snyk vuln scan findings

[derrick-roach]

Hello -

Is velero impacted by the following ubuntu base image vulnerabilities?

1. CVE-2024-6119 | Snyk | Ubuntu
2. CVE-2024-41996 | Snyk | Ubuntu
3. CVE-2016-20013 | Snyk | Ubuntu

If velero is vulnerable, how/when will it be addressed?

Thanks in advance

[kaovilai]

dupe of #8592

TL;DR: false positive. Do not use grype on buildpacks based images which velero is using.

Track grype fix at anchore/grype#520

[kaovilai]

This is my snyk result. There are only two low sev.

Per ubuntu https://ubuntu.com/security/CVE-2024-41996 do not apply to 22.04 used as base images in velero.
Per ubuntu https://ubuntu.com/security/CVE-2016-20013 for glibc 22.04 do not have a fix yet.

❯ snyk container test velero/velero:main 

Testing velero/velero:main...

✗ Low severity vulnerability found in openssl/libssl3
  Description: CVE-2024-41996
  Info: https://security.snyk.io/vuln/SNYK-UBUNTU2204-OPENSSL-7838287
  Introduced through: openssl/libssl3@3.0.2-0ubuntu1.18, ca-certificates@20240203~22.04.1, openssl@3.0.2-0ubuntu1.18
  From: openssl/libssl3@3.0.2-0ubuntu1.18
  From: ca-certificates@20240203~22.04.1 > openssl@3.0.2-0ubuntu1.18 > openssl/libssl3@3.0.2-0ubuntu1.18
  From: openssl@3.0.2-0ubuntu1.18
  and 1 more...

✗ Low severity vulnerability found in glibc/libc6
  Description: Allocation of Resources Without Limits or Throttling
  Info: https://security.snyk.io/vuln/SNYK-UBUNTU2204-GLIBC-2801292
  Introduced through: glibc/libc6@2.35-0ubuntu3.8, base-files@12ubuntu4.7, zlib/zlib1g@1:1.2.11.dfsg-2ubuntu9.2, ca-certificates@20240203~22.04.1
  From: glibc/libc6@2.35-0ubuntu3.8
  From: base-files@12ubuntu4.7 > glibc/libc6@2.35-0ubuntu3.8
  From: zlib/zlib1g@1:1.2.11.dfsg-2ubuntu9.2 > glibc/libc6@2.35-0ubuntu3.8
  and 2 more...



Organization:      kaovilai
Package manager:   deb
Project name:      docker-image|velero/velero
Docker image:      velero/velero:main
Platform:          linux/arm64
Licenses:          enabled

Tested 8 dependencies for known issues, found 2 issues.

Snyk wasn’t able to auto detect the base image, use `--file` option to get base image remediation advice.
Example: $ snyk container test velero/velero:main --file=path/to/Dockerfile

To remove this message in the future, please run `snyk config set disableSuggestions=true`

-------------------------------------------------------

Testing velero/velero:main...

Organization:      kaovilai
Package manager:   gomodules
Target file:       /usr/bin/restic
Project name:      github.com/restic/restic
Docker image:      velero/velero:main
Licenses:          enabled

✔ Tested 261 dependencies for known issues, no vulnerable paths found.

-------------------------------------------------------

Testing velero/velero:main...

Organization:      kaovilai
Package manager:   gomodules
Target file:       /velero
Project name:      github.com/vmware-tanzu/velero
Docker image:      velero/velero:main
Licenses:          enabled

✔ Tested 1037 dependencies for known issues, no vulnerable paths found.

-------------------------------------------------------

Testing velero/velero:main...

Organization:      kaovilai
Package manager:   gomodules
Target file:       /velero-helper
Project name:      github.com/vmware-tanzu/velero
Docker image:      velero/velero:main
Licenses:          enabled

✔ Tested velero/velero:main for known issues, no vulnerable paths found.

-------------------------------------------------------

Testing velero/velero:main...

Organization:      kaovilai
Package manager:   gomodules
Target file:       /velero-restore-helper
Project name:      github.com/vmware-tanzu/velero
Docker image:      velero/velero:main
Licenses:          enabled

✔ Tested velero/velero:main for known issues, no vulnerable paths found.


Tested 5 projects, 1 contained vulnerable paths.

There is nothing for velero to do to resolve these.

[derrick-roach]

Thanks @kaovilai

Does velero use the vulnerable libraries or functions in the identified vulnerabilities in the snyk results?

[kaovilai]

The container does contain those libs. Per above comment there's no actionable items at this time.

I cannot confirm if they're used or not.

[kaovilai]

Per Ubuntu they won't fix it

They labeled cve as negligible.

Technically a security problem, but only theoretical in nature, requires a very special situation, has almost no install base, or does no real damage. These typically will not receive security updates unless there is an easy fix and some other issue causes an update.

[derrick-roach]

Thanks again @kaovilai, I appreciate your response