
Comments (10)

ronkara avatar ronkara commented on June 10, 2024

Could someone give an ETA on when the next release will be available and if it will incorporate resolution of the previously listed CVEs?

from csi-driver-host-path.

mauriciopoppe avatar mauriciopoppe commented on June 10, 2024

These are vulns for the Rust openssl package; how did you find that this repo, written in golang, uses those dependencies? I couldn't find anything related to ssl in https://github.com/kubernetes-csi/csi-driver-host-path/blob/master/go.mod

ronkara avatar ronkara commented on June 10, 2024

Thank you for the response. We are using AWS and the container is /k8s.gcr.io/sig-storage/hostpathplugin if that helps you. The scanner we are using is Sysdig and it is finding them as known, vulnerable CVEs, so there is something about libssl and libcrypto deployed in this container that is triggering these high findings. This is an off-the-shelf container and not anything that we would have built.

mauriciopoppe avatar mauriciopoppe commented on June 10, 2024

Gotcha, there might be vulnerabilities in the image https://github.com/kubernetes-csi/csi-driver-host-path/blob/master/Dockerfile. So this CSI Driver is used for testing purposes as a demo CSI Driver.

I added this to our backlog but we don't have SLOs for components that aren't supposed to be used in production, cc @msau42.

If you're using this in production maybe you should evaluate other solutions.

xing-yang avatar xing-yang commented on June 10, 2024

@ronkara Please feel free to submit fixes for CVEs and we can help review and merge them.

xing-yang avatar xing-yang commented on June 10, 2024

/help wanted

ronkara avatar ronkara commented on June 10, 2024

Hi @xing-yang, I don't have a mergeable fix, but the files in question may be part of the alpine build or the linux-coreutils, as the Sysdig container scan states they are OS vulns. The specific issue and the fix versions are as follows:

libcrypto1.1 fix version 1.1.1t-r0
libssl1.1 fix version 1.1.1t-r0

The CVEs are listed in the original message. Just because rust isn't being used, I suspect updating the build to latest version of alpine and linux-coreutils will resolve these vulnerabilities for us.

singhc1997 avatar singhc1997 commented on June 10, 2024

Hi @xing-yang, as @ronkara mentioned above, the following CVEs:
CVE-2022-4450
CVE-2023-0215
CVE-2023-0286
They seem to be related to the openssl 3.0.7-r2 package, which I am assuming comes with the alpine image. Since they are OS vulns, I was thinking that pulling the latest alpine image will resolve these vulnerabilities, because apk update && apk upgrade will also pull in the new packages when we rebuild the image.
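
As an added example (not code from the csi-driver-host-path project or from anyone in this thread), here is a small POSIX shell check for confirming, after the image has been rebuilt on a newer alpine base, that the two packages Sysdig flagged are at or above the fix versions quoted above. It reads the output format of `apk list --installed` on stdin; the listing embedded below is a constructed sample so the script runs outside the container, and it assumes a `sort` that understands `-V` (GNU coreutils or busybox).

```shell
#!/bin/sh
# Added example, not project code. Inside the image the real invocation is:
#   apk list --installed | check_fix_versions
# Fix versions are the ones quoted in this issue (package<space>fixed-version).
FIX_VERSIONS='libssl1.1 1.1.1t-r0
libcrypto1.1 1.1.1t-r0'

# Constructed sample of `apk list --installed` output (assumption: an image
# still carrying the pre-fix 1.1.1s-r0 builds of both packages).
SAMPLE_LISTING='libcrypto1.1-1.1.1s-r0 x86_64 {openssl} (OpenSSL) [installed]
libssl1.1-1.1.1s-r0 x86_64 {openssl} (OpenSSL) [installed]
musl-1.2.3-r4 x86_64 {musl} (MIT) [installed]'

# version_lt A B: succeed when A sorts strictly before B (apk-style versions).
version_lt() {
    [ "$1" != "$2" ] && \
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# check_fix_versions: for every listed package named in FIX_VERSIONS, print
# "VULNERABLE name installed (fix: fixed)" or "ok name installed".
check_fix_versions() {
    while read -r pkgver _; do
        [ -n "$pkgver" ] || continue
        # apk prints name and version as one token, e.g. libssl1.1-1.1.1s-r0
        echo "$FIX_VERSIONS" | while read -r name fixed; do
            case "$pkgver" in
                "$name"-*)
                    installed=${pkgver#"$name"-}
                    if version_lt "$installed" "$fixed"; then
                        echo "VULNERABLE $name $installed (fix: $fixed)"
                    else
                        echo "ok $name $installed"
                    fi
                    ;;
            esac
        done
    done
}

# Demo on the constructed listing; both packages are reported as VULNERABLE.
printf '%s\n' "$SAMPLE_LISTING" | check_fix_versions
```

Run it once against the current image and once against the rebuilt one: if the rebuild really pulled the patched packages (as the `apk update && apk upgrade` step in the comment above is meant to do), both lines flip from `VULNERABLE` to `ok`, which is the same fact the Sysdig scan is reporting but checked directly from the package database.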

ronkara avatar ronkara commented on June 10, 2024

/help wanted, please, if someone has the capability of updating the underlying alpine build to see if this resolves libcrypto1.1 (fix version 1.1.1t-r0) and libssl1.1 (fix version 1.1.1t-r0), per guidance from singhc1997.

jingxu97 avatar jingxu97 commented on June 10, 2024

@ronkara, wondering if you will have some bandwidth to help fix this?
