
Support for distroless in node_exporter

Open saurabhvagrawal opened this issue 2 years ago • 5 comments

Vulnerability ID: 181818

Hi,

We are running prometheus node-exporter in production and we frequently get OS-related vulnerabilities. This time we got vulnerabilities for openssl and libssl. We want to understand if there is a plan to move to distroless so that we can avoid patching these kinds of vulnerabilities in future. I was reading one thread where it's mentioned that support for distroless containers will be available soon.

https://github.com/prometheus/node_exporter/issues/2046

Could you please share if it's already in plan and, if yes, when we can get this new image?

saurabhvagrawal avatar Jun 12 '23 13:06 saurabhvagrawal

This belongs in promu.

SuperQ avatar Jun 12 '23 13:06 SuperQ

What needs to be done to fix these vulnerabilities? Any idea?

saurabhvagrawal avatar Jun 12 '23 13:06 saurabhvagrawal

What needs to be done to fix these vulnerabilities? Any idea?

@SuperQ : Kind ping.

saurabhvagrawal avatar Jun 14 '23 07:06 saurabhvagrawal

This is a low priority task, as there is no vulnerability. Your security scanner is faulty.

Please do not report raw vulnerability scanner results. They are prone to false positives and cause the Prometheus team toil in verifying. Please verify vulnerability reports and include specific details as to which components are directly exploitable. Please also include a reproduction case.

SuperQ avatar Jun 14 '23 07:06 SuperQ

In this specific case, the node_exporter does not use openssl or libssl, as the software is written in Go and uses Go's TLS implementation.

SuperQ avatar Jun 14 '23 07:06 SuperQ
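One way to check a scanner finding like this before reporting it is to list the shared libraries the binary actually declares as dependencies. The following is an added example, not code from the thread or from the Prometheus project; the function names `opensslLibs` and `linkedOpenSSL` are hypothetical, and it assumes an ELF (Linux) binary.

```go
package main

import (
	"debug/elf"
	"fmt"
	"os"
	"strings"
)

// opensslLibs filters a list of DT_NEEDED shared-library names down to
// the OpenSSL ones (libssl.so.* and libcrypto.so.*).
func opensslLibs(needed []string) []string {
	var hits []string
	for _, lib := range needed {
		if strings.HasPrefix(lib, "libssl.so") || strings.HasPrefix(lib, "libcrypto.so") {
			hits = append(hits, lib)
		}
	}
	return hits
}

// linkedOpenSSL opens an ELF binary and returns the OpenSSL libraries it
// declares as dynamic dependencies. A statically linked binary has no
// dynamic section and yields an empty result.
func linkedOpenSSL(path string) ([]string, error) {
	f, err := elf.Open(path)
	if err != nil {
		return nil, err
	}
	defer f.Close()
	needed, err := f.ImportedLibraries()
	if err != nil {
		return nil, err
	}
	return opensslLibs(needed), nil
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: checkssl <elf-binary>")
		os.Exit(2)
	}
	hits, err := linkedOpenSSL(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	fmt.Printf("OpenSSL libraries in DT_NEEDED: %v\n", hits)
}
```

An empty result means the binary does not link OpenSSL at load time, so a libssl package in the image is not loaded by that binary; libraries opened at runtime with dlopen do not appear in DT_NEEDED and need a separate check.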