Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Bug] Update go.mod to address Fixable CVEs in KubeRay Operator #1494

Closed
2 tasks done
jbusche opened this issue Oct 13, 2023 · 1 comment · Fixed by #1495
Closed
2 tasks done

[Bug] Update go.mod to address Fixable CVEs in KubeRay Operator #1494

jbusche opened this issue Oct 13, 2023 · 1 comment · Fixed by #1495
Assignees
Labels
bug Something isn't working

Comments

@jbusche
Copy link
Contributor

jbusche commented Oct 13, 2023

Search before asking

  • I searched the issues and found no similar issues.

KubeRay Component

ray-operator

What happened + What you expected to happen

Using Twistlock I can see three fixable CVEs that are easily fixed by updating two go.mod items. I've created a branch where it works, I just need to create a PR in draft mode and make sure it passes all tests and that it runs properly on my server.

severityCHML    cvss    riskFactors     cve     link    hasFix  status  packageType     packageName
        M       6.2     DoS - Low,Has fix,Medium severity       PRISMA-2023-0056        https://github.com/sirupsen/logrus/issues/1370  Y       fixed in v1.9.3 go      github.com/sirupsen/logrus
        M       0       Has fix,Medium severity,Recent vulnerability    CVE-2023-39325  https://nvd.nist.gov/vuln/detail/CVE-2023-39325 Y       fixed in 0.17.0 go      golang.org/x/net
        M       6.1     Attack complexity: low,Attack vector: network,Has fix,Medium severity,Recent vulnerability      CVE-2023-3978   https://nvd.nist.gov/vuln/detail/CVE-2023-3978  Y       fixed in 0.13.0 go      golang.org/x/net

After my go.mod updates to the suggested fixed versions, then the three vulnerabilities above are gone when scanned with Twistlock.

Reproduction script

I built the ray-operator image manually with:

cd ray-operator
make docker-image

And then used Twistlock to scan the image and it reported the 3 items above.

Then, I updated the go.mod iiems and did a go mod tidy and then re-built the image and the Twistlock scan no longer indicates those 3 items.

More testing needs to occur before I change my pr from draft mode.

Anything else

With newly built images as well as the existing public ray-operator images (0.6.0 and the last rc)

Are you willing to submit a PR?

  • Yes I am willing to submit a PR!
@jbusche
Copy link
Contributor Author

jbusche commented Oct 17, 2023

Created PR #1495 for this

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

Successfully merging a pull request may close this issue.

1 participant