Vulnerabilities listed on quay.io about kured HOT 5 CLOSED

I've just released a 1.1.0 build of kured, based on Alpine, which passes the security scan.

from kured.

Hi @amandadebler - thanks for the report!

I suspect, although it is hard to be entirely certain, that it's not going to be possible to exploit those vulnerabilities - the actual kured binary is a statically compiled Go program, and it's only built on top of a Ubuntu image for access to the systemctl restart command. Unfortunately this has the side effect of including a whole swathe of vulnerable packages and libraries in the container image, but they're not linked into the kured binary or executing inside the container at runtime.

Nevertheless, I will release an image built on the latest Ubuntu to see if that clears some of them up. In the medium term, I plan to change kured so it enters the host mount namespace and uses systemctl from there, which will mean I can derive the Docker image FROM: scratch and these issues will go away entirely.

Might some of these vulnerabilities be helped by using newer versions of the dependencies listed in https://github.com/weaveworks/kured/blob/master/Gopkg.toml

As far as I am aware, coreos/clair (the vulnerability scanner used by quay.io) works by cross referencing version information from the distro package management system, so unfortunately those Go source dependencies are effectively invisible to it - they're compiled directly into the kured binary and that version information is discarded (please correct me if I'm wrong - I'm not super familiar with it!). I will however update those dependencies anyway when I do the next release.

from kured.

Also interesting quay/clair#534

from kured.

I just pushed a build based on ubuntu:16.04 with hash 4a689991aa24 (six days old according to docker) - here are the results:

https://quay.io/repository/weaveworks/kured/manifest/sha256:367cfdae38712fef23eef7bd278b5238fd612a4bb173712d993d8adbb77e7eff?tab=vulnerabilities

Pretty much identical to the month old master build AFAICT. I'm not really sure what to make of that, I would expect an official Ubuntu LTS image to contain patches for all those CVEs...

from kured.

Turns out I could have saved myself some trouble - if you follow the link you posted and then select the third tab down on the left you'll see a screen like this:

from kured.