Configbump update #23378
Assignees
Labels
area/gateway
severity/P1
Has a major impact to usage or development of the system.
team/A
This team is responsible for the Che Operator and all its operands as well as chectl and Hosted Che
Comments
che-bot
added
the
status/need-triage
|
@SDawley could you please take a look? |
ibuziuk
added
the
severity/P1
akurinnoy
added
team/A
|
Just wanted to update: the scans we run on downstream Configbump didn't pick up that many CVEs, but there was 1 Critical, 2 High and 1 Medium CVE that were all addressed by updating the base image. Ultimately there are too many different scanners for us to realistically address every report, but I agree that it would be in everyone's best interests to update Configbump more often. We're currently looking into better ways to keep our dependencies and base images updated so there are fewer discrepancies between upstream and downstream. I'll comment again when we decide on a solution. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Running trivy image for the configbump:v7.99.0 it comes out that we have 42 vulnerabilities (4 Critical, 17 High and 21 Medium)
The majority of these are because you use old versions of go modules.
A suggestion can be running
go get -u=patch ./...to update modules without breaking changes to the latest version and building a new version of the image.
Doing so, the vulnerabilities will be consistently reduced to only 5 vulns.
Is it possible to have this type of patch?
The text was updated successfully, but these errors were encountered: