Container fails vulnerability scan, 3x CVE found.

Open OliverCole opened this issue 5 years ago • 1 comments

Describe the bug

I'd love to use this, but kubevious/portable:0.7.31 has some packages that fail our vulnerability scanning. Can these be upgraded?

To Reproduce

Steps to reproduce the behavior:

  1. Scan with a popular scanner, such as Aqua.

Expected behavior

No vulnerabilities found.

Actual behaviour

  • CVE-2020-8237 found in json-bigint.
  • CVE-2020-8116 found in dot-prop.
  • CVE-2020-8203 found in lodash.

OliverCole, Nov 19 '20 12:11

@OliverCole, thanks for bringing this up. Those packages are part of nested packages which would require some time to upgrade to more recent packages. Will update you with progress on this.

I also looked through those CVEs and they don't seem to be applicable, because Kubevious Portable is meant to be run on a workstation and not exposed to the outside. That eliminates the possibility of such attack vectors.

rubenhak, Nov 19 '20 20:11
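
The reply above says the flagged packages arrive as nested dependencies. As an added example (not part of the original thread and not Kubevious code), this script walks an npm v1-style `package-lock.json` and reports which direct dependency pulls in each flagged package, which is the information needed to decide what to upgrade. The lockfile content, the `example-*` package names and every version string are constructed.

```javascript
// Added example; the lockfile below is constructed, not Kubevious's real tree.
// npm v1 lockfiles nest packages: a requirement is looked up in the requiring
// package's own nested `dependencies`, then in each ancestor's, up to the root.
function resolve(scopes, name) {
  for (let i = scopes.length - 1; i >= 0; i--) {
    const deps = scopes[i].dependencies || {};
    if (deps[name]) return { node: deps[name], scopes: scopes.slice(0, i + 1) };
  }
  return null; // optional or missing dependency
}

// Return every chain "direct > ... > target" for the package names in `targets`.
function findChains(lock, directDeps, targets) {
  const chains = [];
  const walk = (name, scopes, trail, seen) => {
    const hit = resolve(scopes, name);
    if (!hit) return;
    const id = `${name}@${hit.node.version}`;
    if (seen.has(id)) return; // guard against circular requires
    const path = [...trail, id];
    if (targets.includes(name)) chains.push(path.join(" > "));
    const nextSeen = new Set(seen).add(id);
    for (const req of Object.keys(hit.node.requires || {})) {
      walk(req, [...hit.scopes, hit.node], path, nextSeen);
    }
  };
  for (const d of directDeps) walk(d, [lock], [], new Set());
  return chains;
}

// Constructed sample: hypothetical example-* packages, placeholder versions.
const sampleLock = {
  dependencies: {
    "example-api-client": {
      version: "1.0.0",
      requires: { "json-bigint": "*", "example-config": "*", lodash: "*" },
      dependencies: { lodash: { version: "0.0.1-sample" } },
    },
    "example-config": { version: "1.0.0", requires: { "dot-prop": "*", lodash: "*" } },
    "json-bigint": { version: "0.0.0-sample" },
    "dot-prop": { version: "0.0.0-sample" },
    lodash: { version: "0.0.0-sample" },
  },
};

const flagged = ["json-bigint", "dot-prop", "lodash"]; // names from the scan report
const chains = findChains(sampleLock, ["example-api-client"], flagged);
chains.forEach((c) => console.log(c));
```

On a real project, parse `package-lock.json` with `JSON.parse` and pass the dependency names from `package.json` as `directDeps`; two copies of the same package at different nesting levels show up as separate chains, as `lodash` does in the sample.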