Are Eclipse Che's containers vulnerable to the many issues identified by Trivy #21883
Comments
@bbsclient
For [1] and [2], all critical and high level vulnerabilities come from base image [3]. [1] https://trivy.dev/results/?image=quay.io/eclipse/che-operator:7.59.0
For [1], simply building a fresh image will reduce the number for critical vulnerabilities to 1, like for base image [2] [1] https://trivy.dev/results/?image=quay.io/che-incubator/configbump:0.1.4
If we move from alpine to ubi8, we can use https://github.com/eclipse-che/che-release/actions/workflows/update-base-images.yml to keep the base image updated to the latest UBI 8.x with ALLLL the security fixes.
Do you have a plan for the release of the new configbump image? It still has many critical and high vulnerabilities.
Any news on this item? It has sprint-current label since Jan 25.
Summary
Che's containers were scanned with Trivy and the tool identified many potential vulnerabilities due to dependencies with known vulnerabilities that have been resolved in a newer version. What is the plan to update the dependencies or are these known false positives?
Relevant information
Here are some of the containers that were identified to have potential vulnerabilities:
Repository: che-incubator/configbump
Tag: 0.1.4
Critical Vulnerabilities: 4
Repository: eclipse/che-operator
Tag: 7.57.0
Critical Vulnerabilities: 0
High Vulnerabilities: 9
Repository: devfile/devworkspace-controller
Tag: v0.17.0
Critical Vulnerabilities: 0
High Vulnerabilities: 15
See the attached report for a full list of the identified vulnerabilities:
report.md
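
One way to answer the question raised in this thread (do the critical and high findings come from the base image, and would a rebuild on an updated base clear them?) is to split a Trivy JSON report by result class and fix availability. This is an added example, not part of the original issue or the Che project's tooling; the sample report, its package names and IDs are constructed placeholders, and treating `os-pkgs` results as base-image findings is an assumption, since distro packages installed on top of the base land in the same class.

```python
import json
from collections import Counter

# Constructed sample in the shape of `trivy image --format json` output.
# Package names, versions and IDs are placeholders, not findings from this issue.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {"Target": "example-image (alpine)", "Class": "os-pkgs", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
             "InstalledVersion": "1.0", "FixedVersion": "1.1", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother",
             "InstalledVersion": "2.0", "FixedVersion": "", "Severity": "HIGH"},
        ]},
        {"Target": "usr/local/bin/app", "Class": "lang-pkgs", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "example.org/mod",
             "InstalledVersion": "v0.1.0", "FixedVersion": "v0.2.0", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-0000-0004", "PkgName": "example.org/mod2",
             "InstalledVersion": "v0.1.0", "FixedVersion": "v0.3.0", "Severity": "LOW"},
        ]},
        {"Target": "clean-target", "Class": "lang-pkgs"},  # no findings: key is absent
    ]
})

def triage(report_json, severities=("CRITICAL", "HIGH")):
    """Count findings of the given severities by (origin, remediation)."""
    counts = Counter()
    for result in json.loads(report_json).get("Results") or []:
        # os-pkgs: distro packages (base image or added on top); else app dependencies
        origin = "os-packages" if result.get("Class") == "os-pkgs" else "application-deps"
        for vuln in result.get("Vulnerabilities") or []:
            if vuln.get("Severity") not in severities:
                continue
            remedy = "fix-available" if vuln.get("FixedVersion") else "no-fix-yet"
            counts[(origin, remedy)] += 1
    return counts

def rebuild_would_help(counts):
    """True when at least one OS-package finding has a fixed version published."""
    return counts[("os-packages", "fix-available")] > 0

if __name__ == "__main__":
    for (origin, remedy), n in sorted(triage(SAMPLE_REPORT).items()):
        print(f"{origin:17} {remedy:14} {n}")
```

Findings counted as `os-packages` / `fix-available` are the ones a rebuild on a refreshed base image can clear; `application-deps` findings need a dependency bump in the project itself.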