Vulnerabilities reported by Mend in 1.27.6

[andrewdinunzio]

Mend reports the vulnerabilities listed below:

python-Python-3.12.5:

• CVE-2024-7592
• CVE-2024-6232
• CVE-2024-8088

pip-24.2-py3-none-any.whl

• CVE-2018-20225

When I run the image locally, it does appear that the venv uses Python 3.12.5:

$ docker run -it --entrypoint sh quay.io/kiwigrid/k8s-sidecar:1.27.6
/app $ source .venv/bin/activate
(.venv) /app $ python --version
Python 3.12.5

However, I manually ran the base image (python:alpine3.20) and ran the steps in the Dockerfile manually, and that resulted in the Python venv using version 3.12.6, which I believe has fixes for at least some of these.

[ChristianGeie]

thx for the report. i just rescan the current image using docker run --platform linux/amd64 --rm -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy:latest image --format table --no-progress --exit-code 0 --offline-scan --timeout 15m kiwigrid/k8s-sidecar:1.27.6 an i can only see CVE-2024-6119, CVE-2024-45490, CVE-2024-45491, CVE-2024-45492 and CVE-2024-6119. These issues seems to be already fixed upstream. So i will trigger a new minor build

[vvxxvvxx]

Hi @ChristianGeie, may I know if CVE-2024-45492 has been fixed in kiwigrid/k8s-sidecar:1.28.0?

[ChristianGeie]

@vvxxvvxx CVE-2024-45492 should be fixed in k8s-sidecar:1.28.0

[vvxxvvxx]

Hi @ChristianGeie , we can see the CVE-2024-45490, CVE-2024-45491 and CVE-2024-45492 vulnerabilities are still in k8s-sidecar:1.28.0. do you have any plan to fix them?

[vvxxvvxx]

opened an issue #370