
Trivy reports a long list of vulnerabilities

Open hookenz opened this issue 2 years ago • 2 comments

Trivy is reporting vulnerabilities in the included libraries that Kompose references.

I have managed to fix them but have never contributed before so am still working out the process.

kompose (gobinary)
Total: 12 (UNKNOWN: 3, LOW: 0, MEDIUM: 4, HIGH: 5, CRITICAL: 0)

| Module name | Vulnerability ID | Severity | Installed version | Fixed version | Title |
|---|---|---|---|---|---|
| github.com/docker/cli | CVE-2021-41092 | high | v0.0.0-20180529093712-df6e38b81a94 | v20.10.9 | docker: cli leaks private registry credentials to registry-1.docker.io |
| github.com/docker/docker | CVE-2020-13401 | medium | v17.12.0-ce-rc1.0.20180220021536-8e435b8279f2+incompatible | v19.03.11 | docker: IPv6 router advertisements allow for MitM attacks |
| github.com/gogo/protobuf | CVE-2021-3121 | high | v1.3.1 | 1.3.2 | gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation |
| github.com/opencontainers/image-spec | GMS-2021-101 | unknown | v1.0.1 | 1.0.2 | Clarify mediaType handling |
| github.com/opencontainers/runc | CVE-2019-16884 | high | v0.1.1 | 1.0.0-rc8.0.20190930145003-cad42f6e0932 | runc: AppArmor/SELinux bypass with malicious image that specifies a volume at /proc |
| github.com/opencontainers/runc | CVE-2019-19921 | high | v0.1.1 | 1.0.0-rc9.0.20200122160610-2fc03cc11c77 | runc: volume mount race condition with shared mounts leads to information leak/integrity manipulation |
| github.com/opencontainers/runc | CVE-2021-30465 | high | v0.1.1 | v1.0.0-rc1 | runc: vulnerable to symlink exchange attack |
| github.com/opencontainers/runc | CVE-2016-9962 | medium | v0.1.1 | 1.0.0-rc3 | docker: insecure opening of file-descriptor allows privilege escalation |
| github.com/opencontainers/runc | CVE-2021-43784 | medium | v0.1.1 | v1.0.3 | runc: integer overflow in netlink bytemsg length field allows attacker to override netlink-based container configuration |
| github.com/opencontainers/runc | CVE-2022-24769 | medium | v0.1.1 | v1.1.2 | moby: Default inheritable capabilities for linux container should be empty |
| github.com/opencontainers/runc | GMS-2021-177 | unknown | v0.1.1 | 1.0.0-rc91 | Devices resource list treated as a denylist by default |
| golang.org/x/text | CVE-2021-38561 | unknown | v0.3.3 | 0.3.7 | |

hookenz avatar May 31 '22 23:05 hookenz

Hi @hookenz, nice catch! Are you using trivy against the kompose repository? We could create an action in gh-action to automate this step. For any help with that, you can ping me.

krol3 avatar Jun 16 '22 12:06 krol3

Hi @krol3, we are including kompose inside portainer and we have a CI process with portainer that can run a trivy scan with the built docker container. However, in my case I simply ran trivy against the kompose go.mod file with `trivy fs .`, which produces the table above.

hookenz avatar Jun 27 '22 22:06 hookenz
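A GitHub Actions workflow along the lines krol3 suggests, running the same `trivy fs .` scan hookenz describes against the repository's go.mod on every push, pull request and on a weekly schedule so that newly published advisories are caught without a code change. This is an added example, not a workflow from the kompose repository; the file path, branch name, schedule and severity threshold are assumptions, and the inputs used are those of the aquasecurity/trivy-action action.

```yaml
# .github/workflows/trivy.yml  (assumed path; added example, not kompose's own workflow)
name: Trivy dependency scan

on:
  push:
    branches: [main]        # assumed default branch
  pull_request:
  schedule:
    - cron: '0 6 * * 1'     # weekly rescan: advisories appear without any commit to the repo

permissions:
  contents: read            # the job only needs to read the checkout

jobs:
  trivy-fs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Equivalent of running `trivy fs .` in the repository root: Trivy reads
      # go.mod/go.sum and reports known vulnerabilities in the referenced modules.
      # Pin the action to a release tag or commit SHA in a real pipeline; `master`
      # is used here only because it is the reference form the action documents.
      - name: Scan Go module dependencies
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: fs
          scan-ref: .
          scanners: vuln
          severity: HIGH,CRITICAL   # threshold is a policy choice; the thread's scan had 5 HIGH
          ignore-unfixed: true      # only fail on findings that have a fixed version to bump to
          exit-code: '1'            # non-zero exit marks the job failed, blocking the PR
          format: table             # same table layout as the output pasted in the issue
```

With `ignore-unfixed: true` the job fails only when a dependency bump would actually resolve the finding, which keeps the check actionable; drop that input if you also want to see unfixed advisories in the job log.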

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot avatar Sep 25 '22 23:09 k8s-triage-robot

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

k8s-triage-robot avatar Oct 25 '22 23:10 k8s-triage-robot

Closed via https://github.com/kubernetes/kompose/pull/1508

cdrage avatar Nov 21 '22 15:11 cdrage