Critical vulnerabilities in the netshoot image
I scanned the netshoot image with Grype and it found some critical vulns. Are there any plans to mitigate these? It would be nice to have a scheduled action that scans the image for vulns.
| NAME | INSTALLED | FIXED-IN | TYPE | VULNERABILITY | SEVERITY |
|---|---|---|---|---|---|
| apache2-utils | 2.4.53-r0 | 2.4.54-r0 | apk | CVE-2022-28615 | Critical |
| apache2-utils | 2.4.53-r0 | 2.4.54-r0 | apk | CVE-2022-30556 | High |
| apache2-utils | 2.4.53-r0 | 2.4.54-r0 | apk | CVE-2022-31813 | Critical |
| apache2-utils | 2.4.53-r0 | 2.4.54-r0 | apk | CVE-2022-26377 | High |
| apache2-utils | 2.4.53-r0 | 2.4.54-r0 | apk | CVE-2022-28330 | Medium |
| apache2-utils | 2.4.53-r0 | 2.4.54-r0 | apk | CVE-2022-30522 | High |
| apache2-utils | 2.4.53-r0 | 2.4.54-r0 | apk | CVE-2022-28614 | Medium |
| apache2-utils | 2.4.53-r0 | 2.4.54-r0 | apk | CVE-2022-29404 | High |
| flock | 2.38-r1 | | apk | CVE-2010-3262 | Medium |
| github.com/containerd/containerd | v1.4.1 | 1.4.12 | go-module | GHSA-5j5w-g665-5m35 | Low |
| github.com/containerd/containerd | v1.4.1 | 1.4.11 | go-module | GHSA-c2h3-6mxw-7mvq | Medium |
| github.com/containerd/containerd | v1.4.1 | 1.4.8 | go-module | GHSA-c72p-9xmj-rx3w | Medium |
| github.com/containerd/containerd | v1.4.1 | 1.4.13 | go-module | GHSA-crp2-qrr5-8pq7 | High |
| github.com/containerd/containerd | v1.4.1 | 1.5.13 | go-module | GHSA-5ffw-gxpp-mxpf | Medium |
| github.com/containerd/containerd | v1.4.1 | 1.4.3 | go-module | GHSA-36xw-fx78-c5r4 | Medium |
| github.com/docker/docker | v20.10.0-beta1.0.20201113105859-b6bfff2a628f+incompatible | | go-module | CVE-2021-21285 | Medium |
| github.com/docker/docker | v20.10.0-beta1.0.20201113105859-b6bfff2a628f+incompatible | | go-module | CVE-2021-21284 | Medium |
| github.com/gogo/protobuf | v1.3.1 | 1.3.2 | go-module | GHSA-c3h9-896r-86jm | High |
| github.com/influxdata/influxdb | v0.0.0-20190102202943-dd481f35df2c | | go-module | CVE-2018-17572 | Medium |
| github.com/influxdata/influxdb | v0.0.0-20190102202943-dd481f35df2c | | go-module | CVE-2019-20933 | Critical |
| github.com/opencontainers/image-spec | v1.0.1 | 1.0.2 | go-module | GHSA-77vh-xpmg-72qh | Low |
| github.com/opencontainers/runc | v1.0.3 | 1.1.2 | go-module | GHSA-f3fp-gc8g-vw66 | Medium |
| github.com/projectcalico/calico | (devel) | | go-module | CVE-2020-13597 | Low |
| go.etcd.io/etcd | v0.5.0-alpha.5.0.20201125193152-8a03d2e9614b | 3.4.0 | go-module | GHSA-wf43-55jj-vwq8 | Medium |
| google.golang.org/protobuf | v1.26.0 | | go-module | CVE-2021-22570 | High |
| google.golang.org/protobuf | v1.26.0 | | go-module | CVE-2015-5237 | High |
| httpie | 3.2.1 | | python | CVE-2019-10751 | High |
| pcre2 | 10.39-r0 | 10.40-r0 | apk | CVE-2022-1587 | Critical |
| pcre2 | 10.39-r0 | 10.40-r0 | apk | CVE-2022-1586 | Critical |
| scapy | git-archive.dev8b63d73a172 | 2.4.1 | python | GHSA-mpf2-q34c-fc6j | High |
| vim | 8.2.4969-r0 | | apk | CVE-2022-1735 | High |
| vim | 8.2.4969-r0 | | apk | CVE-2022-1785 | High |
| vim | 8.2.4969-r0 | | apk | CVE-2022-1851 | High |
| vim | 8.2.4969-r0 | | apk | CVE-2022-1769 | High |
| vim | 8.2.4969-r0 | | apk | CVE-2022-1771 | Medium |
| vim | 8.2.4969-r0 | | apk | CVE-2022-1927 | Critical |
| vim | 8.2.4969-r0 | | apk | CVE-2022-1796 | High |
| vim | 8.2.4969-r0 | | apk | CVE-2022-1898 | High |
| vim | 8.2.4969-r0 | | apk | CVE-2022-1886 | High |
| vim | 8.2.4969-r0 | | apk | CVE-2022-1942 | High |
| xxd | 8.2.4969-r0 | | apk | CVE-2022-1769 | High |
| xxd | 8.2.4969-r0 | | apk | CVE-2022-1942 | High |
| xxd | 8.2.4969-r0 | | apk | CVE-2022-1851 | High |
| xxd | 8.2.4969-r0 | | apk | CVE-2022-1785 | High |
| xxd | 8.2.4969-r0 | | apk | CVE-2022-1796 | High |
| xxd | 8.2.4969-r0 | | apk | CVE-2022-1927 | Critical |
| xxd | 8.2.4969-r0 | | apk | CVE-2022-1886 | High |
| xxd | 8.2.4969-r0 | | apk | CVE-2022-1735 | High |
| xxd | 8.2.4969-r0 | | apk | CVE-2022-1898 | High |
| xxd | 8.2.4969-r0 | | apk | CVE-2022-1771 | Medium |
Please re-run the test with the latest image (v0.7), as I upgraded to Alpine 3.16.
It seems most of these are fixed 👍
| NAME | INSTALLED | FIXED-IN | TYPE | VULNERABILITY | SEVERITY |
|---|---|---|---|---|---|
| flock | 2.38-r2 | | apk | CVE-2010-3262 | Medium |
| github.com/containerd/containerd | v1.4.1 | 1.4.3 | go-module | GHSA-36xw-fx78-c5r4 | Medium |
| github.com/containerd/containerd | v1.4.1 | 1.4.8 | go-module | GHSA-c72p-9xmj-rx3w | Medium |
| github.com/containerd/containerd | v1.4.1 | 1.5.13 | go-module | GHSA-5ffw-gxpp-mxpf | Medium |
| github.com/containerd/containerd | v1.4.1 | 1.4.11 | go-module | GHSA-c2h3-6mxw-7mvq | Medium |
| github.com/containerd/containerd | v1.4.1 | 1.4.13 | go-module | GHSA-crp2-qrr5-8pq7 | High |
| github.com/containerd/containerd | v1.4.1 | 1.4.12 | go-module | GHSA-5j5w-g665-5m35 | Low |
| github.com/docker/docker | v20.10.0-beta1.0.20201113105859-b6bfff2a628f+incompatible | | go-module | CVE-2021-21284 | Medium |
| github.com/docker/docker | v20.10.0-beta1.0.20201113105859-b6bfff2a628f+incompatible | | go-module | CVE-2021-21285 | Medium |
| github.com/gogo/protobuf | v1.3.1 | 1.3.2 | go-module | GHSA-c3h9-896r-86jm | High |
| github.com/influxdata/influxdb | v0.0.0-20190102202943-dd481f35df2c | | go-module | CVE-2018-17572 | Medium |
| github.com/influxdata/influxdb | v0.0.0-20190102202943-dd481f35df2c | | go-module | CVE-2019-20933 | Critical |
| github.com/opencontainers/image-spec | v1.0.1 | 1.0.2 | go-module | GHSA-77vh-xpmg-72qh | Low |
| github.com/opencontainers/runc | v1.0.3 | 1.1.2 | go-module | GHSA-f3fp-gc8g-vw66 | Medium |
| github.com/projectcalico/calico | (devel) | | go-module | CVE-2020-13597 | Low |
| go.etcd.io/etcd | v0.5.0-alpha.5.0.20201125193152-8a03d2e9614b | 3.4.0 | go-module | GHSA-wf43-55jj-vwq8 | Medium |
| google.golang.org/protobuf | v1.26.0 | | go-module | CVE-2021-22570 | High |
| google.golang.org/protobuf | v1.26.0 | | go-module | CVE-2015-5237 | High |
| httpie | 3.2.1 | | python | CVE-2019-10751 | High |
| scapy | git-archive.dev8b63d73a172 | 2.4.1 | python | GHSA-mpf2-q34c-fc6j | High |
Let's maybe consider configuring Dependabot to keep dependencies like the base image up to date.
@programmer04 any chance you can submit a PR?
I can also add some security scanning stuff in the pipeline. I can file an issue for this if you want.
Sure, I've just created the PR @nicolaka https://github.com/nicolaka/netshoot/pull/113.
I think that adding security scanning is a good idea @Dentrax (e.g. once a day to detect the newest reported vulnerabilities)! GitHub unfortunately does not support Docker images in their dependency graph so security vulnerabilities are not reported automatically.
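The scheduled scan proposed in this thread needs a step that turns Grype's report into a pass/fail decision. The script below is an added example, not netshoot's own code and not part of PR #113: it reads the JSON that `grype <image> -o json` writes, flattens `matches[]` into records, and blocks only on findings at or above a severity cutoff that actually have a fix available, since the remaining rows in the second table above (stale Go modules vendored into tools, `flock`, `httpie`) have no fixed version to upgrade to and would otherwise keep a daily job permanently red. `SAMPLE_REPORT` is constructed from rows in the tables above; the `fix.state` values in it are assumptions for the sake of the example.

```python
"""Severity gate for a Grype JSON report (example, not netshoot project code)."""
from __future__ import annotations

import json
import sys
from collections import Counter
from dataclasses import dataclass

# Grype severity labels, ranked so a cutoff can be compared numerically.
SEVERITY_RANK = {"Unknown": 0, "Negligible": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Constructed sample shaped like `grype -o json` output; package names, versions
# and vulnerability ids are taken from the scan tables in this thread, the fix
# states are assumed for illustration.
SAMPLE_REPORT = {
    "matches": [
        {"vulnerability": {"id": "CVE-2022-1587", "severity": "Critical",
                           "fix": {"versions": ["10.40-r0"], "state": "fixed"}},
         "artifact": {"name": "pcre2", "version": "10.39-r0", "type": "apk"}},
        {"vulnerability": {"id": "GHSA-crp2-qrr5-8pq7", "severity": "High",
                           "fix": {"versions": ["1.4.13"], "state": "fixed"}},
         "artifact": {"name": "github.com/containerd/containerd", "version": "v1.4.1", "type": "go-module"}},
        {"vulnerability": {"id": "CVE-2019-20933", "severity": "Critical",
                           "fix": {"versions": [], "state": "not-fixed"}},
         "artifact": {"name": "github.com/influxdata/influxdb",
                      "version": "v0.0.0-20190102202943-dd481f35df2c", "type": "go-module"}},
        {"vulnerability": {"id": "CVE-2022-1927", "severity": "Critical",
                           "fix": {"versions": [], "state": "not-fixed"}},
         "artifact": {"name": "vim", "version": "8.2.4969-r0", "type": "apk"}},
        {"vulnerability": {"id": "CVE-2010-3262", "severity": "Medium",
                           "fix": {"versions": [], "state": "not-fixed"}},
         "artifact": {"name": "flock", "version": "2.38-r1", "type": "apk"}},
    ]
}


@dataclass(frozen=True)
class Finding:
    name: str
    installed: str
    fixed_in: str      # empty string when Grype knows no fixed version
    pkg_type: str
    vuln_id: str
    severity: str
    fix_state: str     # "fixed", "not-fixed", "wont-fix" or "unknown"


def parse_grype_json(doc: dict) -> list[Finding]:
    """Flatten the matches[] array of a Grype JSON report into Finding records."""
    findings = []
    for match in doc.get("matches", []):
        vuln = match["vulnerability"]
        art = match["artifact"]
        fix = vuln.get("fix") or {}
        findings.append(Finding(
            name=art["name"],
            installed=art["version"],
            fixed_in=", ".join(fix.get("versions") or []),
            pkg_type=art["type"],
            vuln_id=vuln["id"],
            severity=vuln.get("severity", "Unknown"),
            fix_state=fix.get("state", "unknown"),
        ))
    return findings


def gate(findings: list[Finding], cutoff: str = "High", fixed_only: bool = True):
    """Return (blocking findings, per-severity counts).

    A finding blocks when its severity is at or above `cutoff`. With
    fixed_only=True, findings without a fix are counted but do not block:
    rebuilding the image cannot make them disappear, so they only add noise.
    """
    threshold = SEVERITY_RANK[cutoff]
    counts = Counter(f.severity for f in findings)
    blocking = [
        f for f in findings
        if SEVERITY_RANK.get(f.severity, 0) >= threshold
        and (not fixed_only or f.fix_state == "fixed")
    ]
    return blocking, counts


def main(argv: list[str]) -> int:
    # With no argument the embedded sample is used so the script runs offline.
    doc = SAMPLE_REPORT if len(argv) < 2 else json.load(open(argv[1]))
    blocking, counts = gate(parse_grype_json(doc))
    print("findings by severity:", dict(counts))
    for f in blocking:
        print(f"BLOCK {f.severity:<8} {f.vuln_id:<22} {f.name} {f.installed} -> {f.fixed_in}")
    return 1 if blocking else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In a scheduled workflow this runs right after `grype <image> -o json > report.json`, as `python gate.py report.json`; a non-zero exit fails the job only for findings the maintainers can act on, while the summary line keeps the unfixed ones visible for the next review of the base image.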