Addressing Container CVEs
Our container image repositories include a GitHub Actions workflow that scans for Common Vulnerabilities and Exposures (CVEs). This workflow runs when a pull request is created, and also on a schedule. It only identifies CVEs classified as HIGH
or CRITICAL
for which a fix is available.
The two options for addressing an identified vulnerability are to fix it or skip it. The decision depends on the origin of the CVE, which could be the operating system, a system package, a library or a third party binary.
Our priority should be to fix it, and we should only skip it when we cannot fix it.
An example of something we could skip is when using the latest available binary from a third party. At the time of writing this documentation, the latest version of Cloud Platform’s CLI (1.40.1) which we bundle in Analytical Platform Cloud Development Environment Base has the following CVEs.
usr/local/bin/cloud-platform (gobinary)
=======================================
Total: 2 (HIGH: 1, CRITICAL: 1)
┌─────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├─────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────┤
│ golang.org/x/crypto │ CVE-2024-45337 │ CRITICAL │ fixed │ v0.19.0 │ 0.31.0 │ golang.org/x/crypto/ssh: Misuse of │
│ │ │ │ │ │ │ ServerConfig.PublicKeyCallback may cause authorization │
│ │ │ │ │ │ │ bypass in golang.org/x/crypto │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-45337 │
├─────────────────────┼────────────────┼──────────┤ ├───────────────────┼───────────────┼────────────────────────────────────────────────────────┤
│ golang.org/x/net │ CVE-2024-45338 │ HIGH │ │ v0.21.0 │ 0.33.0 │ golang.org/x/net/html: Non-linear parsing of │
│ │ │ │ │ │ │ case-insensitive content in golang.org/x/net/html │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2024-45338 │
└─────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────┘