://nvd.nist.gov/vuln/detail/CVE-2021-27918 CVE-2021-29923 | high | go 1.16.2 | 7,5 | https://nvd.nist.gov/vuln/detail/CVE-2021-29923 CVE-2021-33194 | high | go 1.16.2 | 7,5 | https://nvd.nist.gov/vuln/detail/CVE-2021-33194 CVE-2021-33195 | high | go 1.16.2 | 7,3 | https://nvd.nist.gov/vuln/detail/CVE-2021-33195 CVE-2021-33196 | high | go 1.16.2 | 7,5 | https://nvd.nist.gov/vuln/detail/CVE-2021-33196 CVE-2021-33198 | high | go 1.16.2 | 7,5 | https://nvd.nist.gov/vuln/detail/CVE-2021-33198 CVE-2021-41771 | high | go 1.16.2 | 7,5 | https://nvd.nist.gov/vuln/detail/CVE-2021-41771 CVE-2021-41772 | high | go 1.16.2 | 7,5 | https://nvd.nist.gov/vuln/detail/CVE-2021-41772 CVE-2021-44716 | high | go 1.16.2 | 7,5 | https://nvd.nist.gov/vuln/detail/CVE-2021-44716 CVE-2020-29510 | medium | go 1.14.15 | 5,6 | https://nvd.nist.gov/vuln/detail/CVE-2020-29510 CVE-2021-31525 | medium | go 1.16.2 | 5,9 | https://nvd.nist.gov/vuln/detail/CVE-2021-31525 CVE-2021-33197 | medium | go 1.16.2 | 5,3 | https://nvd.nist.gov/vuln/detail/CVE-2021-33197 CVE-2021-34558 | medium | go 1.16.2 | 6,5 | https://nvd.nist.gov/vuln/detail/CVE-2021-34558 CVE-2021-36221 | medium | go 1.16.2 | 5,9 | https://nvd.nist.gov/vuln/detail/CVE-2021-36221
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.
This bot triages issues and PRs according to the following rules:
- After 90d of inactivity,
lifecycle/staleis applied - After 30d of inactivity since
lifecycle/stalewas applied,lifecycle/rottenis applied - After 30d of inactivity since
lifecycle/rottenwas applied, the issue is closed
You can:
- Mark this issue or PR as fresh with
/remove-lifecycle stale - Mark this issue or PR as rotten with
/lifecycle rotten - Close this issue or PR with
/close - Offer to help out with Issue Triage
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale
I saw that our go.mod file says 1.16 in https://github.com/kubernetes-csi/node-driver-registrar/blob/master/go.mod#L3 however the library that builds the binary uses 1.18 https://github.com/kubernetes-csi/csi-release-tools/blob/master/prow.sh#L89, I'll check this again before the next release
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.
This bot triages issues and PRs according to the following rules:
- After 90d of inactivity,
lifecycle/staleis applied - After 30d of inactivity since
lifecycle/stalewas applied,lifecycle/rottenis applied - After 30d of inactivity since
lifecycle/rottenwas applied, the issue is closed
You can:
- Mark this issue or PR as fresh with
/remove-lifecycle stale - Mark this issue or PR as rotten with
/lifecycle rotten - Close this issue or PR with
/close - Offer to help out with Issue Triage
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale
@mauriciopoppe I think if we do a fresh docker build. It should pick up the latest node 16 or node 18 versions with the security patches included. Just need to do a re-release.
Any updates on fixing the CVEs? if bump the go version to 1.18.7 or 1.19.2 CVEs should be solved.
A new image will be available soon, I'm waiting for https://github.com/kubernetes/k8s.io/pull/4395 to be merged.
Tested that the image is available with docker pull k8s.gcr.io/sig-storage/csi-node-driver-registrar:v2.6.0