
fix: nginx patched image with fixed CVE #2631

Closed
wants to merge 4 commits into from

Conversation

SandhyaRavi2403
Contributor

@SandhyaRavi2403 SandhyaRavi2403 commented Sep 12, 2024

What problem does this PR solve?:
Updates nginxinc/nginx-unprivileged from 1.25.5 to 1.27.1

arvinder.pal@GHH4XN27GC kommander-applications % trivy image nginxinc/nginx-unprivileged:1.27.1-alpine
2024-09-11T17:38:39+05:30 INFO [vuln] Vulnerability scanning is enabled
2024-09-11T17:38:39+05:30 INFO [secret] Secret scanning is enabled
2024-09-11T17:38:39+05:30 INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-09-11T17:38:39+05:30 INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.55/docs/scanner/secret#recommendation for faster secret detection
2024-09-11T17:38:42+05:30 INFO Detected OS family="alpine" version="3.20.3"
2024-09-11T17:38:42+05:30 INFO [alpine] Detecting vulnerabilities... os_version="3.20" repository="3.20" pkg_num=66
2024-09-11T17:38:42+05:30 INFO Number of language-specific files num=0

nginxinc/nginx-unprivileged:1.27.1-alpine (alpine 3.20.3)

Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

Which issue(s) does this PR fix?:
https://jira.nutanix.com/browse/NCN-102436

Does this PR introduce a user-facing change?:


Checklist

  • If the PR adds a version bump, ensure there is no breaking change in Licensing model (or NA).
  • If a chart is changed or app configuration is significantly changed, the chart version is correctly incremented (so that apps are not automatically upgraded from a previous version of DKP).

@github-actions github-actions bot added services/grafana-loki services/project-grafana-loki size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Sep 12, 2024
@mesosphere-ci mesosphere-ci added ok-to-test Signals mergebot that CI checks are ready to be kicked off do-not-merge/testing Do not merge because there is still on-going testing open-kommander-pr Automatically triggers the creation of a PR in Kommander repo update-licenses signals mergebot to update licenses.d2iq.yaml labels Sep 12, 2024

✅ Created Kommander branch to test kommander-applications changes: https://github.com/mesosphere/kommander/tree/kapps/main/cve-unprivileged-nginx

@coveralls

coveralls commented Sep 12, 2024

Pull Request Test Coverage Report for Build 10934363283

Details

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage remained the same at 51.515%

Totals Coverage Status
Change from base Build 10933166689: 0.0%
Covered Lines: 136
Relevant Lines: 264

💛 - Coveralls

@SandhyaRavi2403
Contributor Author

@mhrabovcin
For the nginx image, the changes required are in the configs below

  • ./services/grafana-loki/0.79.2/grafana-loki-helmrelease/grafana-loki.yaml

docker.io/grafana/loki:2.9.8
docker.io/nginxinc/nginx-unprivileged:1.27.1-alpine

but I could see the image available as part of git-operator as well

- image: ghcr.io/mesosphere/dkp-container-images/docker.io/nginxinc/nginx-unprivileged:1.25.5-alpine-d2iq.0

Do we have to make the changes in git-operator?
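The same image can be referenced from several places (the Helm release YAML and the git-operator image list, one of them through the ghcr.io mirror), so a scan that lists every reference to the image and flags the ones still on an older tag is a useful check before and after a bump like this one. The script below is an added example, not code from this repository or this PR. It assumes the mirror convention visible in the references above (the upstream path embedded after `/docker.io/` in the mirrored repository name), and the manifests it scans are constructed sample text, not the project's files.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Matches a YAML "image:" value, whether or not it is a list item ("- image: ...").
IMAGE_LINE = re.compile(r'^\s*(?:-\s*)?image:\s*["\']?([^\s"\']+)["\']?\s*$')
# Leading numeric version in a tag, e.g. "1.25.5-alpine-d2iq.0" -> (1, 25, 5).
VERSION_PREFIX = re.compile(r'^(\d+(?:\.\d+)*)')


class ImageRef(NamedTuple):
    source: str            # manifest the line came from
    line_no: int
    registry: str          # "docker.io" when the reference has no registry part
    repository: str        # path below the registry
    tag: Optional[str]     # None when the reference carries no tag


def parse_image(ref: str) -> Tuple[str, str, Optional[str]]:
    """Split 'registry/repo:tag' into its parts using the Docker reference rule:
    the first path component is a registry only if it contains '.' or ':' or is 'localhost'."""
    first, sep, rest = ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", ref
    # A tag is the text after the last ':' that comes after the last '/'.
    tag = None
    last_slash = path.rfind("/")
    colon = path.rfind(":")
    if colon > last_slash:
        path, tag = path[:colon], path[colon + 1:]
    return registry, path, tag


def upstream_repository(repository: str) -> str:
    """Assumption: the mirror embeds the upstream registry in its path
    ('.../docker.io/nginxinc/nginx-unprivileged'), so the upstream name follows that marker."""
    marker = "/docker.io/"
    idx = repository.find(marker)
    return repository[idx + len(marker):] if idx >= 0 else repository


def version_tuple(tag: Optional[str]) -> Optional[Tuple[int, ...]]:
    """Numeric prefix of a tag as a comparable tuple; None for untagged or non-numeric tags."""
    if tag is None:
        return None
    m = VERSION_PREFIX.match(tag)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def collect_images(manifests: Dict[str, str]) -> List[ImageRef]:
    """All image references found in the given manifests (name -> YAML text)."""
    refs = []
    for source, text in manifests.items():
        for n, line in enumerate(text.splitlines(), start=1):
            m = IMAGE_LINE.match(line)
            if m:
                registry, repo, tag = parse_image(m.group(1))
                refs.append(ImageRef(source, n, registry, repo, tag))
    return refs


def find_stale(manifests: Dict[str, str], upstream: str, fixed_version: str) -> List[ImageRef]:
    """References to `upstream` (direct or mirrored) whose tag is older than `fixed_version`,
    untagged, or not parseable as a version. Untagged/unparseable ones are reported too,
    because they cannot be shown to carry the fix."""
    fixed = version_tuple(fixed_version)
    stale = []
    for ref in collect_images(manifests):
        if upstream_repository(ref.repository) != upstream:
            continue
        v = version_tuple(ref.tag)
        if v is None or v < fixed:
            stale.append(ref)
    return stale


# Constructed sample manifests modelled on the references discussed in this PR.
SAMPLE_MANIFESTS = {
    "grafana-loki.yaml": (
        "containers:\n"
        "  - image: docker.io/grafana/loki:2.9.8\n"
        "  - image: docker.io/nginxinc/nginx-unprivileged:1.27.1-alpine\n"
    ),
    "git-operator.yaml": (
        "images:\n"
        "  - image: ghcr.io/mesosphere/dkp-container-images/docker.io/nginxinc/nginx-unprivileged:1.25.5-alpine-d2iq.0\n"
        "  - image: nginxinc/nginx-unprivileged\n"
    ),
}

if __name__ == "__main__":
    for ref in find_stale(SAMPLE_MANIFESTS, "nginxinc/nginx-unprivileged", "1.27.1"):
        print(f"{ref.source}:{ref.line_no} {ref.registry}/{ref.repository}:{ref.tag} still needs the bump")
```

Run against a real checkout, the `manifests` dict would be filled by reading the YAML files under the service directories; the mirrored reference is matched by its upstream name, so a bump applied only to the direct docker.io reference still shows the ghcr.io copy as stale.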

@ArvinderPal09
Contributor

@dependant rebase

@ArvinderPal09 ArvinderPal09 removed the ok-to-test Signals mergebot that CI checks are ready to be kicked off label Sep 13, 2024
@mesosphere-ci mesosphere-ci added the ok-to-test Signals mergebot that CI checks are ready to be kicked off label Sep 13, 2024
@ArvinderPal09
Contributor

@dependant rebase

@ArvinderPal09
Contributor

@dependabot rebase

@SandhyaRavi2403 SandhyaRavi2403 force-pushed the cve-unprivileged-nginx branch 2 times, most recently from f32c99c to 2fed4d3 Compare September 17, 2024 08:03
@ArvinderPal09
Contributor

@mhrabovcin please review the PR.

- image: ghcr.io/mesosphere/dkp-container-images/docker.io/nginxinc/nginx-unprivileged:1.25.5-alpine-d2iq.0
- image: docker.io/nginxinc/nginx-unprivileged:1.27.1-alpine
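Review bot: the replacement in this hunk swaps the mirrored ghcr.io/mesosphere/dkp-container-images reference, with its -d2iq.0 rebuild suffix, for a direct docker.io/nginxinc/nginx-unprivileged:1.27.1-alpine pull, which changes where the cluster pulls the image from and drops the mirror's rebuilt tag. If the 1.27.1 tag is to be consumed here, keep the mirrored path and the mirror's own tag form rather than pointing at upstream, and since this file is part of git-operator, the bump belongs in the git-operator bump PR as the thread notes.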

I think this change needs to be reverted in this PR. This will be part of the git-operator bump PR.


@SandhyaRavi2403 do we need to bump the grafana version number here?

Contributor Author

@SandhyaRavi2403 SandhyaRavi2403 Sep 17, 2024


We haven't updated it for the previous CVE fix.


@github-actions github-actions bot added size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Sep 19, 2024
@SandhyaRavi2403 SandhyaRavi2403 force-pushed the cve-unprivileged-nginx branch 2 times, most recently from 3593af6 to 5431d67 Compare September 19, 2024 06:28
Labels
do-not-merge/testing Do not merge because there is still on-going testing ok-to-test Signals mergebot that CI checks are ready to be kicked off open-kommander-pr Automatically triggers the creation of a PR in Kommander repo services/git-operator services/grafana-loki services/project-grafana-loki size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. update-licenses signals mergebot to update licenses.d2iq.yaml
5 participants