v2.2.0-eks-1-18-5 has 1 High + 15 others vulnerabilities

[gonzalobarbitta]

Good afternoon,

I pulled and pushed v2.2.0-eks-1-18-5 into an ECR repository in my personal account, and I noticed it has 1 High + 15 others vulnerabilities. I see this also happens for v2.2.0-eks-1-20-1.

Some of these vulnerabilities are:

• ALAS2-2021-1655 (High)
• ALAS2-2021-1653 (Medium)
• ALAS2-2021-1656 (Medium)

Would it be possible to release a new image anytime soon that addresses these vulnerabilities? Would you like me to take a look at this myself and submit a PR?

Thanks!

[msau42]

Here is the base image we use: https://github.com/kubernetes-csi/livenessprobe/blob/master/Dockerfile#L15

Can you try pulling the 2.3.0 tag from k8s.gcr.io/sig-storage/livenessprobe to see if it still shows up in your scan? You can also try our canary image at gcr.io/k8s-staging-sig-storage/livenessprobe:canary. If those are still showing issues, then we need to ask https://github.com/GoogleContainerTools/distroless to update to get the fix.

[gonzalobarbitta]

Thanks @msau42 for the prompt response.

I can confirm k8s.gcr.io/sig-storage/livenessprobe:v2.3.0 does not present any vulnerability (nor does v2.2.0).
I now realize I may have reported this in the wrong place. I see these vulnerabilities in Amazon's distribution for EKS: https://gallery.ecr.aws/eks-distro/kubernetes-csi/livenessprobe

I assumed this was somehow using v.2.2.0 as the base image and vulnerability may be coming from there, but I guess I was wrong. Sorry for the confusion. Please feel free to close this.

[msau42]

Thanks for confirming!

/close

[k8s-ci-robot]

@msau42: Closing this issue.

In response to this:

Thanks for confirming!

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.