
Are Eclipse Che's containers vulnerable to the many issues identified by Trivy #21883

Open
Tracked by #21941
bbsclient opened this issue Dec 12, 2022 · 7 comments
Labels
area/install Issues related to installation, including offline/air gap and initial setup kind/task Internal things, technical debt, and to-do tasks to be performed. lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. severity/P1 Has a major impact to usage or development of the system.

Comments

@bbsclient

Summary

Che's containers were scanned with Trivy, and the tool identified many potential vulnerabilities due to dependencies with known vulnerabilities that have been resolved in newer versions. What is the plan to update the dependencies, or are these known false positives?

Relevant information

Here are some of the containers that were identified to have potential vulnerabilities:
Repository: che-incubator/configbump
Tag: 0.1.4
Critical Vulnerabilities: 4

Repository: eclipse/che-operator
Tag: 7.57.0
Critical Vulnerabilities: 0
High Vulnerabilities: 9

Repository: devfile/devworkspace-controller
Tag: v0.17.0
Critical Vulnerabilities: 0
High Vulnerabilities: 15

See the attached report for a full list of the identified vulnerabilities:
report.md

@bbsclient bbsclient added the kind/question Questions that haven't been identified as being feature requests or bugs. label Dec 12, 2022
@che-bot che-bot added the status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. label Dec 12, 2022
@tolusha tolusha added the area/install Issues related to installation, including offline/air gap and initial setup label Dec 13, 2022
@tolusha
Contributor

tolusha commented Dec 13, 2022

@bbsclient
Thank you for reporting.

@ibuziuk ibuziuk added sprint/next kind/task Internal things, technical debt, and to-do tasks to be performed. and removed kind/question Questions that haven't been identified as being feature requests or bugs. labels Dec 13, 2022
@dkwon17 dkwon17 added severity/P1 Has a major impact to usage or development of the system. and removed status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. labels Dec 13, 2022
@tolusha
Contributor

tolusha commented Jan 20, 2023

For [1] and [2], all critical- and high-level vulnerabilities come from the base image [3].

[1] https://trivy.dev/results/?image=quay.io/eclipse/che-operator:7.59.0
[2] https://trivy.dev/results/?image=quay.io/devfile/devworkspace-controller:v0.18.1
[3] registry.access.redhat.com/ubi8-minimal:8.7-1049
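
The split described in the comment above (critical/high findings inherited from the base image versus ones introduced by the image's own layers) can be checked mechanically from Trivy's JSON output rather than by eye. The script below is an added example for this thread, not code from Eclipse Che, DevWorkspace or Trivy. It relies on the fields `trivy image --format json` emits (`Metadata.DiffIDs`, `Results[].Vulnerabilities[].Layer.DiffID`, `Severity`, `FixedVersion`); the image name, layer IDs, package names and `EXAMPLE-*` identifiers in the embedded sample reports are constructed placeholders, not real images or CVEs.

```python
"""Triage a Trivy JSON image report: split findings into those inherited from
the base image and those added by the application layers, and list the ones
that already have a fixed package version.

Added example for this discussion; not Eclipse Che or Trivy project code.
"""
import json
from collections import Counter

# Constructed placeholders: layer DiffIDs for a three-layer image. L1 and L2
# are assumed to be the FROM image's layers, L3 the application build's layer.
L1 = "sha256:" + "a" * 64
L2 = "sha256:" + "b" * 64
L3 = "sha256:" + "c" * 64

# Constructed sample in the shape of `trivy image --format json IMAGE`.
# Image, packages and EXAMPLE-* IDs are placeholders, not real CVEs.
SAMPLE_IMAGE_REPORT = json.dumps({
    "ArtifactName": "registry.invalid/example/app:1.0",
    "Metadata": {"DiffIDs": [L1, L2, L3]},
    "Results": [
        {"Target": "registry.invalid/example/app:1.0 (example-os 1.0)",
         "Class": "os-pkgs",
         "Vulnerabilities": [
             {"VulnerabilityID": "EXAMPLE-0001", "PkgName": "base-lib",
              "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2",
              "Severity": "HIGH", "Layer": {"DiffID": L1}},
             {"VulnerabilityID": "EXAMPLE-0002", "PkgName": "base-tool",
              "InstalledVersion": "3.2", "FixedVersion": "",
              "Severity": "CRITICAL", "Layer": {"DiffID": L2}}]},
        {"Target": "usr/local/bin/app", "Class": "lang-pkgs", "Type": "gobinary",
         "Vulnerabilities": [
             {"VulnerabilityID": "EXAMPLE-0003", "PkgName": "example.invalid/dep",
              "InstalledVersion": "v2.4.0", "FixedVersion": "v2.4.1",
              "Severity": "HIGH", "Layer": {"DiffID": L3}},
             {"VulnerabilityID": "EXAMPLE-0004", "PkgName": "example.invalid/other",
              "InstalledVersion": "v0.9.0", "FixedVersion": "",
              "Severity": "MEDIUM"}]},  # no Layer recorded: attribution unknown
    ],
})

# Constructed sample of a separate `trivy image --format json BASE_IMAGE` run.
# Only its DiffIDs matter: layers are content-addressed, so the FROM image's
# DiffIDs reappear unchanged as the lower layers of every image built on it.
SAMPLE_BASE_REPORT = json.dumps({"Metadata": {"DiffIDs": [L1, L2]}})


def base_layers(base_report_json):
    """DiffIDs of the base image, taken from its own Trivy report."""
    return set(json.loads(base_report_json)["Metadata"]["DiffIDs"])


def triage(image_report_json, base_diff_ids):
    """Count findings by (origin, severity) and collect the fixable ones.

    origin is 'base' if the finding's layer is one of the base image's layers,
    'app' if it is another layer of this image, 'unknown' if Trivy recorded
    no layer for it.
    """
    report = json.loads(image_report_json)
    own_layers = set(report["Metadata"]["DiffIDs"])
    counts, fixable = Counter(), []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            diff_id = (vuln.get("Layer") or {}).get("DiffID")
            if diff_id in base_diff_ids:
                origin = "base"
            elif diff_id in own_layers:
                origin = "app"
            else:
                origin = "unknown"
            severity = vuln.get("Severity", "UNKNOWN").upper()
            counts[(origin, severity)] += 1
            if vuln.get("FixedVersion"):  # empty string means no fix published
                fixable.append({"id": vuln["VulnerabilityID"], "pkg": vuln["PkgName"],
                                "origin": origin, "severity": severity,
                                "fixed_in": vuln["FixedVersion"]})
    return counts, fixable


def fixable_by_origin(fixable, origin, severities=("CRITICAL", "HIGH")):
    """'app': removable by bumping a dependency in this image's own build.
    'base': removable by rebuilding on a newer base tag."""
    return [f["id"] for f in fixable if f["origin"] == origin and f["severity"] in severities]


def summarize(image_report_json, base_report_json):
    """One dict a CI step can print or gate on."""
    counts, fixable = triage(image_report_json, base_layers(base_report_json))
    return {"counts": {f"{o}/{s}": n for (o, s), n in counts.items()},
            "fix_in_app_build": fixable_by_origin(fixable, "app"),
            "fix_by_base_rebuild": fixable_by_origin(fixable, "base")}


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_IMAGE_REPORT, SAMPLE_BASE_REPORT), indent=2))
```

With real data, feed `summarize()` the output of `trivy image --format json -o image.json IMAGE` and of the same command run against the base image named in the Dockerfile's FROM line (here registry.access.redhat.com/ubi8-minimal:8.7-1049). One caveat: the layer match only works if the base image is scanned at the exact digest the image was built from; if the tag was re-pushed since the build, the DiffIDs differ and the base findings show up as "unknown" rather than "base".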

@tolusha
Contributor

tolusha commented Jan 20, 2023

For [1], simply building a fresh image will reduce the number of critical vulnerabilities to 1, as for the base image [2].

[1] https://trivy.dev/results/?image=quay.io/che-incubator/configbump:0.1.4
[2] https://trivy.dev/results/?image=alpine:3.12

@nickboldt
Contributor

If we move from alpine to ubi8, we can use https://github.com/eclipse-che/che-release/actions/workflows/update-base-images.yml to keep the base image updated to the latest UBI 8.x with all the security fixes.

@martinelli-francesco

Do you have a plan for the release of the new configbump image? It still has many critical and high vulnerabilities.

@martinelli-francesco

Any news on this item? It has had the sprint-current label since Jan 25.

@che-bot
Contributor

che-bot commented Jan 6, 2024

Issues go stale after 180 days of inactivity. lifecycle/stale issues rot after an additional 7 days of inactivity and eventually close.

Mark the issue as fresh with /remove-lifecycle stale in a new comment.

If this issue is safe to close now please do so.

Moderators: Add lifecycle/frozen label to avoid stale mode.

@che-bot che-bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 6, 2024
@che-bot che-bot closed this as completed Jan 13, 2024
@tolusha tolusha reopened this Jan 13, 2024
@tolusha tolusha removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 13, 2024
@tolusha tolusha added the lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. label Jun 14, 2024
No branches or pull requests

7 participants