Resolve tier 1 image CVEs that are identified by security team #4194
Comments
from the JIRA issue: rancher/k3s-upgrade We are not listing the exact issues here, because new versions of the above images might be flagged by image-scanning in the meantime. Upstream CVEs are outside the scope of this work, given that we can't control when they are patched. Please consult with the Security team in case of questions.
Not Mirrored: 82
I have noticed some duplication of information across the issues I have worked, so in order to work more efficiently, I have decided to compile a list of all the images, and the binaries that are in them. Once this is done, I can take that a level further and find all of the dependencies for the binaries that have CVEs. In the end I hope to have a list of the CVEs for dependencies of binaries that we build, and what images those binaries exist in. This should give us an understanding of the scope of a CVE based on the number of images it affects. We can then choose to resolve/ignore a CVE and understand what effect that has on the system as a whole.
The most prevalent problem is the duplicate/overlapping CVEs. New plan!
Image Xref part 2
That is the last of them, now to compile it from the bin point of view and cross reference with dependency CVEs.
@matttrach Can you give me a status update on this one and why it was moved to the Backlog? Thank you!
yeah, sorry. I should have updated this earlier. I pulled the csv of the image scans from https://github.com/rancher/image-scanning/tree/main/docs/_data, imported the data to Google sheets and used the QUERY function to aggregate the data a little better. This essentially made the sheet a mini database with the ability to use sql queries against it.
The data I have gathered and the processes I have used should give the team tools to more quickly discover false positives in the CVE scanning tools and quickly address any CVEs that are under our control.
There is more that can be done with this, but I believe this resolves the immediate concerns.
I moved this to the backlog because I was not actively working on it anymore and I am unaware of anyone else picking it up.
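The aggregation this comment describes (scan rows grouped by CVE, duplicates collapsed, CVEs ranked by how many images they affect), as an added example that is not part of this issue or of the rancher/image-scanning repository. The column names and every sample row are constructed assumptions, not the real export schema.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the shape of a per-image scan export: one row per
# (image, CVE, package). Column names are an assumption; CVE ids are
# placeholders. Note the deliberate duplicate row for example/other:v1.0.
SCAN_CSV = """image,cve,severity,package,version
rancher/k3s-upgrade:vX,CVE-EXAMPLE-1,HIGH,libfoo,1.0.0
rancher/k3s-upgrade:vX,CVE-EXAMPLE-2,MEDIUM,libbar,2.1.0
example/other:v1.0,CVE-EXAMPLE-1,HIGH,libfoo,1.0.0
example/other:v1.0,CVE-EXAMPLE-1,HIGH,libfoo,1.0.0
example/third:v2.0,CVE-EXAMPLE-3,LOW,libbaz,0.9
"""


def aggregate_cves(csv_text):
    """Group scan rows by CVE. For each CVE return its severity, the sorted
    set of affected images and the package@version entries that carry it.
    Repeated rows (same CVE reported twice for one image) collapse into
    one entry, which is the duplicate/overlap problem the thread mentions."""
    by_cve = defaultdict(lambda: {"severity": None, "images": set(), "packages": set()})
    for row in csv.DictReader(io.StringIO(csv_text)):
        entry = by_cve[row["cve"]]
        entry["severity"] = row["severity"]
        entry["images"].add(row["image"])
        entry["packages"].add(f'{row["package"]}@{row["version"]}')
    return {
        cve: {
            "severity": e["severity"],
            "images": sorted(e["images"]),
            "packages": sorted(e["packages"]),
        }
        for cve, e in by_cve.items()
    }


def rank_by_scope(summary):
    """Order CVE ids by the number of images they affect, widest first,
    so triage effort goes to the finding with the largest footprint."""
    return sorted(summary, key=lambda cve: (-len(summary[cve]["images"]), cve))


if __name__ == "__main__":
    summary = aggregate_cves(SCAN_CSV)
    for cve in rank_by_scope(summary):
        print(cve, summary[cve]["severity"], len(summary[cve]["images"]), "image(s)")
```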
sorry, I meant to also mention #4365 where I am adding the image data I collected to the RKE2 repo.
We have resolved all CVEs that are within our direct control (in our codebase), and now we'll create a new issue for follow-on work that has more to do with dependencies.
@matttrach thanks for the amazing work 👏🏻
Refer to Jira ticket for more detail: https://jira.suse.com/browse/SURE-6236