
Are Eclipse Che's containers vulnerable to the many issues identified by Trivy

Open bbsclient opened this issue 3 years ago • 7 comments

Summary

Che's containers were scanned with Trivy and the tool identified many potential vulnerabilities due to dependencies with known vulnerabilities that have been resolved in a newer version. What is the plan to update the dependencies or are these known false positives?

Relevant information

Here are some of the containers that were identified to have potential vulnerabilities:

- Repository: che-incubator/configbump, Tag: 0.1.4, Critical Vulnerabilities: 4
- Repository: eclipse/che-operator, Tag: 7.57.0, Critical Vulnerabilities: 0, High Vulnerabilities: 9
- Repository: devfile/devworkspace-controller, Tag: v0.17.0, Critical Vulnerabilities: 0, High Vulnerabilities: 15

See the attached report for a full list of the identified vulnerabilities: report.md

bbsclient avatar Dec 12 '22 19:12 bbsclient

@bbsclient Thank you for reporting.

tolusha avatar Dec 13 '22 11:12 tolusha

For [1] and [2], all critical and high level vulnerabilities come from the base image [3].

[1] https://trivy.dev/results/?image=quay.io/eclipse/che-operator:7.59.0
[2] https://trivy.dev/results/?image=quay.io/devfile/devworkspace-controller:v0.18.1
[3] registry.access.redhat.com/ubi8-minimal:8.7-1049

tolusha avatar Jan 20 '23 13:01 tolusha

For [1], simply building a fresh image will reduce the number of critical vulnerabilities to 1, as for the base image [2].

[1] https://trivy.dev/results/?image=quay.io/che-incubator/configbump:0.1.4
[2] https://trivy.dev/results/?image=alpine:3.12

tolusha avatar Jan 20 '23 13:01 tolusha
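The attribution tolusha does by hand in the two comments above (which Critical/High findings come from the base image versus the image's own layers, and which of them a rebuild on a fresh base would clear) can be checked mechanically from Trivy's JSON output. This is an added example, not Che or Trivy project code; the report, CVE ids and layer DiffIDs are constructed, and matching each finding's `Layer.DiffID` against the base image's RootFS layer ids is the assumed approach.

```python
"""Triage a Trivy JSON report: split Critical/High findings by origin
(base image layer vs. application layer) and by whether a fixed package
version exists. Added example; all data below is constructed."""
import json
from collections import Counter

# Constructed: RootFS DiffIDs of the base image (what `docker inspect`
# lists under RootFS.Layers for the base tag the image was built from).
BASE_IMAGE_DIFF_IDS = {"sha256:base-layer-0001", "sha256:base-layer-0002"}

# Constructed report in the shape of `trivy image -f json` output.
TRIVY_REPORT_JSON = json.dumps({
    "Results": [{
        "Target": "example/app:1.0 (redhat 8.7)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "Severity": "CRITICAL",
             "PkgName": "openssl-libs", "InstalledVersion": "1.0",
             "FixedVersion": "1.1", "Layer": {"DiffID": "sha256:base-layer-0001"}},
            {"VulnerabilityID": "CVE-0000-0002", "Severity": "HIGH",
             "PkgName": "libxml2", "InstalledVersion": "2.0",   # no fix yet
             "Layer": {"DiffID": "sha256:base-layer-0002"}},
            {"VulnerabilityID": "CVE-0000-0003", "Severity": "HIGH",
             "PkgName": "golang.org/x/net", "InstalledVersion": "0.1.0",
             "FixedVersion": "0.2.0", "Layer": {"DiffID": "sha256:app-layer-0001"}},
            {"VulnerabilityID": "CVE-0000-0004", "Severity": "LOW",
             "PkgName": "curl", "InstalledVersion": "7.0",
             "FixedVersion": "7.1", "Layer": {"DiffID": "sha256:base-layer-0001"}},
        ],
    }],
})


def triage(report_json, base_diff_ids, severities=("CRITICAL", "HIGH")):
    """Count findings keyed by (origin, severity, fix status).

    origin is "base" when the finding's layer is one of the base image's
    layers, otherwise "app" (the image's own build steps)."""
    counts = Counter()
    for result in json.loads(report_json).get("Results", []):
        # Trivy emits null (not []) for a target with no findings.
        for v in result.get("Vulnerabilities") or []:
            if v.get("Severity") not in severities:
                continue
            layer = (v.get("Layer") or {}).get("DiffID")
            origin = "base" if layer in base_diff_ids else "app"
            fix = "fix_available" if v.get("FixedVersion") else "no_fix"
            counts[(origin, v["Severity"], fix)] += 1
    return counts


if __name__ == "__main__":
    for key, n in sorted(triage(TRIVY_REPORT_JSON, BASE_IMAGE_DIFF_IDS).items()):
        print(key, n)
```

A high count under ("base", ..., "fix_available") is the case tolusha describes: rebuilding on a current base tag clears it without any change to the project's own dependencies, while "no_fix" entries stay until the base distribution ships a fix.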

If we move from alpine to ubi8, we can use https://github.com/eclipse-che/che-release/actions/workflows/update-base-images.yml to keep the base image updated to the latest UBI 8.x with ALLLL the security fixes.

nickboldt avatar Feb 01 '23 15:02 nickboldt

Do you have a plan for the release of the new configbump image? It still has many critical and high vulnerabilities.

martinelli-francesco avatar Mar 21 '23 11:03 martinelli-francesco

Any news on this item? It has sprint-current label since Jan 25.

martinelli-francesco avatar May 22 '23 06:05 martinelli-francesco

Issues go stale after 180 days of inactivity. lifecycle/stale issues rot after an additional 7 days of inactivity and eventually close.

Mark the issue as fresh with /remove-lifecycle stale in a new comment.

If this issue is safe to close now please do so.

Moderators: Add lifecycle/frozen label to avoid stale mode.

che-bot avatar Jan 06 '24 01:01 che-bot