Posted to issues@yunikorn.apache.org by "Wilfred Spiegelenburg (Jira)" <ji...@apache.org> on 2021/12/05 23:26:00 UTC

[jira] [Commented] (YUNIKORN-964) Fix vulnerabilities reported by artifacthub

    [ https://issues.apache.org/jira/browse/YUNIKORN-964?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17453739#comment-17453739 ] 

Wilfred Spiegelenburg commented on YUNIKORN-964:
------------------------------------------------

The web build has a built-in nginx version that needs to be updated. That will also update the alpine image and move it to alpine:3.14.3.

The Dockerfile used for the shim builds pulls in the latest alpine image, so the OS issues will be fixed automatically as latest currently points to 3.15.

For the K8s vulnerabilities found in the scheduler image: we have moved our dependency to v1.20.11. This has fixed all mentioned K8s vulnerabilities in the report.
The gogo protobuf issue is not directly our issue to fix as we do not use gogo. K8s has fixed the issue in 1.20.1 and later, so we have no issue left after our upgrade.

The Go vulnerability is not relevant as we do not use an SSH server. However, compiling with the most recent version of Go (1.16.11 or 1.17.4) fixes that issue.

[~yuchaoran] we need to get the web docker image fix into v0.12.

> Fix vulnerabilities reported by artifacthub
> -------------------------------------------
>
>                 Key: YUNIKORN-964
>                 URL: https://issues.apache.org/jira/browse/YUNIKORN-964
>             Project: Apache YuniKorn
>          Issue Type: Bug
>            Reporter: Kinga Marton
>            Assignee: Wilfred Spiegelenburg
>            Priority: Blocker
>              Labels: pull-request-available
>             Fix For: 0.12
>
>
> Artifacthub has a security report for each image. 
> We need to check and fix the reported vulnerabilities: [https://artifacthub.io/packages/helm/yunikorn/yunikorn/0.11.0?modal=security-report]
>  



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
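The comment above closes the report by bumping three things: the alpine/nginx base images, the k8s.io/* dependencies to the 1.20.11 line, and the Go toolchain to 1.16.11 or 1.17.4. The script below is an added example (not YuniKorn project code) of how a maintainer could verify those three conditions from a Dockerfile and a go.mod before re-running an image scanner. The Dockerfile and go.mod contents are constructed for illustration and do not reproduce the real files; the thresholds are taken from the comment (k8s.io modules express Kubernetes 1.20.11 as v0.20.11). It also flags a floating `latest` tag as a reproducibility caveat: pulling `latest` picks up OS fixes automatically, as the comment notes, but it also means two builds of the same commit can ship different base layers.

```python
"""Check base-image tags and k8s.io/Go versions against the minimums named in the
YuniKorn-964 comment. Added example, not project code; sample inputs are constructed."""
import re

# Constructed sample Dockerfile (hypothetical, modelled on the situation in the comment).
DOCKERFILE = """\
FROM golang:1.16.4 AS build
WORKDIR /src
RUN go build -o /scheduler ./cmd/scheduler
FROM alpine:latest
COPY --from=build /scheduler /bin/scheduler
FROM nginx:1.21.4-alpine AS web
"""

# Constructed sample go.mod (hypothetical module path and versions).
GO_MOD = """\
module github.com/example/scheduler

go 1.16

require (
\tgithub.com/gogo/protobuf v1.3.1
\tk8s.io/api v0.20.4
\tk8s.io/apimachinery v0.20.4
\tk8s.io/client-go v0.20.4
)
"""

# Thresholds from the comment: k8s.io/* at Kubernetes 1.20.11 (module tag v0.20.11),
# Go toolchain 1.16.11 or 1.17.4 for the reported Go issue.
MIN_K8S = (0, 20, 11)
MIN_GO = {16: (1, 16, 11), 17: (1, 17, 4)}
FLOATING_TAGS = {"latest", "edge", "stable", "alpine", "slim"}


def parse_version(text):
    """'v0.20.4' or '1.16.4' -> (0, 20, 4); any suffix after the numbers is ignored."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    return tuple(int(g or 0) for g in m.groups()) if m else None


def check_dockerfile(text):
    """Flag FROM lines that float (no tag or a rolling tag) or use a Go image below MIN_GO."""
    findings, stages = [], set()
    for line in text.splitlines():
        m = re.match(r"\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", line, re.I)
        if not m:
            continue
        ref, stage = m.group(1), m.group(2)
        if stage:
            stages.add(stage)
        if ref in stages or ref == "scratch" or "@sha256:" in ref:
            continue  # earlier build stage, empty base, or digest-pinned: nothing to check
        _, _, last = ref.rpartition("/")          # drop registry/namespace, keep image:tag
        image, _, tag = last.partition(":")
        if not tag or tag in FLOATING_TAGS:
            findings.append(f"{ref}: floating tag, image content changes between builds")
        elif image == "golang":
            v = parse_version(tag)
            need = MIN_GO.get(v[1]) if v else None   # compare within the same minor line
            if need and v < need:
                findings.append(f"{ref}: Go toolchain below {'.'.join(map(str, need))}")
    return findings


def check_go_mod(text):
    """Flag k8s.io/* requirements below MIN_K8S in single-line or block `require` form."""
    findings, in_block = [], False
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()      # strip trailing comments
        if line.startswith("require ("):
            in_block = True
            continue
        if in_block and line == ")":
            in_block = False
            continue
        if line.startswith("require "):
            line = line[len("require "):]
        elif not in_block:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        path, ver = parts[0], parse_version(parts[1])
        if path.startswith("k8s.io/") and ver and ver < MIN_K8S:
            findings.append(f"{path} {parts[1]}: below v{'.'.join(map(str, MIN_K8S))}")
    return findings


if __name__ == "__main__":
    for finding in check_dockerfile(DOCKERFILE) + check_go_mod(GO_MOD):
        print("FINDING:", finding)
```

The Go check reads the builder image tag rather than the `go 1.16` directive in go.mod, because that directive is the language version the module targets, not the toolchain that actually compiles the binary; the comment's fix is about the toolchain. Digest-pinned references are skipped since a digest is already immutable.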
