chore: Upgrade Go libraries to resolve some security issues in the katib-controller #1888

Merged
merged 1 commit into from
Jun 7, 2022

tenzen-y
Member

@tenzen-y tenzen-y commented Jun 6, 2022

What this PR does / why we need it:
I upgraded Go libraries to resolve some security issues in the katib-controller.

  • before
$ trivy image --severity CRITICAL,HIGH -ignore-unfixed kubeflowkatib/katib-controller
2022-06-06T23:32:04.497+0900	INFO	Detected OS: alpine
2022-06-06T23:32:04.497+0900	INFO	Detecting Alpine vulnerabilities...
2022-06-06T23:32:04.499+0900	INFO	Number of language-specific files: 1
2022-06-06T23:32:04.499+0900	INFO	Detecting gobinary vulnerabilities...

kubeflowkatib/katib-controller (alpine 3.15.4)

Total: 0 (HIGH: 0, CRITICAL: 0)


app/katib-controller (gobinary)

Total: 6 (HIGH: 6, CRITICAL: 0)

┌──────────────────────────┬────────────────┬──────────┬──────────────────────────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│         Library          │ Vulnerability  │ Severity │          Installed Version           │ Fixed Version │                            Title                             │
├──────────────────────────┼────────────────┼──────────┼──────────────────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/docker/cli    │ CVE-2021-41092 │ HIGH     │ v0.0.0-20191017083524-a8ff7f821017   │ v20.10.9      │ docker: cli leaks private registry credentials to            │
│                          │                │          │                                      │               │ registry-1.docker.io                                         │
│                          │                │          │                                      │               │ https://avd.aquasec.com/nvd/cve-2021-41092                   │
├──────────────────────────┼────────────────┤          ├──────────────────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/docker/docker │ CVE-2015-3627  │          │ v1.4.2-0.20190924003213-a8608b5b67c7 │ v1.6.1        │ docker: insecure opening of file-descriptor 1 leading to     │
│                          │                │          │                                      │               │ privilege escalation                                         │
│                          │                │          │                                      │               │ https://avd.aquasec.com/nvd/cve-2015-3627                    │
├──────────────────────────┼────────────────┤          ├──────────────────────────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ github.com/tidwall/gjson │ CVE-2020-35380 │          │ v1.6.0                               │ 1.6.4         │ GJSON before 1.6.4 allows attackers to cause a denial of     │
│                          │                │          │                                      │               │ service via...                                               │
│                          │                │          │                                      │               │ https://avd.aquasec.com/nvd/cve-2020-35380                   │
│                          ├────────────────┤          │                                      ├───────────────┼──────────────────────────────────────────────────────────────┤
│                          │ CVE-2020-36066 │          │                                      │ v1.6.5        │ GJSON <1.6.5 allows attackers to cause a denial of           │
│                          │                │          │                                      │               │ service (remote) ......                                      │
│                          │                │          │                                      │               │ https://avd.aquasec.com/nvd/cve-2020-36066                   │
│                          ├────────────────┤          │                                      ├───────────────┼──────────────────────────────────────────────────────────────┤
│                          │ CVE-2020-36067 │          │                                      │ 1.6.6         │ GJSON <=v1.6.5 allows attackers to cause a denial of         │
│                          │                │          │                                      │               │ service (panic ......                                        │
│                          │                │          │                                      │               │ https://avd.aquasec.com/nvd/cve-2020-36067                   │
│                          ├────────────────┤          │                                      ├───────────────┼──────────────────────────────────────────────────────────────┤
│                          │ CVE-2021-42836 │          │                                      │ 1.9.3         │ GJSON before 1.9.3 allows a ReDoS (regular expression denial │
│                          │                │          │                                      │               │ of servic ......                                             │
│                          │                │          │                                      │               │ https://avd.aquasec.com/nvd/cve-2021-42836                   │
└──────────────────────────┴────────────────┴──────────┴──────────────────────────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘
  • after
$ trivy image --severity CRITICAL,HIGH -ignore-unfixed ytenzen/katib-controller:upgrade-go-libraries
2022-06-07T00:05:53.311+0900	INFO	Detected OS: alpine
2022-06-07T00:05:53.311+0900	INFO	Detecting Alpine vulnerabilities...
2022-06-07T00:05:53.313+0900	INFO	Number of language-specific files: 1
2022-06-07T00:05:53.313+0900	INFO	Detecting gobinary vulnerabilities...

ytenzen/katib-controller:upgrade-go-libraries (alpine 3.15.4)

Total: 0 (HIGH: 0, CRITICAL: 0)


app/katib-controller (gobinary)

Total: 0 (HIGH: 0, CRITICAL: 0)

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #

Checklist:

  • Docs included if any changes are user facing
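
The before/after comparison from the description above, automated as an added example (not code from this PR or from Katib): it diffs two Trivy JSON reports, as produced with `--format json`, using the same HIGH/CRITICAL, fixed-only filter. The report contents are constructed from two rows of the table plus a placeholder unfixed entry, and the function names are hypothetical.

```python
import json

# Constructed sample reports (not real scan output), shaped like `trivy image --format json`.
SAMPLE_BEFORE = json.dumps({"Results": [
    {"Target": "kubeflowkatib/katib-controller (alpine 3.15.4)", "Type": "alpine"},
    {"Target": "app/katib-controller", "Type": "gobinary", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2021-41092", "PkgName": "github.com/docker/cli",
         "InstalledVersion": "v0.0.0-20191017083524-a8ff7f821017",
         "FixedVersion": "v20.10.9", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-2021-42836", "PkgName": "github.com/tidwall/gjson",
         "InstalledVersion": "v1.6.0", "FixedVersion": "1.9.3", "Severity": "HIGH"},
        # Placeholder entry with no fixed version; the fixed-only filter must skip it.
        {"VulnerabilityID": "CVE-0000-00000", "PkgName": "example.invalid/lib",
         "InstalledVersion": "v1.0.0", "Severity": "HIGH"},
    ]},
]})
SAMPLE_AFTER = json.dumps({"Results": [
    {"Target": "app/katib-controller", "Type": "gobinary"},
]})

GATED = {"HIGH", "CRITICAL"}


def findings(report_json):
    """Return {(package, CVE)} for HIGH/CRITICAL entries that have a fixed version."""
    report = json.loads(report_json)
    found = set()
    for result in report.get("Results") or []:
        # A target without findings may carry no "Vulnerabilities" key at all.
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("Severity") in GATED and vuln.get("FixedVersion"):
                # The image name is left out of the key: it differs between the two scans.
                found.add((vuln["PkgName"], vuln["VulnerabilityID"]))
    return found


def compare(before_json, after_json):
    """Split gated findings into resolved, still present, and newly introduced."""
    before, after = findings(before_json), findings(after_json)
    return {
        "resolved": sorted(before - after),
        "remaining": sorted(before & after),
        "introduced": sorted(after - before),
    }


if __name__ == "__main__":
    diff = compare(SAMPLE_BEFORE, SAMPLE_AFTER)
    print(json.dumps(diff, indent=2))
    # A non-zero exit fails a CI job when the upgrade left or added gated findings.
    raise SystemExit(1 if diff["remaining"] or diff["introduced"] else 0)
```

The "introduced" list matters for dependency upgrades in particular, since a bumped module can pull in new transitive dependencies with findings of their own.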

@coveralls

Coverage remained the same at 73.948% when pulling aff2453 on tenzen-y:upgrade-go-libraries into e2378c3 on kubeflow:master.

@johnugeorge
Member

johnugeorge commented Jun 6, 2022

In order to save GHA minutes, we might to keep testing restricted to a single k8s version in the future.

@johnugeorge
Member

/lgtm

@tenzen-y
Member Author

tenzen-y commented Jun 7, 2022

In order to save GHA minutes, we might to keep testing restricted to a single k8s version in the future.

Thanks for your review! @johnugeorge
As discussed in #1882 (comment), I will try to re-build workflows for building container images to reduce the time running integration tests in another PR.

So, should we merge this PR? @johnugeorge

@johnugeorge
Member

/approve

@google-oss-prow

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: johnugeorge, tenzen-y

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@google-oss-prow google-oss-prow bot merged commit c9001d8 into kubeflow:master Jun 7, 2022
@tenzen-y tenzen-y deleted the upgrade-go-libraries branch June 7, 2022 06:47