Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Trivy and Aqua Enterprise vulnerability scan results critical and high #802

Closed
shalberd opened this issue Dec 10, 2024 · 3 comments · May be fixed by #641
Closed

Trivy and Aqua Enterprise vulnerability scan results critical and high #802

shalberd opened this issue Dec 10, 2024 · 3 comments · May be fixed by #641
Labels
kind/bug Something isn't working

Comments

@shalberd
Copy link
Contributor

shalberd commented Dec 10, 2024
edited
Loading

What steps did you take and what happened:
Took e.g. a recent R Studio image build. Got the following vulnerabilities findings. I realize not all are valid in all contexts, i.e. Docker one regarding Docker with Auth .... but some could be fixed easily, e.g. upgrading setuptools along with pip and wheel ...

e.g. in an R Studio image based on quay.io/sclorg/python-39-c9s:c9s which itself seems to be based on https://github.com/sclorg/s2i-python-container/blob/master/3.9/Dockerfile.c9s#L3

image

What did you expect to happen:
No critical vulnerabilities and as little as possible high ones.

Anything else you would like to add:
how about e.g.

setuptools 75.6.0
wheel 0.45.1
pip 24.3.1

at level python

and Docker 25.0.6 at base image level

The docker vulnerability CVE-2024-41110 seems to be part of /opt/app-root/bin/oc

oc version
Client Version: 4.17.6

https://github.com/openshift/oc/blob/master/go.mod#L19

Environment:

  • OpenDatahub Version: (please check the operator version)
  • Workbench: (all, data-science, etc)
  • Workbench Version: (2023.1, etc)
  • Specific tool: (jupyterlab, rstudio server, code-server, elyra-pipelines,etc)
  • Notebook-Controller Version: (please check the image version in notebook-controller deployment)

Logs/Screenshots
@shalberd shalberd added the kind/bug Something isn't working label Dec 10, 2024
@github-project-automation github-project-automation bot moved this to 📋 Backlog in ODH IDE Planning Dec 10, 2024
@shalberd shalberd changed the title Trivy and Aqua Enterprise vulnerability can results critical and high Trivy and Aqua Enterprise vulnerability scan results critical and high Dec 10, 2024
@jiridanek
Copy link
Member

Duplicate of https://issues.redhat.com/browse/RHOAIENG-10350, kind of

@jiridanek jiridanek linked a pull request Dec 10, 2024 that will close this issue
RHOAIENG-10350 feat(Dockerfiles): switch from s2i python images to plain ubi/c9s bases #641
Open
3 tasks
@shalberd
Copy link
Contributor Author

Regarding that oc-related docker golang vulnerability, posted a question directly at oc

openshift/oc#1950

@jiridanek
Copy link
Member

jiridanek commented Dec 10, 2024
edited
Loading

I saw that discussed somewhere. Yeah, as they are telling you on your ticket, govulncheck scan that analyzes reachability would tell that the vulnerable code is not called, and so the vulnerability got downgraded from critical to something fairly down on the list. https://www.redhat.com/en/blog/red-hats-open-approach-vulnerability-management

@github-project-automation github-project-automation bot moved this from 📋 Backlog to ✅Done in ODH IDE Planning Jan 14, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/bug Something isn't working
Projects
ODH IDE Planning
Status: Done
Milestone
No milestone
2 participants
@jiridanek @shalberd