Posted to dev@pulsar.apache.org by GitBox <gi...@apache.org> on 2022/10/13 14:28:18 UTC

[GitHub] [pulsar-helm-chart] hpvd opened a new issue, #294: helm chart is outdated and includes images with 992 vulnerabilities

hpvd opened a new issue, #294:
URL: https://github.com/apache/pulsar-helm-chart/issues/294

   **Describe the bug**
   helm chart is outdated and includes images with 992 vulnerabilities
   
   In detail:
   - there are dependencies with well known security issues (with official CVE numbers)
   - there is a pretty huge number of known and documented vulnerabilities: 992
   - including important ones (critical, high rating)
   - not only in the accompanying software in helm (prometheus, grafana) but in core directly (pulsar)
   - some were known for 9 years (CVE numbers from 2013)
   - there are possible fixes for most of them (for 623)
   
   see source https://artifacthub.io/packages/helm/apache/pulsar?modal=security-report
   
   Of course, this is only a first rough impression given by this analysis.
   And the chart does not contain the very latest version of pulsar (even though it's the latest official helm chart).
   When looking into every detail of the reported numbers, you can of course argue why not every counted vulnerability is a disaster...
   
   => But how can you easily argue to anyone having seen this fast result
   
   > In general, this software (pulsar) is secure, you can use it without any concerns.
   
   ?
   
   This issue is a shortened copy from
   https://github.com/apache/pulsar/issues/18041
   for more details and comments, please see there.
   
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscribe@pulsar.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


[GitHub] [pulsar-helm-chart] hpvd commented on issue #294: [security] helm chart is outdated and includes images with 992 vulnerabilities

Posted by GitBox <gi...@apache.org>.
hpvd commented on issue #294:
URL: https://github.com/apache/pulsar-helm-chart/issues/294#issuecomment-1277823285

   It would be very interesting to see how an updated helm chart with the latest pulsar image performs in the same scan.
   => is the update already the big part of the solution?




[GitHub] [pulsar-helm-chart] hpvd commented on issue #294: helm chart is outdated and includes images with 992 vulnerabilities

Posted by GitBox <gi...@apache.org>.
hpvd commented on issue #294:
URL: https://github.com/apache/pulsar-helm-chart/issues/294#issuecomment-1277706083

   overview from link above:
   ![2022-10-13_14h16_24](https://user-images.githubusercontent.com/5681880/195624955-095c6fc8-062b-4149-b5bf-c2cfb7a54f2e.png)
   




[GitHub] [pulsar-helm-chart] michaeljmarshall commented on issue #294: [security] helm chart is outdated and includes images with 992 vulnerabilities (623 fixable)

Posted by GitBox <gi...@apache.org>.
michaeljmarshall commented on issue #294:
URL: https://github.com/apache/pulsar-helm-chart/issues/294#issuecomment-1278202119

   @hpvd - thank you for creating this issue. I am going to look into how we can get these issues resolved.




[GitHub] [pulsar-helm-chart] hpvd commented on issue #294: [security] helm chart is outdated and includes images with 992 vulnerabilities (623 fixable)

Posted by GitBox <gi...@apache.org>.
hpvd commented on issue #294:
URL: https://github.com/apache/pulsar-helm-chart/issues/294#issuecomment-1278684995

   @michaeljmarshall many thanks for starting to look into it that fast,
   and especially for your proposal to make a general approach that sets the ground to finally solve this (https://github.com/apache/pulsar-helm-chart/pull/299)!




[GitHub] [pulsar-helm-chart] hpvd commented on issue #294: [security] helm chart is outdated and includes images with 992 vulnerabilities (623 fixable)

Posted by GitBox <gi...@apache.org>.
hpvd commented on issue #294:
URL: https://github.com/apache/pulsar-helm-chart/issues/294#issuecomment-1303779236

   follow-up issue: https://github.com/apache/pulsar-helm-chart/issues/334




[GitHub] [pulsar-helm-chart] hpvd commented on issue #294: [security] helm chart is outdated and includes images with 992 vulnerabilities (623 fixable)

Posted by GitBox <gi...@apache.org>.
hpvd commented on issue #294:
URL: https://github.com/apache/pulsar-helm-chart/issues/294#issuecomment-1303176871

   wow, just saw the latest release 3.0.0!
   What great progress :-)
   
   just did the same quick security check-up again:
   
   Latest security analysis shows
   - a stunning step in reducing the number of included vulnerabilities (minus 85%!)
     - v2.9.4 with pulsar 2.9.3 **1024 vulnerabilities (698 fixable) have been detected in this package's images.**
   https://artifacthub.io/packages/helm/apache/pulsar/2.9.4?modal=security-report
     - v3.0.0 with pulsar 2.10.2 **136 vulnerabilities (79 fixable) have been detected in this package's images.**
   https://artifacthub.io/packages/helm/apache/pulsar?modal=security-report
   - on the other hand
     - the number of fixable vulnerabilities with a severity of CRITICAL has risen from 1 to 4 (plus 300%!)
    
   ![2022-11-04_10h05_52](https://user-images.githubusercontent.com/5681880/199936712-593036aa-b445-4c6a-990a-4951e5487c28.png)
   
   ![2022-11-04_10h07_06](https://user-images.githubusercontent.com/5681880/199936741-a8f2139b-f055-4f2a-b74d-fbdaa59bf909.png)
   
     - very old fixable and already reported vulnerabilities (up to 9 years old) are still included:
      
   ![2022-11-04_09h21_54](https://user-images.githubusercontent.com/5681880/199937604-17826ab6-0d4d-469d-a1cd-7df6019138bb.png)
   
   edit: just opened a separate issue for this: https://github.com/apache/pulsar/issues/18338




[GitHub] [pulsar-helm-chart] hpvd commented on issue #294: helm chart is outdated and includes images with 992 vulnerabilities

Posted by GitBox <gi...@apache.org>.
hpvd commented on issue #294:
URL: https://github.com/apache/pulsar-helm-chart/issues/294#issuecomment-1277706656

   more details:
   ![2022-10-13_14h18_45](https://user-images.githubusercontent.com/5681880/195625079-11db1b5d-b0f3-436b-ae2d-4ee89a5a548c.png)
   




[GitHub] [pulsar-helm-chart] michaeljmarshall commented on issue #294: [security] helm chart is outdated and includes images with 992 vulnerabilities (623 fixable)

Posted by GitBox <gi...@apache.org>.
michaeljmarshall commented on issue #294:
URL: https://github.com/apache/pulsar-helm-chart/issues/294#issuecomment-1304200010

   Since we have a follow up issue, can we close this one @hpvd?




[GitHub] [pulsar-helm-chart] hpvd commented on issue #294: [security] helm chart is outdated and includes images with 992 vulnerabilities (623 fixable)

Posted by GitBox <gi...@apache.org>.
hpvd commented on issue #294:
URL: https://github.com/apache/pulsar-helm-chart/issues/294#issuecomment-1278686184

   just as background info, the security scanner used by artifacthub, providing the results shown above,
   is trivy, **so all the findings should be pretty valid**.
   
   For details, see:
   https://artifacthub.io/docs/topics/security_report/
   
   and trivy
   https://github.com/aquasecurity/trivy




[GitHub] [pulsar-helm-chart] michaeljmarshall commented on issue #294: [security] helm chart is outdated and includes images with 992 vulnerabilities (623 fixable)

Posted by GitBox <gi...@apache.org>.
michaeljmarshall commented on issue #294:
URL: https://github.com/apache/pulsar-helm-chart/issues/294#issuecomment-1283321087

   We could definitely investigate using that tool. For now, I am focused on getting the relevant dependencies upgraded and fixing the release process.




[GitHub] [pulsar-helm-chart] michaeljmarshall closed issue #294: [security] helm chart is outdated and includes images with 992 vulnerabilities (623 fixable)

Posted by GitBox <gi...@apache.org>.
michaeljmarshall closed issue #294: [security] helm chart is outdated and includes images with 992 vulnerabilities (623 fixable)
URL: https://github.com/apache/pulsar-helm-chart/issues/294




[GitHub] [pulsar-helm-chart] michaeljmarshall commented on issue #294: [security] helm chart is outdated and includes images with 992 vulnerabilities (623 fixable)

Posted by GitBox <gi...@apache.org>.
michaeljmarshall commented on issue #294:
URL: https://github.com/apache/pulsar-helm-chart/issues/294#issuecomment-1281610262

   Thank you for raising this issue @hpvd, and thank you for the extra context. It is very important to get the helm chart into a better place. Part of the reform is updating the release process, which I started here #301. This will take some extra time in the beginning, but should lead to easier releases in the future.




[GitHub] [pulsar-helm-chart] hpvd commented on issue #294: [security] helm chart is outdated and includes images with 992 vulnerabilities (623 fixable)

Posted by GitBox <gi...@apache.org>.
hpvd commented on issue #294:
URL: https://github.com/apache/pulsar-helm-chart/issues/294#issuecomment-1304204394

   @michaeljmarshall 
   Yes, I think that's a good move!




[GitHub] [pulsar-helm-chart] hpvd commented on issue #294: [security] helm chart is outdated and includes images with 992 vulnerabilities (623 fixable)

Posted by GitBox <gi...@apache.org>.
hpvd commented on issue #294:
URL: https://github.com/apache/pulsar-helm-chart/issues/294#issuecomment-1281970970

   @michaeljmarshall 
   
   there is also an easy-to-use **github action for scanning with trivy**
   - the complete repository,
   - pull requests,
   - docker containers
   - IaC
   - etc.
   
   => Maybe it is interesting to integrate this directly into the CI pipeline...
   See the Readme of https://github.com/aquasecurity/trivy-action


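As an added example (not code from the issue thread or from the pulsar-helm-chart project), the following POSIX shell script reproduces the kind of image-level trivy scan that the ArtifactHub report above is built on and turns it into the CI gate the trivy-action suggestion is about: it renders a chart, collects the images it would deploy, and fails when a fixable CRITICAL or HIGH finding remains. It assumes `helm` and `trivy` are installed; the release name, chart path and the sample image references are hypothetical.

```shell
#!/bin/sh
# Added example, not from the issue thread or the pulsar-helm-chart project.
# Renders a Helm chart, collects the container images it would deploy, and runs
# trivy against each one the way ArtifactHub's security report does, failing the
# run when a fixable CRITICAL or HIGH vulnerability is found (a CI gate).
# Assumes `helm` and `trivy` are on PATH; release name and chart path are hypothetical.
set -eu

# list_images: read rendered Kubernetes manifests on stdin and print each unique
# image reference once. Handles "image: x" and "- image: x", quoted or unquoted.
list_images() {
    awk '/^[[:space:]]*-?[[:space:]]*image:[[:space:]]/ {
            v = $NF
            gsub(/["'\'']/, "", v)   # strip surrounding quotes
            print v
         }' | sort -u
}

# scan_image: scan one image with trivy. --ignore-unfixed keeps only findings that
# have an upstream fix (the "fixable" number in the report); --exit-code 1 makes the
# scan fail when any CRITICAL/HIGH finding remains, so a pipeline step stops here.
scan_image() {
    trivy image --severity CRITICAL,HIGH --ignore-unfixed --exit-code 1 "$1"
}

# scan_chart: render the chart at $1 (a path or repo/chart) and scan every image
# it references. The release name "scan" is only used for templating.
scan_chart() {
    helm template scan "$1" | list_images | while read -r img; do
        echo "== scanning $img"
        scan_image "$img"
    done
}
```

Run it as `scan_chart ./charts/pulsar` (or `scan_chart apache/pulsar` after adding the chart repo); drop `--ignore-unfixed` to see the full count including findings that have no fix yet.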