Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Nginx-ingress-controller 1.6.4 is flagged as critical vulnerable image #9748

Closed
abdulhubbali opened this issue Mar 16, 2023 · 9 comments
Closed

Nginx-ingress-controller 1.6.4 is flagged as critical vulnerable image #9748

abdulhubbali opened this issue Mar 16, 2023 · 9 comments
Assignees
@strongjz @rikatz
Labels
kind/feature Categorizes issue or PR as related to a new feature. needs-priority triage/accepted Indicates an issue or PR is ready to be actively worked on.

Comments

@abdulhubbali
Copy link

abdulhubbali commented Mar 16, 2023
edited
Loading

What scanner and version reported the CVE?
Internal Tool

What CVE was reported in the scanner findings?
GO (Go) Security Update for golang.org/x/net (GHSA-vvpx-j8f3-3w6h)

What versions of the controller did you test with?
Nginx-ingress-controller 1.6.4

Please provider other details that will help us determine the severity of the issue
GO (Go) Security Update for golang.org/x/net (GHSA-vvpx-j8f3-3w6h)
GHSA-vvpx-j8f3-3w6h
@abdulhubbali abdulhubbali added the kind/bug Categorizes issue or PR as related to a bug. label Mar 16, 2023
@k8s-ci-robot k8s-ci-robot added needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority labels Mar 16, 2023
@longwuyuan
Copy link
Contributor

We are already on x/net v0.8

ingress-nginx/go.mod

Line 104 in 2324ad0

golang.org/x/net v0.8.0 // indirect

/remove-kind bug

We are updaring go to v1.20 in the next release of the controller

@k8s-ci-robot k8s-ci-robot added needs-kind Indicates a PR lacks a `kind/foo` label and requires one. and removed kind/bug Categorizes issue or PR as related to a bug. labels Mar 16, 2023
@strongjz
Copy link
Member

We're working on a new release to upgrade to golang 1.20 and alpine 3.17.2, there are several steps involved in that, and there are issues with the CI currently.

We have to first upgrade our build and testing image to golang 1.20, upgrade the nginx base container image and update the ingress-controller container go.mod; then, we can release an updated version.

#9743

#9747

kubernetes/k8s.io#4929

@strongjz strongjz moved this to In Progress in [SIG Network] Ingress NGINX Mar 16, 2023
@strongjz
Copy link
Member

/kind feature
/priority important-critical
/triage accepted

@k8s-ci-robot k8s-ci-robot added kind/feature Categorizes issue or PR as related to a new feature. triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-kind Indicates a PR lacks a `kind/foo` label and requires one. labels Mar 16, 2023
@k8s-ci-robot
Copy link
Contributor

@strongjz: The label(s) priority/important-critical cannot be applied, because the repository doesn't have them.

In response to this:

/kind feature
/priority important-critical
/triage accepted

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot removed the needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. label Mar 16, 2023
@abdulhubbali
Copy link
Author

abdulhubbali commented Mar 16, 2023
edited
Loading

I am consuming the contents directly from path ingress-nginx/charts/ingress-nginx (https://github.com/kubernetes/ingress-nginx/tree/main/charts/ingress-nginx) and the scans show golang.org/x/net v0.5.0 is detected. No Specific reference to go,mod file were made.

@strongjz
Copy link
Member

It will be updated in the next release. Please be patient https://github.com/kubernetes/ingress-nginx/blob/main/go.mod#L104

@abdulhubbali
Copy link
Author

Sure. Thanks for the update

@strongjz strongjz moved this from Todo to In Progress in [SIG Network] Ingress NGINX Mar 21, 2023
@strongjz
Copy link
Member

fixed in https://github.com/kubernetes/ingress-nginx/releases/tag/controller-v1.7.0

/close

@k8s-ci-robot
Copy link
Contributor

@strongjz: Closing this issue.

In response to this:

fixed in https://github.com/kubernetes/ingress-nginx/releases/tag/controller-v1.7.0

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@github-project-automation github-project-automation bot moved this from In Progress to Done in [SIG Network] Ingress NGINX Mar 24, 2023
@ryebridge ryebridge mentioned this issue Jan 31, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@strongjz strongjz

@rikatz rikatz

Labels
kind/feature Categorizes issue or PR as related to a new feature. needs-priority triage/accepted Indicates an issue or PR is ready to be actively worked on.
Projects
[SIG Network] Ingress NGINX
Archived in project
Milestone
No milestone
Development

No branches or pull requests
5 participants
@strongjz @longwuyuan @rikatz @k8s-ci-robot @abdulhubbali