Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Report the use of components with vulnerabilities in cilium #32433

Open
3 tasks done
HouqiyuA opened this issue May 9, 2024 · 1 comment
Open
3 tasks done

Report the use of components with vulnerabilities in cilium #32433

HouqiyuA opened this issue May 9, 2024 · 1 comment
Labels
kind/bug This is a bug in the Cilium logic. kind/community-report This was reported by a user in the Cilium community, eg via Slack. need-more-info More information is required to further debug or fix the issue. needs/triage This issue requires triaging to establish severity and next steps.

Comments

@HouqiyuA
Copy link

HouqiyuA commented May 9, 2024

Is there an existing issue for this?

  • I have searched the existing issues

What happened?

Dear Team Members:
Greetings! Our team is very interested in your project. we performed source code perspective security analysis (SCA) and vulnerability library association analysis on this project and found that components with vulnerabilities are still being used into this project.We would like to report this issue to you,so that you can fix and improve it accordingly. I add the details in json file below. Please confirm whether this problem really exists and confirm with us. Looking forward to hearing from you and discussing more details with us, thank you very much for your time and attention.

Note: Each "affect_components" field in the report represents the vulnerable component introduced by this project. The other is the vulnerability information associated with it.

Qiyu Hou

cilium-main_report.json

Cilium Version

v1.15.4

Kernel Version

None

Kubernetes Version

None

Regression

None

Sysdump

None

Relevant log output

No response

Anything else?

No response

Cilium Users Document

  • Are you a user of Cilium? Please add yourself to the Users doc

Code of Conduct

  • I agree to follow this project's Code of Conduct
@HouqiyuA HouqiyuA added kind/bug This is a bug in the Cilium logic. kind/community-report This was reported by a user in the Cilium community, eg via Slack. needs/triage This issue requires triaging to establish severity and next steps. labels May 9, 2024
@squeed
Copy link
Contributor

squeed commented May 14, 2024

Cilium regularly runs an extensive suite of security scanners, including gosec linting. We use Mend Renovate to ensure our dependencies are up-to-date. These tasks are semi-automated, so there may be a window between CVE release and the periodic dependency updates. Rest assured, it will be taken care of before the next release.

Looking at the list you provided, I see a few library bumps that will be collected before the next v1.15 release, and none of these are particularly critical. Is there a specific vulnerability about which you are concerned?

If you have an additional security scanner you would like to integrate, please look to see if there is overlap with the tooling already in place. If you believe it can provide additional value without false-positives, then let's discuss how it can be integrated with our CI.

@squeed squeed added the need-more-info More information is required to further debug or fix the issue. label May 15, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/bug This is a bug in the Cilium logic. kind/community-report This was reported by a user in the Cilium community, eg via Slack. need-more-info More information is required to further debug or fix the issue. needs/triage This issue requires triaging to establish severity and next steps.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@squeed @HouqiyuA