Hi Alexis and Gabor,

Thanks for your valuable suggestions. We tried implementing as per the suggestion given, updating GOSU_VERSION to 1.17 and a few other changes from our end, and we see that all the JFrog Xray vulnerabilities are fixed. Thanks for your support and help.
Thanks,
Elakiya

On Mon, Jun 24, 2024 at 10:02 AM elakiya udhayanan <laks....@gmail.com> wrote:

> Hi Alexis and Gabor,
>
> Thanks for your valuable response and suggestions. Will try to work on the
> suggestions and get back to you if I require more details.
>
> Thanks,
> Elakiya
>
> On Sun, Jun 23, 2024 at 10:12 PM Gabor Somogyi <gabor.g.somo...@gmail.com> wrote:
>
>> Hi Elakiya,
>>
>> I've just double checked the story and it seems like the latest 1.17 gosu
>> release is not vulnerable.
>> Can you please try it out on your side? Alexis has written down how you
>> can bump the docker version locally:
>>
>> ---CUT-HERE---
>> ENV GOSU_VERSION 1.17
>> ---CUT-HERE---
>>
>> Please report back and we can discuss this further based on that...
>>
>> BR,
>> G
>>
>>
>> On Fri, Jun 21, 2024 at 7:16 PM elakiya udhayanan <laks....@gmail.com> wrote:
>>
>>> Hi Team,
>>>
>>> I would like to remind you about the request for help to fix the
>>> vulnerabilities seen in the Flink Docker image. Any help is appreciated.
>>>
>>> Thanks in advance.
>>>
>>> Thanks,
>>> Elakiya U
>>>
>>> On Tue, Jun 18, 2024 at 12:51 PM elakiya udhayanan <laks....@gmail.com> wrote:
>>>
>>>> Hi Community,
>>>>
>>>> In one of our applications we are using a Flink Docker image and running
>>>> Flink as a Kubernetes pod. As per policy, we tried scanning the Docker
>>>> image for security vulnerabilities using JFrog Xray and we find that there
>>>> are multiple critical vulnerabilities being reported, as seen in the below
>>>> table. This is the same case for the latest Flink version 1.19.0 as well.
>>>>
>>>> | Severity | Direct Package                | Impacted Package     | Impacted Package Version | Fixed Versions       | Type   | CVE            |
>>>> |----------|-------------------------------|----------------------|--------------------------|----------------------|--------|----------------|
>>>> | Critical | sha256__c6571bb0f39f334ef...  | github.com/golang/go | 1.11.1                   | [1.19.8, 1.20.3]     | Go     | CVE-2023-24538 |
>>>> | Critical | sha256__c6571bb0f39f334ef...  | github.com/golang/go | 1.11.1                   | [1.19.9, 1.20.4]     | Go     | CVE-2023-24540 |
>>>> | Critical | sha256__c6571bb0f39f334ef...  | github.com/golang/go | 1.11.1                   | [1.19.10, 1.20.5]    | Go     | CVE-2023-29404 |
>>>> | Critical | sha256__c6571bb0f39f334ef...  | github.com/golang/go | 1.11.1                   | [1.19.10, 1.20.5]    | Go     | CVE-2023-29405 |
>>>> | Critical | sha256__c6571bb0f39f334ef...  | github.com/golang/go | 1.11.1                   | [1.19.10, 1.20.5]    | Go     | CVE-2023-29402 |
>>>> | Critical | sha256__c6571bb0f39f334ef...  | github.com/golang/go | 1.11.1                   | [1.16.9, 1.17.2]     | Go     | CVE-2021-38297 |
>>>> | Critical | sha256__c6571bb0f39f334ef...  | github.com/golang/go | 1.11.1                   | [1.16.14, 1.17.7]    | Go     | CVE-2022-23806 |
>>>> | Critical | sha256__0690274ef266a9a2f...  | certifi              | 2020.6.20                | [2023.7.22]          | Python | CVE-2023-37920 |
>>>> | Critical | sha256__c6571bb0f39f334ef...  | github.com/golang/go | 1.11.1                   | [1.12.6, 1.13beta1]  | Go     | CVE-2019-11888 |
>>>> | Critical | sha256__c6571bb0f39f334ef...  | github.com/golang/go | 1.11.1                   | [1.11.13, 1.12.8]    | Go     | CVE-2019-14809 |
>>>>
>>>> These vulnerabilities are related to the github.com/golang/go and
>>>> certifi packages.
>>>>
>>>> Please help me address the below questions:
>>>> Is there any known workaround for these vulnerabilities while using the
>>>> affected Flink versions?
>>>> Is there an ETA for a fix for these vulnerabilities in upcoming Flink
>>>> releases?
>>>> Are there any specific steps recommended to mitigate these issues in
>>>> the meantime?
>>>> Any guidance or recommendations would be greatly appreciated.
>>>>
>>>> Thanks in advance
>>>>
>>>> Thanks,
>>>> Elakiya U
>>>>
>>>
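The Go findings in the thread are all attributed to one layer and one impacted package version (1.11.1), which is the Go toolchain baked into the static gosu binary rather than anything Flink itself ships; bumping GOSU_VERSION replaces that binary and so changes the embedded toolchain version. The script below is an added example, not code from the thread or from the Flink project, showing how to confirm the bump worked without waiting for another Xray scan: the Go toolchain records its own version in every binary it builds, and `go version -m <binary>` prints it on the first line as `<path>: goX.Y.Z`. The helper extracts that version and compares it against 1.20.5, the highest "Fixed Versions" entry in the table above. The two sample outputs are constructed for the example (the `go1.11.1` one mirrors the scanner's finding; the `go1.21.1` one is a hypothetical newer build, not a claim about what gosu 1.17 was built with), and the `/usr/local/bin/gosu` path is an assumption about where the image installs it.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread or the Flink project.
# Checks which Go toolchain a binary (e.g. gosu) was built with and whether
# that toolchain is at or above the highest fix version from the Xray table.

# Highest "Fixed Versions" entry in the scan table above (CVE-2023-2940x).
MIN_GO_VERSION="1.20.5"

# Read `go version -m <binary>` output on stdin and print the toolchain
# version, e.g. "1.11.1", taken from the first line ("<path>: go1.11.1").
go_toolchain_version() {
    sed -n '1s/^.*: go\([0-9][0-9.]*\).*$/\1/p'
}

# version_ge A B: succeed if dotted version A >= B (numeric per component).
version_ge() {
    lowest=$(printf '%s\n%s\n' "$2" "$1" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$2" ]
}

# Read `go version -m` output on stdin; succeed only if the embedded toolchain
# version is present and >= MIN_GO_VERSION.
go_build_is_patched() {
    v=$(go_toolchain_version)
    [ -n "$v" ] && version_ge "$v" "$MIN_GO_VERSION"
}

# Real-world entry point: needs a Go toolchain on the host running the check.
# Usage: check_binary /usr/local/bin/gosu   (path is an assumption)
check_binary() {
    if go version -m "$1" | go_build_is_patched; then
        echo "OK: $1 built with Go >= $MIN_GO_VERSION"
        return 0
    fi
    echo "FAIL: $1 built with Go < $MIN_GO_VERSION (or no build info)"
    return 1
}

# Constructed sample outputs for offline demonstration (not captured from a
# real image). The old one matches the scanner's "1.11.1" finding; the new
# one is hypothetical and does not describe any particular gosu release.
SAMPLE_OLD='/usr/local/bin/gosu: go1.11.1
	path	github.com/tianon/gosu'
SAMPLE_NEW='/usr/local/bin/gosu: go1.21.1
	path	github.com/tianon/gosu
	mod	github.com/tianon/gosu	(devel)'
```

To run it against a pulled image, copy the binary out first, for example with `docker cp <container>:/usr/local/bin/gosu ./gosu` and then `check_binary ./gosu`; the Go version string is only the toolchain check, so the certifi finding in the same table (a Python package in a different layer) still needs its own fix.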