need to fix operator security vulnerabilities

[tpiperatgod]

The function-mesh-operator has some security vulnerabilities, and we need to fix them, refer to:

https://artifacthub.io/packages/helm/function-mesh/function-mesh-operator?modal=security-report

• CVE-2021-36159. We can fix this by upgrading the operator's base image from alpine 3.10 to alpine 3.12+ (maybe alpine 3.14 would be more appropriate?)
• CVE-2022-27191. Fix the CVE as advised.
• CVE-2020-8565. Fix the CVE as advised.
• CVE-2021-38561. Fix the CVE as advised.
• CVE-2020-9283 fix by [CVE-2020-9283 / CVE-2022-28948] resolve vulnerabilities #478

[hpvd]

Following link provided above,
today in v0.4:
10 vulnerabilities have been detected in this package's images.

[freeznet]

https://catalog.redhat.com/software/containers/streamnative/function-mesh/62d06b34df1077330aa2619d?container-tabs=security

[hpvd]

in link above to redhat, the redhat security score of A unfortunately has no real meaningfulness for the total security:

This image includes layers and packages that cannot be scanned or compared to public vulnerability information.

The Container Health Index analysis is based on RPM packages signed and created by Red Hat, and does not grade other software that may be included in a container image.

[hpvd]

of course its hard to fix all of them...

what do you think of adapting the distroless approach to get rid of software in containers that contains security problems but is actually not needed anyway?

[hpvd]

just opened a new issue with some background and sources on the distroless approach:
#448

[hpvd]

today in v0.6:
with https://artifacthub.io/packages/helm/function-mesh/function-mesh-operator?modal=security-report

13 vulnerabilities have been detected in this package's images.

[hpvd]

just an update on freshly release v0.7:
14 vulnerabilities (14 fixable) have been detected in this package's images.

source: https://artifacthub.io/packages/helm/function-mesh/function-mesh-operator?modal=security-report

[hpvd]

some more details:

[hpvd]

As background info, the security scanner used by artifacthub, providing results shown above
is trivy, so all the finding should be pretty valid.

For details, see:
https://artifacthub.io/docs/topics/security_report/

and trivy
https://github.com/aquasecurity/trivy

[hpvd]

there is also an easy to use github action for scanning with trivy

• the complete repository,
• pull requests,
• docker container
• IaC
• etc.

=> Maybe, this is interesting to integrate this directly into the CI pipeline...
See Readme of https://github.com/aquasecurity/trivy-action

[hpvd]

Extract:

these 5 updates to the latest versions should solve all found 14 vulnerabilities:

• https://github.com/prometheus/client_golang/releases
• https://github.com/kubernetes/client-go/tags
• https://pkg.go.dev/golang.org/x/text?tab=versions
• https://pkg.go.dev/golang.org/x/crypto?tab=versions
• https://pkg.go.dev/golang.org/x/net?tab=versions

[hpvd]

fyi - a CRITICAL vulnerability was newly introduced with the release v0.8
by using an old version of https://github.com/emicklei/go-restful/tags
2.9.5 from May 16, 2019
latest would be v2.16.0 or even 3.10.0

Some others were nicely cleaned up by updating dependencies!

in summary, this leads to a security rating of F (where A is the best)

for details

https://artifacthub.io/packages/helm/function-mesh/function-mesh-operator?modal=security-report

[jiangpengcheng]

hm, that looks bad, I will add workflow to scan the vulnerabilities

[hpvd]

for further thoughts on this topic see #527 (comment)

[hpvd]

looks like they may be introduce by metrics server which has an open issue for this
kubernetes-sigs/metrics-server#1096

or by kube metrics, where a new version was just released (v2.7)
https://github.com/kubernetes/kube-state-metrics/releases
(current rating: A - No vulnerabilities found)

[jiangpengcheng]

closing as resolved

[hpvd]

perfectly solved:

security rating: A
see

https://artifacthub.io/packages/helm/function-mesh/function-mesh-operator?modal=security-report