
CVEs in the 3.30.0 #403

Closed
cbl315 opened this issue Aug 10, 2022 · 10 comments

@cbl315

cbl315 commented Aug 10, 2022

I scanned the image obsidiandynamics/kafdrop:3.30.0 and found many CVEs to be fixed.

See report:

obsidiandynamics-kafdrop3300-2022-08-10-030036.pdf

@cbl315
Author

cbl315 commented Aug 10, 2022

Is there a plan for when to release the next version? I can help with those security issues and hope they could be fixed in the next release.

@cbl315
Author

cbl315 commented Aug 10, 2022

/assign

@davideicardi
Collaborator

Any help is appreciated! If someone can create a Pull Request explaining the fix I will be happy to merge it.

@Bert-R
Collaborator

Bert-R commented Aug 10, 2022

@cbl315 Can you share the list of CVE numbers? Just a Fortify scan report isn't very helpful, as Fortify is known to provide very many false positives. The report (the detailed one, not the high-level summary) needs to be interpreted by one who knows both Fortify and the product (Kafdrop) very well.

@cbl315
Author

cbl315 commented Aug 10, 2022

> @cbl315 Can you share the list of CVE numbers? Just a Fortify scan report isn't very helpful, as Fortify is known to provide very many false positives. The report (the detailed one, not the high-level summary) needs to be interpreted by one who knows both Fortify and the product (Kafdrop) very well.

Sure, I can share the CVE list. By the way, I use Protecode as the scan tool instead of Fortify. Unfortunately the Protecode scan result also contains many false positives; I might try Trivy as well as a reference.

obsidiandynamics-kafdrop3300-vulnerabilities.csv

@cbl315
Author

cbl315 commented Aug 10, 2022

Just out of curiosity, which security scan tool was used for Kafdrop before?

@cbl315
Author

cbl315 commented Aug 11, 2022

Update: after replacing the base image with the latest release from upstream, the number of CVEs has been reduced from 79 to 41. But there are still dozens; I will keep looking and try to check whether they are false positives.

Base image I use as the replacement: eclipse-temurin@sha256:555091411bbe4d768d73b9328b1a62bde263fa36f53f49452e2d92a690eb7a2c.
Here is the Docker Hub URL.

New report: obsidiandynamics-kafdrop3300-vulnerabilities-UpdateBaseImage.csv

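A way to triage the before/after reports mentioned above, as an added example that is not part of this thread: it diffs two Trivy-style JSON reports (constructed inline; the CVE ids, package names and versions are placeholders) and lists which findings disappeared with the base-image swap and which remain, flagging those that have no fixed version at all.

```python
"""Diff two Trivy JSON reports (before/after a base-image swap) and group
what is still open for manual triage. Added example, not from the thread;
the sample reports below are constructed and the CVE ids are placeholders."""
import json
from collections import defaultdict

# Constructed sample reports in Trivy's JSON layout (Results -> Vulnerabilities).
BEFORE = json.dumps({"Results": [{"Target": "kafdrop:before", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl", "InstalledVersion": "1.0",
     "FixedVersion": "1.1", "Severity": "HIGH"},
    {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libc", "InstalledVersion": "2.0",
     "FixedVersion": "", "Severity": "MEDIUM"},
    {"VulnerabilityID": "CVE-0000-0003", "PkgName": "app.jar", "InstalledVersion": "3.30.0",
     "FixedVersion": "3.31.0", "Severity": "CRITICAL"},
]}]})
AFTER = json.dumps({"Results": [{"Target": "kafdrop:after", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libc", "InstalledVersion": "2.1",
     "FixedVersion": "", "Severity": "MEDIUM"},
    {"VulnerabilityID": "CVE-0000-0003", "PkgName": "app.jar", "InstalledVersion": "3.30.0",
     "FixedVersion": "3.31.0", "Severity": "CRITICAL"},
]}]})

def findings(report_json):
    """Map CVE id -> finding, flattened across every Results entry in the report."""
    out = {}
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:   # Trivy emits null when clean
            out[v["VulnerabilityID"]] = dict(v, Target=result.get("Target", ""))
    return out

def triage(before_json, after_json):
    """Return (fixed_ids, remaining): ids gone after the swap, and still-open
    CVEs grouped by package with a has_fix flag (no fix => review/accept risk)."""
    before, after = findings(before_json), findings(after_json)
    fixed = sorted(set(before) - set(after))
    remaining = defaultdict(list)
    for cve, v in sorted(after.items()):
        remaining[v["PkgName"]].append({"id": cve, "severity": v["Severity"],
                                        "has_fix": bool(v.get("FixedVersion"))})
    return fixed, dict(remaining)

if __name__ == "__main__":
    fixed, remaining = triage(BEFORE, AFTER)
    print(f"{len(findings(BEFORE))} -> {len(findings(AFTER))} CVEs; fixed by base image: {fixed}")
    for pkg, items in remaining.items():
        print(pkg, items)
```

Findings with has_fix false cannot be closed by a base-image bump and need a reachability judgement, which is the point Bert-R makes about Kafdrop using only a small part of the library capabilities.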
@Bert-R
Collaborator

Bert-R commented Aug 11, 2022

Exactly. That's why I created PR #404.
Note that even though some of the CVEs might be legitimate, it does not at all mean that Kafdrop is vulnerable. The Kafdrop service uses a tiny bit of the capabilities, so it could well be fully safe.

Given the wide use of the Temurin distribution, you should ask yourself whether you should take the responsibility of scanning and analyzing that container image or whether you rely on Adoptium.

@github-actions

This issue is stale because it has been open for 30 days with no activity.

@github-actions github-actions bot added the stale label Sep 11, 2022
@github-actions

This issue was closed because it has been inactive for 14 days since being marked as stale.
