opentelemetry-network
Upgrade packages highlighted by Trivy
What happened?
Description
Trivy is reporting potentially vulnerable packages in collector/k8s.
The two vulnerabilities seem to be resource exhaustion attacks (not arbitrary code execution), and this component communicates with the Kubernetes API and the k8s-watcher rather than public endpoints. Still, it would be prudent to upgrade the Go dependencies.
Steps to Reproduce
Run Trivy test (e.g., runs automatically upon merge)
Expected Result
No alerts
Actual Result
https://github.com/open-telemetry/opentelemetry-network/actions/runs/7010845578/job/19072233435#step:4:31
eBPF Collector version
f1aceba
Environment information
Environment
GitHub / Trivy scan
eBPF Collector configuration
No response
Log output
/usr/bin/docker run --name bbed06b9809a2cb4243af7d18b698bce9dd_79279b --label 813bbe --workdir /github/workspace --rm -e "INPUT_SCAN-TYPE" -e "INPUT_SCAN-REF" -e "INPUT_SKIP-DIRS" -e "INPUT_FORMAT" -e "INPUT_EXIT-CODE" -e "INPUT_SEVERITY" -e "INPUT_IGNORE-UNFIXED" -e "INPUT_VULN-TYPE" -e "INPUT_TIMEOUT" -e "INPUT_IMAGE-REF" -e "INPUT_INPUT" -e "INPUT_TEMPLATE" -e "INPUT_OUTPUT" -e "INPUT_SKIP-FILES" -e "INPUT_CACHE-DIR" -e "INPUT_IGNORE-POLICY" -e "INPUT_HIDE-PROGRESS" -e "INPUT_LIST-ALL-PKGS" -e "INPUT_SECURITY-CHECKS" -e "INPUT_TRIVYIGNORES" -e "INPUT_ARTIFACT-TYPE" -e "INPUT_GITHUB-PAT" -e "INPUT_TRIVY-CONFIG" -e "HOME" -e "GITHUB_JOB" -e "GITHUB_REF" -e "GITHUB_SHA" -e "GITHUB_REPOSITORY" -e "GITHUB_REPOSITORY_OWNER" -e "GITHUB_REPOSITORY_OWNER_ID" -e "GITHUB_RUN_ID" -e "GITHUB_RUN_NUMBER" -e "GITHUB_RETENTION_DAYS" -e "GITHUB_RUN_ATTEMPT" -e "GITHUB_REPOSITORY_ID" -e "GITHUB_ACTOR_ID" -e "GITHUB_ACTOR" -e "GITHUB_TRIGGERING_ACTOR" -e "GITHUB_WORKFLOW" -e "GITHUB_HEAD_REF" -e "GITHUB_BASE_REF" -e "GITHUB_EVENT_NAME" -e "GITHUB_SERVER_URL" -e "GITHUB_API_URL" -e "GITHUB_GRAPHQL_URL" -e "GITHUB_REF_NAME" -e "GITHUB_REF_PROTECTED" -e "GITHUB_REF_TYPE" -e "GITHUB_WORKFLOW_REF" -e "GITHUB_WORKFLOW_SHA" -e "GITHUB_WORKSPACE" -e "GITHUB_ACTION" -e "GITHUB_EVENT_PATH" -e "GITHUB_ACTION_REPOSITORY" -e "GITHUB_ACTION_REF" -e "GITHUB_PATH" -e "GITHUB_ENV" -e "GITHUB_STEP_SUMMARY" -e "GITHUB_STATE" -e "GITHUB_OUTPUT" -e "RUNNER_OS" -e "RUNNER_ARCH" -e "RUNNER_NAME" -e "RUNNER_ENVIRONMENT" -e "RUNNER_TOOL_CACHE" -e "RUNNER_TEMP" -e "RUNNER_WORKSPACE" -e "ACTIONS_RUNTIME_URL" -e "ACTIONS_RUNTIME_TOKEN" -e "ACTIONS_CACHE_URL" -e "ACTIONS_RESULTS_URL" -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/_temp/_runner_file_commands":"/github/file_commands" -v "/home/runner/work/opentelemetry-network/opentelemetry-network":"/github/workspace" 813bbe:d06b9809a2cb4243af7d18b698bce9dd "-a fs" "-b table" "-c " "-d 1" "-e true" "-f os,library" "-g CRITICAL,HIGH" "-h " "-i " "-j ." "-k docs,cmake,ext" "-l " "-m " "-n 10m" "-o " "-p " "-q " "-r false" "-s " "-t " "-u " "-v "
Running trivy with options: trivy fs --format table --exit-code 1 --ignore-unfixed --vuln-type os,library --severity CRITICAL,HIGH --skip-dirs docs --skip-dirs cmake --skip-dirs ext --timeout 10m .
Global options:
2023-11-27T21:30:38.735Z INFO Need to update DB
2023-11-27T21:30:38.735Z INFO DB Repository: ghcr.io/aquasecurity/trivy-db
2023-11-27T21:30:38.735Z INFO Downloading DB...
41.01 MiB / 41.01 MiB [-------------------------------------------------] 100.00% 37.98 MiB p/s 1.3s
2023-11-27T21:30:40.531Z INFO Vulnerability scanning is enabled
2023-11-27T21:30:40.531Z INFO Secret scanning is enabled
2023-11-27T21:30:40.531Z INFO If your scanning is slow, please try '--security-checks vuln' to disable secret scanning
2023-11-27T21:30:40.531Z INFO Please see also https://aquasecurity.github.io/trivy/v0.34/docs/secret/scanning/#recommendation for faster secret detection
2023-11-27T21:30:40.972Z INFO Number of language-specific files: 1
2023-11-27T21:30:40.972Z INFO Detecting gomod vulnerabilities...
collector/k8s/go.mod (gomod)
============================
Total: 2 (HIGH: 2, CRITICAL: 0)
┌────────────────────────┬─────────────────────┬──────────┬───────────────────┬────────────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │ Title │
├────────────────────────┼─────────────────────┼──────────┼───────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ golang.org/x/net │ CVE-2023-39325 │ HIGH │ 0.7.0 │ 0.17.0 │ golang: net/http, x/net/http2: rapid stream resets can cause │
│ │ │ │ │ │ excessive work (CVE-2023-44487) │
│ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-39325 │
├────────────────────────┼─────────────────────┤ ├───────────────────┼────────────────────────┼──────────────────────────────────────────────────────────────┤
│ google.golang.org/grpc │ GHSA-m425-mq94-257g │ │ 1.53.0 │ 1.56.3, 1.57.1, 1.58.3 │ gRPC-Go HTTP/2 Rapid Reset vulnerability │
│ │ │ │ │ │ https://github.com/advisories/GHSA-m425-mq94-257g │
└────────────────────────┴─────────────────────┴──────────┴───────────────────┴────────────────────────┴──────────────────────────────────────────────────────────────┘
Additional context
No response
@atoulme fyi
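An added example, not code from the issue or from the opentelemetry-network project, showing one way to confirm the dependency upgrade the issue asks for before rerunning Trivy: a POSIX shell script that reads a go.mod, extracts the pinned versions of the two modules Trivy flagged, and compares them against the fixed versions from the table above. It handles the grpc-go case where the fix exists on three release branches (v1.57.0 is below v1.57.1, v1.58.0 is below v1.58.3, v1.59.x is newer than every fix). The sample go.mod and all function names are constructed here. The script inspects only direct requirements in the file and does not resolve replace directives or transitive dependencies, so `go list -m all` or the Trivy run itself remains the authoritative check.

```shell
#!/bin/sh
# Added example (not the issue author's or the project's code): check a go.mod
# against the two advisories Trivy reported.

# Fixed versions copied from the Trivy table in the issue.
XNET_FIXED="v0.17.0"                   # CVE-2023-39325 / CVE-2023-44487
GRPC_FIXED="v1.56.3 v1.57.1 v1.58.3"   # GHSA-m425-mq94-257g, one fix per release branch

# ver_parts VERSION -> "MAJOR MINOR PATCH". Drops the leading "v" and any
# pre-release, pseudo-version or "+incompatible" suffix, so a pseudo-version
# such as v0.0.0-20230101000000-abcdef compares as 0.0.0 (treated as vulnerable).
ver_parts() {
    v=${1#v}; v=${v%%-*}; v=${v%%+*}
    maj=${v%%.*}; rest=${v#*.}
    min=${rest%%.*}; pat=${rest#*.}
    if [ "$pat" = "$rest" ]; then pat=0; fi   # tolerate "1.58" with no patch number
    printf '%s %s %s\n' "${maj:-0}" "${min:-0}" "${pat:-0}"
}

# is_fixed INSTALLED "FIXED ..." -> exit 0 when INSTALLED is at or above the fix
# on its own MAJOR.MINOR line, or on a MAJOR.MINOR line newer than every fix.
is_fixed() {
    parts=$(ver_parts "$1")
    imaj=${parts%% *}; irest=${parts#* }; imin=${irest%% *}; ipat=${irest#* }
    newest=0
    for f in $2; do
        fp=$(ver_parts "$f")
        fmaj=${fp%% *}; frest=${fp#* }; fmin=${frest%% *}; fpat=${frest#* }
        if [ "$imaj" -eq "$fmaj" ] && [ "$imin" -eq "$fmin" ] && [ "$ipat" -ge "$fpat" ]; then
            return 0   # same release branch, patched or later
        fi
        key=$((fmaj * 10000 + fmin))
        if [ "$key" -gt "$newest" ]; then newest=$key; fi
    done
    [ $((imaj * 10000 + imin)) -gt "$newest" ]
}

# gomod_version GOMOD MODULE -> prints the required version, empty if absent.
# Only "require" entries are read; "replace" lines (second field "=>") are skipped.
gomod_version() {
    awk -v mod="$2" '
        $1 == mod && $2 ~ /^v/            { print $2; exit }   # inside require ( ... )
        $1 == "require" && $2 == mod      { print $3; exit }   # single-line require
    ' "$1"
}

# check_gomod GOMOD -> one line per flagged module; exit 1 if either still needs an upgrade.
check_gomod() {
    rc=0
    for entry in "golang.org/x/net:$XNET_FIXED" "google.golang.org/grpc:$GRPC_FIXED"; do
        mod=${entry%%:*}; fixed=${entry#*:}
        inst=$(gomod_version "$1" "$mod")
        if [ -z "$inst" ]; then
            echo "$mod: not a direct requirement in $1"
        elif is_fixed "$inst" "$fixed"; then
            echo "$mod: $inst is at or above the fix ($fixed)"
        else
            echo "$mod: $inst is below the fix ($fixed) -> upgrade"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample go.mod mirroring the installed versions in the Trivy table.
write_sample_gomod() {
    cat > "$1" <<'EOF'
module example.invalid/collector-k8s

go 1.20

require (
    golang.org/x/net v0.7.0
    google.golang.org/grpc v1.53.0 // indirect
    k8s.io/client-go v0.26.0
)
EOF
}

sample=$(mktemp)
write_sample_gomod "$sample"
if check_gomod "$sample"; then echo "clean"; else echo "upgrade needed"; fi
rm -f "$sample"
```

Run it against a real module file with `check_gomod collector/k8s/go.mod`; after `go get golang.org/x/net@v0.17.0 google.golang.org/grpc@v1.58.3 && go mod tidy` the two flagged lines should report "at or above the fix".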