
CVEs in the 3.30.0

Open cbl315 opened this issue 3 years ago • 9 comments

I scan the image obsidiandynamics/kafdrop:3.30.0, and find many CVEs to be fixed.

See report:

obsidiandynamics-kafdrop3300-2022-08-10-030036.pdf

cbl315 avatar Aug 10 '22 03:08 cbl315

Is there a plan about when to release the next version? I can help with those security issues and hope those issues could be fixed in the next release.

cbl315 avatar Aug 10 '22 03:08 cbl315

/assign

cbl315 avatar Aug 10 '22 06:08 cbl315

Any help is appreciated! If someone can create a Pull Request explaining the fix I will be happy to merge it.

davideicardi avatar Aug 10 '22 07:08 davideicardi

@cbl315 Can you share the list of CVE numbers? Just a Fortify scan report isn't very helpful, as Fortify is known to provide very many false positives. The report (the detailed one, not the high-level summary) needs to be interpreted by one who knows both Fortify and the product (Kafdrop) very well.

Bert-R avatar Aug 10 '22 07:08 Bert-R

> @cbl315 Can you share the list of CVE numbers? Just a Fortify scan report isn't very helpful, as Fortify is known to provide very many false positives. The report (the detailed one, not the high-level summary) needs to be interpreted by one who knows both Fortify and the product (Kafdrop) very well.

Sure, I can share the CVE list. Btw, I use Protecode as the scan tool instead of Fortify. Unfortunately the scan result of Protecode also contains many false positive vulnerabilities; I might try Trivy as well as a reference.

obsidiandynamics-kafdrop3300-vulnerabilities.csv

cbl315 avatar Aug 10 '22 08:08 cbl315

Just a curiosity: which security scan tool was used before for Kafdrop?

cbl315 avatar Aug 10 '22 08:08 cbl315

Update: after I replaced the base image with the latest release from upstream, the number of CVEs has been reduced from 79 to 41. But there are still dozens; I will keep looking and try to check whether they are false positives.

Base image I used as the replacement: eclipse-temurin@sha256:555091411bbe4d768d73b9328b1a62bde263fa36f53f49452e2d92a690eb7a2c. Here is the Docker Hub URL.

New report: obsidiandynamics-kafdrop3300-vulnerabilities-UpdateBaseImage.csv

cbl315 avatar Aug 11 '22 02:08 cbl315
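The before/after comparison above (79 findings down to 41 after swapping the base image) is the kind of triage a maintainer has to repeat for every rebuild: which findings disappeared with the base image, which remain, and which of the remaining ones belong to the application layer rather than the OS or JDK. The script below is an added example, not code from the thread or from the Kafdrop project. It diffs two scanner CSV exports and groups what is left by component. The column names (component, version, cve, severity) and the CVE ids (CVE-0000-NNNN placeholders) are constructed assumptions; Protecode and Trivy each use their own export headers, so the `parse_report` field names would need adjusting for a real export.

```python
import csv
import io
from collections import Counter

# Constructed sample exports (not the thread's data). Column layout and the
# placeholder CVE ids are assumptions; adjust parse_report() to the real scanner's headers.
BEFORE_CSV = """component,version,cve,severity
libssl1.1,1.1.1-old,CVE-0000-0001,critical
libssl1.1,1.1.1-old,CVE-0000-0002,medium
zlib1g,1.2.11-old,CVE-0000-0003,critical
openjdk,17.0.3,CVE-0000-0004,high
kafdrop-deps,3.30.0,CVE-0000-0005,low
"""

AFTER_CSV = """component,version,cve,severity
libssl1.1,1.1.1-new,CVE-0000-0002,medium
openjdk,17.0.4,CVE-0000-0004,high
kafdrop-deps,3.30.0,CVE-0000-0005,low
kafdrop-deps,3.30.0,CVE-0000-0006,high
"""


def parse_report(text):
    """Return {cve_id: (component, version, severity)} from a scanner CSV export."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["cve"]: (r["component"], r["version"], r["severity"].lower()) for r in rows}


def diff_reports(before, after):
    """Split findings into fixed (gone after the rebuild), remaining, and newly introduced."""
    fixed = {c: before[c] for c in before if c not in after}
    remaining = {c: after[c] for c in after if c in before}
    new = {c: after[c] for c in after if c not in before}
    return fixed, remaining, new


def by_component(findings):
    """Count findings per component so base-image packages separate from application deps."""
    return Counter(comp for comp, _, _ in findings.values())


def summarize(before_text, after_text):
    """Produce the numbers a maintainer reports after a base-image change."""
    before = parse_report(before_text)
    after = parse_report(after_text)
    fixed, remaining, new = diff_reports(before, after)
    return {
        "before": len(before),
        "after": len(after),
        "fixed": sorted(fixed),
        "remaining": sorted(remaining),
        "new": sorted(new),
        "remaining_by_component": dict(by_component(remaining)),
    }


if __name__ == "__main__":
    s = summarize(BEFORE_CSV, AFTER_CSV)
    print(f"{s['before']} -> {s['after']} findings; fixed {len(s['fixed'])}, new {len(s['new'])}")
    for comp, n in s["remaining_by_component"].items():
        print(f"  {comp}: {n} still open")
```

Findings that remain under base-image components (libssl, zlib, the JDK) are the ones Bert-R's point about Adoptium applies to, since only a new upstream image can clear them; findings under the application's own dependencies are the ones a Kafdrop pull request can actually address, and the ones worth checking for reachability before treating them as real.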

Exactly. That's why I created PR #404. Note that even though some of the CVEs might be legitimate, it does not at all mean that Kafdrop is vulnerable. The Kafdrop service uses a tiny bit of the capabilities, so it could well be fully safe.

Given the wide use of the Temurin distribution, you should ask yourself whether you should take the responsibility of scanning and analyzing that container image or whether you rely on Adoptium.

Bert-R avatar Aug 11 '22 06:08 Bert-R

This issue is stale because it has been open for 30 days with no activity.

github-actions[bot] avatar Sep 11 '22 02:09 github-actions[bot]

This issue was closed because it has been inactive for 14 days since being marked as stale.

github-actions[bot] avatar Sep 25 '22 02:09 github-actions[bot]