
Fix vulnerabilities #226


Open
wants to merge 2 commits into master

Conversation

mviswanathsai

@mviswanathsai mviswanathsai commented Feb 18, 2025

What this PR does / why we need it: This PR updates the dependencies of the Chaos Runner image which had known vulnerabilities with high severity. The vulnerability scan before and after was done using Trivy.

Which issue this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close that issue when PR gets merged): fixes #158

Special notes for your reviewer:
Before:

mviswanathsai@pop-os:~/chaos-runner$ trivy image --severity HIGH,CRITICAL docker.io/litmuschaos/chaos-runner:ci
2025-02-18T12:42:22+05:30	INFO	[vulndb] Need to update DB
2025-02-18T12:42:22+05:30	INFO	[vulndb] Downloading vulnerability DB...
2025-02-18T12:42:22+05:30	INFO	[vulndb] Downloading artifact...	repo="mirror.gcr.io/aquasec/trivy-db:2"
59.23 MiB / 59.23 MiB [-----------------------------------------------------------------------------------------------------------] 100.00% 9.95 MiB p/s 6.2s
2025-02-18T12:42:30+05:30	INFO	[vulndb] Artifact successfully downloaded	repo="mirror.gcr.io/aquasec/trivy-db:2"
2025-02-18T12:42:30+05:30	INFO	[vuln] Vulnerability scanning is enabled
2025-02-18T12:42:30+05:30	INFO	[secret] Secret scanning is enabled
2025-02-18T12:42:30+05:30	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-02-18T12:42:30+05:30	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.59/docs/scanner/secret#recommendation for faster secret detection
2025-02-18T12:42:32+05:30	INFO	Detected OS	family="redhat" version="9.4"
2025-02-18T12:42:32+05:30	INFO	[redhat] Detecting RHEL/CentOS vulnerabilities...	os_version="9" pkg_num=104
2025-02-18T12:42:32+05:30	INFO	Number of language-specific files	num=1
2025-02-18T12:42:32+05:30	INFO	[gobinary] Detecting vulnerabilities...
2025-02-18T12:42:32+05:30	WARN	Using severities from other vendors for some vulnerabilities. Read https://aquasecurity.github.io/trivy/v0.59/docs/scanner/vulnerability#severity-selection for details.

docker.io/litmuschaos/chaos-runner:ci (redhat 9.4)

Total: 2 (HIGH: 2, CRITICAL: 0)

┌──────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────────┬──────────────────────────────────────────────────────────┐
│   Library    │ Vulnerability  │ Severity │ Status │ Installed Version │   Fixed Version   │                          Title                           │
├──────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────────┼──────────────────────────────────────────────────────────┤
│ krb5-libs    │ CVE-2024-3596  │ HIGH     │ fixed  │ 1.21.1-2.el9_4    │ 1.21.1-4.el9_5    │ freeradius: forgery attack                               │
│              │                │          │        │                   │                   │ https://avd.aquasec.com/nvd/cve-2024-3596                │
├──────────────┼────────────────┤          │        ├───────────────────┼───────────────────┼──────────────────────────────────────────────────────────┤
│ openssl-libs │ CVE-2024-12797 │          │        │ 1:3.0.7-28.el9_4  │ 1:3.2.2-6.el9_5.1 │ openssl: RFC7250 handshakes with unauthenticated servers │
│              │                │          │        │                   │                   │ don't abort as expected                                  │
│              │                │          │        │                   │                   │ https://avd.aquasec.com/nvd/cve-2024-12797               │
└──────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────────┴──────────────────────────────────────────────────────────┘

usr/local/bin/chaos-runner (gobinary)

Total: 1 (HIGH: 1, CRITICAL: 0)

┌──────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────┐
│     Library      │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                       Title                       │
├──────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────┤
│ golang.org/x/net │ CVE-2024-45338 │ HIGH     │ fixed  │ v0.17.0           │ 0.33.0        │ golang.org/x/net/html: Non-linear parsing of      │
│                  │                │          │        │                   │               │ case-insensitive content in golang.org/x/net/html │
│                  │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-45338        │
└──────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────┘

After:

mviswanathsai@pop-os:~/chaos-runner$ trivy image --severity HIGH,CRITICAL docker.io/litmuschaos/chaos-runner:ci
2025-02-18T12:50:45+05:30	INFO	[vuln] Vulnerability scanning is enabled
2025-02-18T12:50:45+05:30	INFO	[secret] Secret scanning is enabled
2025-02-18T12:50:45+05:30	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-02-18T12:50:45+05:30	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.59/docs/scanner/secret#recommendation for faster secret detection
2025-02-18T12:50:46+05:30	INFO	Detected OS	family="redhat" version="9.5"
2025-02-18T12:50:46+05:30	INFO	[redhat] Detecting RHEL/CentOS vulnerabilities...	os_version="9" pkg_num=105
2025-02-18T12:50:46+05:30	INFO	Number of language-specific files	num=1
2025-02-18T12:50:46+05:30	INFO	[gobinary] Detecting vulnerabilities...
2025-02-18T12:50:46+05:30	WARN	Using severities from other vendors for some vulnerabilities. Read https://aquasecurity.github.io/trivy/v0.59/docs/scanner/vulnerability#severity-selection for details.

docker.io/litmuschaos/chaos-runner:ci (redhat 9.5)

Total: 0 (HIGH: 0, CRITICAL: 0)

Checklist:

  • Fixes #
  • Labelled this PR & related issue with documentation tag
  • PR message has documentation-related information
  • Labelled this PR & related issue with breaking-changes tag
  • PR message has breaking-changes-related information
  • Labelled this PR & related issue with requires-upgrade tag
  • PR message has upgrade-related information
  • Commit has unit tests
  • Commit has integration tests

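The before/after comparison in this PR was done by eye on two Trivy tables; the script below is an added example (not code from the PR or the chaos-runner project) that does the same comparison over Trivy's `--format json` output and yields a pass/fail verdict a CI job can act on. The two embedded reports are constructed from the tables above (same CVEs, packages and versions) and trimmed to the fields the script reads.

```python
"""Diff two Trivy JSON reports and gate a CI job on HIGH/CRITICAL findings."""
import json

GATE_SEVERITIES = {"HIGH", "CRITICAL"}

# Constructed sample reports modelled on the before/after scan tables in the PR
# description (same CVEs, packages and versions), trimmed to the fields of
# Trivy's `--format json` output that this script reads.
BEFORE_JSON = json.dumps({"Results": [
    {"Target": "docker.io/litmuschaos/chaos-runner:ci (redhat 9.4)", "Type": "redhat",
     "Vulnerabilities": [
         {"VulnerabilityID": "CVE-2024-3596", "PkgName": "krb5-libs", "Severity": "HIGH",
          "InstalledVersion": "1.21.1-2.el9_4", "FixedVersion": "1.21.1-4.el9_5"},
         {"VulnerabilityID": "CVE-2024-12797", "PkgName": "openssl-libs", "Severity": "HIGH",
          "InstalledVersion": "1:3.0.7-28.el9_4", "FixedVersion": "1:3.2.2-6.el9_5.1"}]},
    {"Target": "usr/local/bin/chaos-runner", "Type": "gobinary",
     "Vulnerabilities": [
         {"VulnerabilityID": "CVE-2024-45338", "PkgName": "golang.org/x/net", "Severity": "HIGH",
          "InstalledVersion": "v0.17.0", "FixedVersion": "0.33.0"}]}]})
# After the dependency bump every target is clean; Trivy may then omit the
# "Vulnerabilities" key for a target entirely, which the parser must tolerate.
AFTER_JSON = json.dumps({"Results": [
    {"Target": "docker.io/litmuschaos/chaos-runner:ci (redhat 9.5)", "Type": "redhat"},
    {"Target": "usr/local/bin/chaos-runner", "Type": "gobinary"}]})


def findings(report_json, severities=GATE_SEVERITIES):
    """Map (scanner type, package, CVE) -> fixed version for gated severities."""
    out = {}
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            if v.get("Severity") in severities:
                out[(result.get("Type"), v["PkgName"], v["VulnerabilityID"])] = v.get("FixedVersion", "")
    return out


def diff_reports(before_json, after_json):
    """Classify gated findings as resolved, introduced (regressions) or still open."""
    before, after = findings(before_json), findings(after_json)
    return {"resolved": sorted(set(before) - set(after)),
            "introduced": sorted(set(after) - set(before)),
            "open": sorted(set(before) & set(after))}


def gate(after_json):
    """Return True only when no HIGH/CRITICAL finding remains (the CI pass condition)."""
    return not findings(after_json)
```

Run `gate()` on the post-build report to fail the pipeline, and `diff_reports()` to print which CVEs a dependency bump actually closed and whether it introduced any new ones.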
@mviswanathsai mviswanathsai force-pushed the fix-vulnerabilities branch 2 times, most recently from 8a1008c to a3ce6b8 Compare February 18, 2025 07:31
Successfully merging this pull request may close these issues.

Docker Container Image Vulnerability Check - 2021-07-30
1 participant