
some high security vulnerabilities scanned out which need to be fixed #295

Closed
janezhen08 opened this issue Jun 29, 2023 · 1 comment · Fixed by #296

Comments


janezhen08 commented Jun 29, 2023

Hello Team,

We have installed the sap-btp-service-operator Helm chart v0.4.6 in our k8s cluster, and in a recent security scan several high security vulnerabilities were reported which need to be fixed.

The scanned image is: ghcr.io/sap/sap-btp-service-operator/controller:v0.4.6

Please refer to below details:

```
trivy image ghcr.io/sap/sap-btp-service-operator/controller:v0.4.6
2023-06-29T16:32:44.472+0800 INFO Vulnerability scanning is enabled
2023-06-29T16:32:44.473+0800 INFO Secret scanning is enabled
2023-06-29T16:32:44.473+0800 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-06-29T16:32:44.473+0800 INFO Please see also https://aquasecurity.github.io/trivy/v0.42/docs/secret/scanning/#recommendation for faster secret detection
2023-06-29T16:32:57.859+0800 INFO Detected OS: debian
2023-06-29T16:32:57.859+0800 INFO Detecting Debian vulnerabilities...
2023-06-29T16:32:57.862+0800 INFO Number of language-specific files: 1
2023-06-29T16:32:57.862+0800 INFO Detecting gobinary vulnerabilities...

ghcr.io/sap/sap-btp-service-operator/controller:v0.4.6 (debian 11.7)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

manager (gobinary)

Total: 7 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 5, CRITICAL: 0)

Library            Vulnerability   Severity  Installed Version                   Fixed Version                      Title
golang.org/x/net   CVE-2021-44716  HIGH      v0.0.0-20210825183410-e898025ed96a  0.0.0-20211209124913-491a49abca63  golang: net/http: limit growth of header canonicalization cache  https://avd.aquasec.com/nvd/cve-2021-44716
golang.org/x/net   CVE-2022-27664  HIGH      v0.0.0-20210825183410-e898025ed96a  0.0.0-20220906165146-f3363e06e74c  handle server errors after sending GOAWAY  https://avd.aquasec.com/nvd/cve-2022-27664
golang.org/x/net   CVE-2022-41723  HIGH      v0.0.0-20210825183410-e898025ed96a  0.7.0                              avoid quadratic complexity in HPACK decoding  https://avd.aquasec.com/nvd/cve-2022-41723
golang.org/x/net   CVE-2022-41717  MEDIUM    v0.0.0-20210825183410-e898025ed96a  0.4.0                              excessive memory growth in a Go server accepting HTTP/2 requests  https://avd.aquasec.com/nvd/cve-2022-41717
golang.org/x/sys   CVE-2022-29526  MEDIUM    v0.0.0-20211029165221-6e7872819dc8  0.0.0-20220412211240-33da011f77ad  faccessat checks wrong group  https://avd.aquasec.com/nvd/cve-2022-29526
golang.org/x/text  CVE-2022-32149  HIGH      v0.3.7                              0.3.8                              ParseAcceptLanguage takes a long time to parse complex tags  https://avd.aquasec.com/nvd/cve-2022-32149
gopkg.in/yaml.v3   CVE-2022-28948  HIGH      v3.0.0-20210107192922-496545a6307b  3.0.0-20220521103104-8f96da9f5d5e  crash when attempting to deserialize invalid input  https://avd.aquasec.com/nvd/cve-2022-28948
```

```
grype ghcr.io/sap/sap-btp-service-operator/controller:v0.4.6
✔ Vulnerability DB [no update available]
✔ Pulled image
✔ Loaded image
✔ Parsed image
✔ Cataloged packages [58 packages]
✔ Scanning image... [6 vulnerabilities]
├── 0 critical, 4 high, 2 medium, 0 low, 0 negligible
└── 4 fixed

NAME               INSTALLED                           FIXED-IN                           TYPE       VULNERABILITY        SEVERITY
golang.org/x/net   v0.0.0-20210825183410-e898025ed96a  0.0.0-20220906165146-f3363e06e74c  go-module  GHSA-69cg-p879-7622  High
golang.org/x/net   v0.0.0-20210825183410-e898025ed96a  0.7.0                              go-module  GHSA-vvpx-j8f3-3w6h  High
golang.org/x/sys   v0.0.0-20211029165221-6e7872819dc8  0.0.0-20220412211240-33da011f77ad  go-module  GHSA-p782-xgp4-8hr8  Medium
golang.org/x/text  v0.3.7                              0.3.8                              go-module  GHSA-69ch-w2m2-3vjp  High
```

Could you take a look and see if the high vulnerabilities can be fixed or not?

Thanks,

Jane
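Both scanners above are reading the module list that the Go toolchain embeds in the `manager` binary, and the remedy is a rebuild with those modules at or above the listed fixed versions. A direct way to confirm that a rebuilt image really carries the fix is to run `go version -m` on the `manager` binary and compare the embedded versions with the fixed ones, which is what the program below does. It is an added example, not code from this issue or from the sap-btp-service-operator project: the `go version -m` output it parses is constructed here (the Go version string, the module path `example.invalid/controller` and the `h1:constructed` sums are placeholders; the dependency versions are the ones the scan reported), and the fixed-version table is copied from the trivy output above. The comparison implements semver precedence in general, including Go pseudo-versions such as `v0.0.0-20210825183410-e898025ed96a`, so it orders versions the issue does not show as well.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

type Finding struct{ Module, Installed, Fixed string } // a dependency below its known fix

// fixedVersions holds the minimum fixed versions from the trivy table above.
var fixedVersions = map[string]string{
	"golang.org/x/net":  "v0.7.0", // highest of its four fixes (CVE-2022-41723); covers the rest
	"golang.org/x/sys":  "v0.0.0-20220412211240-33da011f77ad",
	"golang.org/x/text": "v0.3.8",
	"gopkg.in/yaml.v3":  "v3.0.0-20220521103104-8f96da9f5d5e",
}

// sampleGoVersionM is a constructed imitation of `go version -m manager` output: the Go
// version, module path and h1: sums are placeholders; the dep versions are the scan's.
const sampleGoVersionM = "manager: go1.19.10\n" +
	"\tmod\texample.invalid/controller\t(devel)\n" +
	"\tdep\tgolang.org/x/net\tv0.0.0-20210825183410-e898025ed96a\th1:constructed\n" +
	"\tdep\tgolang.org/x/sys\tv0.0.0-20211029165221-6e7872819dc8\th1:constructed\n" +
	"\tdep\tgolang.org/x/text\tv0.3.7\th1:constructed\n" +
	"\tdep\tgopkg.in/yaml.v3\tv3.0.0-20210107192922-496545a6307b\th1:constructed\n" +
	"\tdep\tsigs.k8s.io/yaml\tv1.3.0\th1:constructed\n"

// parseVersion splits "v0.7.0" or "v3.0.0-20220521103104-8f96da9f5d5e" into a numeric
// core and pre-release identifiers; a Go pseudo-version is just a semver pre-release.
func parseVersion(v string) (core [3]int, pre []string, err error) {
	v, _, _ = strings.Cut(strings.TrimPrefix(v, "v"), "+") // build metadata never orders
	if rest, preStr, ok := strings.Cut(v, "-"); ok {
		v, pre = rest, strings.Split(preStr, ".")
	}
	if n, _ := fmt.Sscanf(v, "%d.%d.%d", &core[0], &core[1], &core[2]); n != 3 {
		return core, nil, fmt.Errorf("malformed version %q", v)
	}
	return core, pre, nil
}

// versionLess reports whether a precedes b under semver: numeric major.minor.patch first,
// a release outranks any pre-release of that core, then identifier by identifier.
func versionLess(a, b string) bool {
	ca, pa, errA := parseVersion(a)
	cb, pb, errB := parseVersion(b)
	if errA != nil || errB != nil {
		return a < b // unparseable input: fall back to plain text order
	}
	for k := 0; k < 3; k++ {
		if ca[k] != cb[k] {
			return ca[k] < cb[k]
		}
	}
	if len(pa) == 0 || len(pb) == 0 {
		return len(pa) > 0 // only a pre-release can be below the bare release
	}
	k := 0
	for k < len(pa) && k < len(pb) && pa[k] == pb[k] {
		k++
	}
	if k == len(pa) || k == len(pb) {
		return len(pa) < len(pb) // shared prefix equal: the shorter list is lower
	}
	digits := func(s string) bool { return strings.Trim(s, "0123456789") == "" }
	na, nb := digits(pa[k]), digits(pb[k])
	switch {
	case na && nb: // no leading zeros allowed, so length decides before the digits do
		return len(pa[k]) < len(pb[k]) || (len(pa[k]) == len(pb[k]) && pa[k] < pb[k])
	case na != nb:
		return na // a digits-only identifier ranks below an alphanumeric one
	}
	return pa[k] < pb[k]
}

// findOutdated parses `go version -m` output and lists, sorted by module path, every
// embedded dependency below its fixed version. A "=>" replace line is recorded too.
func findOutdated(goVersionOutput string, fixed map[string]string) []Finding {
	deps := map[string]string{} // module path -> version; a same-path replace overrides
	for _, line := range strings.Split(goVersionOutput, "\n") {
		f := strings.Split(line, "\t") // "", kind, path, version, sum
		if len(f) >= 4 && (f[1] == "dep" || f[1] == "=>") {
			deps[f[2]] = f[3]
		}
	}
	var out []Finding
	for mod, installed := range deps {
		if want, ok := fixed[mod]; ok && versionLess(installed, want) {
			out = append(out, Finding{mod, installed, want})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Module < out[j].Module })
	return out
}

func main() {
	fmt.Println(findOutdated(sampleGoVersionM, fixedVersions))
}
```

Against a real image, copy the `manager` binary out of the container, run `go version -m manager`, and pass that text in place of the constructed sample; an empty result means every module in the table is at or above its fix. One caveat: a replace directive that points a module at a different path is recorded under the replacement path, so the original path keeps its pre-replace version in the map and should be checked by hand.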

kerenlahav (Contributor) commented

#296

@kerenlahav kerenlahav linked a pull request Jul 3, 2023 that will close this issue