Many vulnarabilities are reported while we use this image as BASE image for Ceph CSI #2077
Comments
|
Red Hat rebuilt the stream8 container, so rebuilding this one now should help... |
|
@mohag , @humblec
The vulnerability CVE-2022-21797 is still open. Is it possible we can patch base image and get this CVE fixed. There was one upgrade to base image done in Feb 23, ceph/ceph-csi#3635, however this CVI is still open. |
|
To add, base image from redhat stream 8 container, is updated: https://bugzilla.redhat.com/show_bug.cgi?id=2166562#c3 for 8stream |
|
CentOS Stream 8 is EoL soon.... (The images likely need to move to CentOS Stream 9 (or something else)) I suspect that the main problem is that Trivy uses the RHEL vulnerability database for CentOS Stream and that the package versions no longer align closely enough. (The fixes for RHEL may / may not exist for CentOS Stream as well it seems) See Q4 here Trivy has a PR for CentOS Stream support The rebuilds of the base container only helps if these containers are rebuilt after the base image has been updated... I'm not sure if there are scheduled rebuilds or if they are only build on new releases. (and looking at the CentOS FAQ and Trivy issues about CentOS Stream, it seems like an up to date CentOS Stream might still contain vulnerabilities that is fixed in RHEL) |
|
Yes, up to date CentOS stream might contain some vulnerabilities. However, these are incrementally fixed. Following same procedure, for other repos. as base image is updated, previously known vulnerabilities will be patched. Any timeline for moving to CentOS Stream 9? |
|
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in a week if no further activity occurs. Thank you for your contributions. |
|
I'd like this Issue to remain open while the Ceph image still reports a critical level vulnerability. |
|
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in a week if no further activity occurs. Thank you for your contributions. |
|
bump |
|
@ktdreyer any help to take care of this from base container pov ? |
|
Fwiw, I'm coming from a place here where I would like to help with fixing this. At least for the Critical level Joblib vulnerability which is resolved in Joblib 1.2.0. But I don't know much about Joblib, how its introduced in the ceph image, or what issues could arise from upgrading it to 1.2.0 from what appears to be installed in the container (0.16.0). But it would be excellent to take care of this if we can, Ceph is a critical piece of infrastructure to many, and it would be sad to see it go unmaintained So if the maintainer team doesn't have resources for fixing this, maybe they have resources to guide me into fixing it for them? This screenshot is from my k8s cluster vulnerability scanner dashboard, and is for the ceph-csi image which uses the image from this repository as a base @humblec fwiw I think the Medium and Low severity vulnerabilities from this screenshot are probably actually introduced in the ceph-csi image. |
|
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in a week if no further activity occurs. Thank you for your contributions. |
|
Not stale. These stale Issue notifications are pretty annoying to be honest. I'll just keep re-upping this Issue as long as I am alive 😄 |
We use latest image hash of ceph in our ( ceph-csi github.com/ceph/ceph-csi) container build process and running the scanner against the build returns too many vulnarabilities . This has become an issue for many users and also for the secuirty reports generated on ceph csi image. We can not do anything to fix these issues in our image or iow, it has to be fixed here.
Can you consider this in prioirty and address these vulnarabilities?
A recent run report can be seen here:
ceph/ceph-csi#3538
The text was updated successfully, but these errors were encountered: