You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I searched the issues and found no similar issues.
KubeRay Component
ray-operator
What happened + What you expected to happen
Using Twistlock I can see three fixable CVEs that are easily fixed by updating two go.mod items. I've created a branch where it works, I just need to create a PR in draft mode and make sure it passes all tests and that it runs properly on my server.
severityCHML cvss riskFactors cve link hasFix status packageType packageName
M 6.2 DoS - Low,Has fix,Medium severity PRISMA-2023-0056 https://github.com/sirupsen/logrus/issues/1370 Y fixed in v1.9.3 go github.com/sirupsen/logrus
M 0 Has fix,Medium severity,Recent vulnerability CVE-2023-39325 https://nvd.nist.gov/vuln/detail/CVE-2023-39325 Y fixed in 0.17.0 go golang.org/x/net
M 6.1 Attack complexity: low,Attack vector: network,Has fix,Medium severity,Recent vulnerability CVE-2023-3978 https://nvd.nist.gov/vuln/detail/CVE-2023-3978 Y fixed in 0.13.0 go golang.org/x/net
After my go.mod updates to the suggested fixed versions, then the three vulnerabilities above are gone when scanned with Twistlock.
Reproduction script
I built the ray-operator image manually with:
cd ray-operator
make docker-image
And then used Twistlock to scan the image and it reported the 3 items above.
Then, I updated the go.mod iiems and did a go mod tidy and then re-built the image and the Twistlock scan no longer indicates those 3 items.
More testing needs to occur before I change my pr from draft mode.
Anything else
With newly built images as well as the existing public ray-operator images (0.6.0 and the last rc)
Are you willing to submit a PR?
Yes I am willing to submit a PR!
The text was updated successfully, but these errors were encountered:
Search before asking
KubeRay Component
ray-operator
What happened + What you expected to happen
Using Twistlock I can see three fixable CVEs that are easily fixed by updating two go.mod items. I've created a branch where it works, I just need to create a PR in draft mode and make sure it passes all tests and that it runs properly on my server.
After my go.mod updates to the suggested fixed versions, then the three vulnerabilities above are gone when scanned with Twistlock.
Reproduction script
I built the ray-operator image manually with:
And then used Twistlock to scan the image and it reported the 3 items above.
Then, I updated the go.mod iiems and did a
go mod tidy
and then re-built the image and the Twistlock scan no longer indicates those 3 items.More testing needs to occur before I change my pr from draft mode.
Anything else
With newly built images as well as the existing public ray-operator images (0.6.0 and the last rc)
Are you willing to submit a PR?
The text was updated successfully, but these errors were encountered: