rebase: fix CVEs in the image #3526

Merged: 1 commit, Nov 16, 2022

Conversation

@humblec (Collaborator) commented Nov 12, 2022

This commit updates dependencies, which is required to fix the CVEs below.

CVE-2022-27664
CVE-2022-27191

Signed-off-by: Humble Chirammal hchiramm@redhat.com

@mergify mergify bot added component/build Issues and PRs related to compiling Ceph-CSI bug Something isn't working labels Nov 12, 2022
@humblec humblec requested a review from Madhu-1 November 12, 2022 06:50
@humblec humblec added the Priority-0 highest priority issue label Nov 12, 2022
@humblec (Collaborator, Author) commented Nov 12, 2022

@Madhu-1 this PR should fix most of the ceph csi image specific vulnerabilities reported in the scan. Can you take a look at this in priority?

@nixpanic (Member) left a comment

Most of these are simple rebases, they should not be combined in the same PR with fixes for CVEs. For a CVE fix, you'll need to state the CVE numbers as well.

api/go.mod Outdated
@@ -1,10 +1,32 @@
module github.com/ceph/ceph-csi/api

go 1.16
go 1.18
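Review bot: the `go 1.16` to `go 1.18` directive change in api/go.mod raises the minimum toolchain for every consumer of the api module, and nothing in the visible hunk ties that bump to CVE-2022-27664 or CVE-2022-27191; either justify it in the commit message (for example, if a fixed dependency version needs Go 1.18) or leave the directive alone and bump only the require lines. The hunk header reports 22 added lines but only the directive change is shown, so the commit message should also name each dependency and the version it moves to, so a reviewer can map every bump to the CVE it addresses.
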
Member:

This requires consumers of the API to use Go 1.18. Ideally we provide the API for the lowest, still supported Go version?

Collaborator (Author):

No, 1.16 and 1.17 are unsupported or have already hit EOL.

@humblec (Collaborator, Author) commented Nov 14, 2022

> Most of these are simple rebases, they should not be combined in the same PR with fixes for CVEs. For a CVE fix, you'll need to state the CVE numbers as well.

@nixpanic I have mentioned which CVEs and kept only that change in the PR. PTAL.

@humblec (Collaborator, Author) commented Nov 14, 2022

> Most of these are simple rebases, they should not be combined in the same PR with fixes for CVEs. For a CVE fix, you'll need to state the CVE numbers as well.

Indeed these are different areas and small. But I have already put them into separate commits even though it's a single PR. More or less, I didn't see value in running different CI tests and wasting resources for each of these changes, so I combined them into one PR. Regardless, I am splitting this into different PRs now.

@nixpanic (Member)

Why the urgency for these?

CVE-2022-27664: http server issue after GOAWAY, can that happen when metrics are enabled?
CVE-2022-27191: ssh server issue... Ceph-CSI does not run a ssh-server

@nixpanic nixpanic added rebase update the version of an external component security and removed Priority-0 highest priority issue labels Nov 14, 2022
@humblec (Collaborator, Author) commented Nov 14, 2022

> Why the urgency for these?
>
> CVE-2022-27664: http server issue after GOAWAY, can that happen when metrics are enabled? CVE-2022-27191: ssh server issue... Ceph-CSI does not run a ssh-server

@nixpanic all the security reports against Ceph CSI report this vulnerability. Unfortunately even security reports run on projects which consume Ceph CSI image also list down these vulnerabilities and this has been reported by those maintainers too. One example here is CNCF project Rook.

@nixpanic (Member)

Sure, lots of security scanners report issues with container images because vulnerable code is included. But if the code is not used, there is no urgency to update it. This isn't only for Go packages, but also for the RPMs that come with the OS base container image.

Explaining why a CVE needs to be fixed is important for prioritization, and shows that reported CVEs are taken seriously. A quick glance does not give me a hint that this can be exploited, so for me this has the same priority as a normal rebase of a dependency.
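The check a reviewer would want before merging a rebase like this one, as an added example that is not Ceph-CSI code: parse a go.mod, report the go directive that the review comment above flags, and confirm that the require lines for the affected modules have reached a fixed pseudo-version. The module names, the fix timestamps and the sample go.mod are assumptions and placeholders (take the real thresholds from the Go vulnerability database); whether the vulnerable code is actually reachable, the point nixpanic raises, needs a call-graph tool such as govulncheck rather than a version check.

```go
package main

import (
	"strings"
	"time"
)

// Constructed go.mod (not Ceph-CSI's own): the go 1.18 directive from the PR
// plus pseudo-versioned requires for the two modules behind the listed CVEs.
const sampleGoMod = `go 1.18
require (
	golang.org/x/crypto v0.0.0-20211215153901-abcdef012345
	golang.org/x/net v0.0.0-20220906165146-abcdef012345 // indirect
)
`

// PLACEHOLDER thresholds (pseudo-version stamps); real values for CVE-2022-27664 (x/net) and CVE-2022-27191 (x/crypto) come from the Go vuln DB.
var fixedAfter = map[string]string{
	"golang.org/x/net":    "20220901000000",
	"golang.org/x/crypto": "20220301000000",
}

// pseudoTimestamp reads the commit time from a v0.0.0-yyyymmddhhmmss-hash
// pseudo-version; tagged releases and other forms return false.
func pseudoTimestamp(v string) (time.Time, bool) {
	parts := strings.Split(v, "-")
	if len(parts) < 3 {
		return time.Time{}, false
	}
	t, err := time.Parse("20060102150405", parts[len(parts)-2])
	return t, err == nil
}

// Audit returns the go directive and, per tracked module that go.mod requires,
// whether its pseudo-version is at or after the fix threshold; a tagged or
// unparsable version is reported as not verified (false).
func Audit(goMod string) (goDirective string, fixed map[string]bool) {
	fixed = map[string]bool{}
	for _, line := range strings.Split(goMod, "\n") {
		f := strings.Fields(line)
		switch {
		case len(f) == 2 && f[0] == "go":
			goDirective = f[1]
		case len(f) >= 2 && fixedAfter[f[0]] != "":
			got, ok := pseudoTimestamp(f[1])
			want, _ := time.Parse("20060102150405", fixedAfter[f[0]])
			fixed[f[0]] = ok && !got.Before(want)
		}
	}
	return goDirective, fixed
}
```

On the constructed input, x/net is reported fixed and x/crypto is not, which is exactly the kind of per-CVE evidence the commit message should carry.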

@nixpanic nixpanic changed the title build: fix CVEs in the image rebase: fix CVEs in the image Nov 14, 2022
@nixpanic (Member)

@Mergifyio rebase

This commit updates dependencies, which is required to fix the CVEs below.

CVE-2022-27664
CVE-2022-27191

Signed-off-by: Humble Chirammal <hchiramm@redhat.com>
@mergify (Contributor) mergify bot commented Nov 16, 2022

rebase

✅ Branch has been successfully rebased

@nixpanic nixpanic added the ok-to-test Label to trigger E2E tests label Nov 16, 2022
@github-actions
/test ci/centos/k8s-e2e-external-storage/1.23

@github-actions
/test ci/centos/k8s-e2e-external-storage/1.24

@github-actions
/test ci/centos/k8s-e2e-external-storage/1.25

@github-actions
/test ci/centos/mini-e2e-helm/k8s-1.23

@github-actions
/test ci/centos/mini-e2e-helm/k8s-1.24

@github-actions
/test ci/centos/mini-e2e-helm/k8s-1.25

@github-actions
/test ci/centos/mini-e2e/k8s-1.23

@github-actions
/test ci/centos/mini-e2e/k8s-1.24

@github-actions
/test ci/centos/mini-e2e/k8s-1.25

@github-actions
/test ci/centos/upgrade-tests-cephfs

@github-actions
/test ci/centos/upgrade-tests-rbd

@humblec humblec added the ci/retry/e2e Label to retry e2e retesting on approved PR's label Nov 16, 2022
@ceph-csi-bot (Collaborator)

/retest ci/centos/mini-e2e-helm/k8s-1.24

@ceph-csi-bot (Collaborator)

@humblec "ci/centos/mini-e2e-helm/k8s-1.24" test failed. Logs are available at location for debugging

@ceph-csi-bot (Collaborator)

@Mergifyio requeue

@mergify (Contributor) mergify bot commented Nov 16, 2022

requeue

❌ This pull request head commit has not been previously disembarked from queue.

@mergify mergify bot added ok-to-test Label to trigger E2E tests and removed ok-to-test Label to trigger E2E tests labels Nov 16, 2022
@mergify mergify bot merged commit d721ed6 into ceph:devel Nov 16, 2022
@mergify mergify bot removed the ok-to-test Label to trigger E2E tests label Nov 16, 2022
@github-actions
/test ci/centos/k8s-e2e-external-storage/1.23

@github-actions
/test ci/centos/k8s-e2e-external-storage/1.24

@github-actions
/test ci/centos/k8s-e2e-external-storage/1.25

@github-actions
/test ci/centos/mini-e2e-helm/k8s-1.23

@github-actions
/test ci/centos/mini-e2e-helm/k8s-1.24

@github-actions
/test ci/centos/mini-e2e-helm/k8s-1.25

@github-actions
/test ci/centos/mini-e2e/k8s-1.23

@github-actions
/test ci/centos/mini-e2e/k8s-1.24

@github-actions
/test ci/centos/mini-e2e/k8s-1.25

@github-actions
/test ci/centos/upgrade-tests-cephfs

@github-actions
/test ci/centos/upgrade-tests-rbd

Labels
bug Something isn't working ci/retry/e2e Label to retry e2e retesting on approved PR's component/build Issues and PRs related to compiling Ceph-CSI rebase update the version of an external component security