
security: Track Possible Image Vulnerabilities #568

Open
scbizu opened this issue Mar 24, 2022 · 15 comments
Labels
dependencies Pull requests that update a dependency file

Comments

@scbizu
Contributor

scbizu commented Mar 24, 2022

This will be a long-running issue tracking possible image vulnerabilities or CVEs reported by the community or by our dependabot.

scbizu added the dependencies label Mar 24, 2022
@scbizu
Contributor Author

scbizu commented Mar 24, 2022

helm/helm#10717 tracks the containerd "containerd CRI plugin: Insecure handling of image volumes" issue; we will upgrade CM after helm upgrades this dependency.

@scbizu scbizu pinned this issue Mar 24, 2022
@slachiewicz

Artifacthub.io shows issues with the base image (busybox) and a few of our deps (etcd, containerd, docker):
https://artifacthub.io/packages/helm/chartmuseum/chartmuseum

@Kiran-38

Hi @scbizu, any update on the security vulnerability reported in #607, please?

@scbizu
Contributor Author

scbizu commented Sep 11, 2022

@Kiran-38 Thank you for the report. The storage PR will deprecate the old etcd dependency :) chartmuseum/storage#649

@Kiran-38

@scbizu Thank you for the response. Can we have a date for the etcd fix, or will this fix be in version 0.15.0 or later? Please let us know.

@Kiran-38

Hi,
The chartMuseum binary contains the helm.sh/helm/v3 v3.9.3 library, which is flagged as a security risk and needs to be updated to the latest version, 3.9.4 or later, to resolve the issue.

I see there is already a branch created by dependabot to fix this; can you merge it into the main branch so that I can use it?

@Kiran-38

@scbizu Thank you for the quick fix. It means a lot. Keep up the great work.

@Kiran-38

Kiran-38 commented Mar 5, 2023

Hi @scbizu, there are a few vulnerabilities found in building chartmuseum. Please find the list below.

github.com/containerd/containerd-v1.6.3
helm.sh/helm/v3-v3.9.0
golang.org/x/net-v0.0.0-20220531201128-c960675eff93
github.com/emicklei/go-restful-v2.9.5+incompatible
golang.org/x/text-v0.3.7
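The two reports above (the helm.sh/helm/v3 v3.9.3 library embedded in the chartmuseum binary, fixed in 3.9.4 or later, and the module list just posted) are the kind of check a defender can automate against the binary itself: Go binaries embed their module list, and `debug/buildinfo` reads it without running the program. The following is an added example, not code from chartmuseum or its maintainers; the `MinFixed` policy map, the `Module` type and the `modcheck` name are constructed here, and only the helm floor is taken from this thread.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// Module is one dependency as recorded in a Go binary's build info.
type Module struct{ Path, Version string }

// MinFixed is a constructed policy: module path -> first version no longer flagged.
// Only helm comes from the thread (v3.9.3 flagged, v3.9.4+ fixes); others are omitted, not guessed.
var MinFixed = map[string]string{"helm.sh/helm/v3": "v3.9.4"}

// Key maps "vMAJOR.MINOR.PATCH[-pre][+incompatible]" to a string that sorts in
// semver order. "+incompatible" is dropped; a "-" suffix (pre-release, or a
// pseudo-version such as v0.0.0-20220531201128-c960675eff93) yields "false",
// which sorts before the "true" of a plain release with the same numbers.
func Key(v string) string {
	v = strings.SplitN(strings.TrimPrefix(v, "v"), "+", 2)[0]
	parts := strings.SplitN(v, "-", 2)
	var n [3]int
	for i, p := range strings.SplitN(parts[0], ".", 3) {
		n[i], _ = strconv.Atoi(p)
	}
	return fmt.Sprintf("%06d.%06d.%06d.%t", n[0], n[1], n[2], len(parts) == 1)
}

// Outdated returns the modules whose version sorts below the policy's floor for that path.
func Outdated(mods []Module, policy map[string]string) (out []Module) {
	for _, m := range mods {
		if floor, ok := policy[m.Path]; ok && Key(m.Version) < Key(floor) {
			out = append(out, m)
		}
	}
	return out
}

// main checks the module list embedded in the Go binary named as argv[1]
// (or in this program itself when no argument is given).
func main() {
	bi, err := buildinfo.ReadFile(os.Args[len(os.Args)-1])
	if err != nil {
		panic(err)
	}
	var mods []Module
	for _, d := range bi.Deps {
		mods = append(mods, Module{d.Path, d.Version})
	}
	fmt.Println(Outdated(mods, MinFixed))
}
```

Run it as `go run . /path/to/chartmuseum` to see which embedded modules sit below the policy floor; `go version -m` on the same binary shows the raw list the check is made against.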

@scbizu
Contributor Author

scbizu commented Mar 6, 2023

@Kiran-38 OK, I will check it.

@Kiran-38

Kiran-38 commented Mar 9, 2023

Thanks for the quick fix. I just wanted to know whether any release is planned with this fix, as the fix is still only in the main branch, or whether there is a tentative release date.

@Kiran-38

@cbuto @jdolitsky Can you please include all the current vulnerability fixes in a new release? As it has been a while, if a new release is planned can you please give a date? That would help users like us a lot.

@scbizu
Contributor Author

scbizu commented Dec 31, 2023

#737

@macox

macox commented Apr 24, 2024

@cbuto @jdolitsky apologies for the tag, do we know when a new release is planned?
It would be great if we could have any open dependabot PRs containing vulnerability fixes included.

@scbizu
Contributor Author

scbizu commented Apr 28, 2024

@macox Hi, we already opened the automated dependabot PRs, and if you want a new release with these PRs you can try our canary tag. Thank you for your advice, but we do not plan to cut a new release tag for every vulnerability fix.

@macox

macox commented Apr 28, 2024

Thanks for your reply @scbizu, sorry I didn’t mean a release for every vulnerability. I was just wondering if a release was planned and if current open dependabot PRs could be merged and included in it.
