Define process to detect, fix and release critical issues on released fleetdm/fleet docker images. #25902

Open
lucasmrod opened this issue Jan 30, 2025 · 1 comment
Labels: ~engineering-initiated Engineering-initiated story, such as a bug, refactor, or contributor experience improvement. #g-orchestration Orchestration product group :release Ready to write code. Scheduled in a release. See "Making changes" in handbook. ~risk-reduction Related to improvements that could help reduce risk of outages, security, privacy, or trust issues.

Comments

@lucasmrod (Member)

lucasmrod commented Jan 30, 2025

Goal

Fleet to detect vulnerabilities in released fleetdm/fleet docker images (instead of our customers/users reporting them to us), e.g. #25748.

We need to:

  • Add a process (daily GitHub Action) that detects vulnerabilities in our released docker images (e.g. using trivy).
  • Define a process to disclose any (public) found vulnerabilities to customers/users using fleetdm/fleet images (e.g. a status.md somewhere on our repository).
  • Define a process and SLA to fix vulnerabilities on released docker images with CRITICAL vulnerabilities (e.g. by providing new patch releases?).

Examples:

trivy image --ignore-unfixed --pkg-types os,library --severity CRITICAL fleetdm/fleet:v4.62.3

usr/bin/fleetctl (gobinary)

Total: 1 (CRITICAL: 1)

┌─────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────┐
│           Library           │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                    Title                     │
├─────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────┤
│ github.com/go-git/go-git/v5 │ CVE-2025-21613 │ CRITICAL │ fixed  │ v5.11.0           │ 5.13.0        │ go-git: argument injection via the URL field │
│                             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-21613   │
└─────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────┘

# All of these have the same output (same vulnerabilities)
trivy image --ignore-unfixed --pkg-types os,library --severity CRITICAL fleetdm/fleet:v4.61.0
trivy image --ignore-unfixed --pkg-types os,library --severity CRITICAL fleetdm/fleet:v4.60.1
trivy image --ignore-unfixed --pkg-types os,library --severity CRITICAL fleetdm/fleet:v4.59.1
trivy image --ignore-unfixed --pkg-types os,library --severity CRITICAL fleetdm/fleet:v4.58.0
trivy image --ignore-unfixed --pkg-types os,library --severity CRITICAL fleetdm/fleet:v4.57.3

usr/bin/fleet (gobinary)

Total: 1 (CRITICAL: 1)

┌─────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────┐
│       Library       │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                         Title                          │
├─────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────┤
│ golang.org/x/crypto │ CVE-2024-45337 │ CRITICAL │ fixed  │ v0.28.0           │ 0.31.0        │ golang.org/x/crypto/ssh: Misuse of                     │
│                     │                │          │        │                   │               │ ServerConfig.PublicKeyCallback may cause authorization │
│                     │                │          │        │                   │               │ bypass in golang.org/x/crypto                          │
│                     │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-45337             │
└─────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────┘

usr/bin/fleetctl (gobinary)

Total: 2 (CRITICAL: 2)

┌─────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────┐
│           Library           │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                         Title                          │
├─────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────┤
│ github.com/go-git/go-git/v5 │ CVE-2025-21613 │ CRITICAL │ fixed  │ v5.11.0           │ 5.13.0        │ go-git: argument injection via the URL field           │
│                             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-21613             │
├─────────────────────────────┼────────────────┤          │        ├───────────────────┼───────────────┼────────────────────────────────────────────────────────┤
│ golang.org/x/crypto         │ CVE-2024-45337 │          │        │ v0.28.0           │ 0.31.0        │ golang.org/x/crypto/ssh: Misuse of                     │
│                             │                │          │        │                   │               │ ServerConfig.PublicKeyCallback may cause authorization │
│                             │                │          │        │                   │               │ bypass in golang.org/x/crypto                          │
│                             │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-45337             │
└─────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────┘

PS: Our process should start with CRITICAL vulnerabilities and then iterate to HIGH severity later.

@lucasmrod lucasmrod added #g-orchestration Orchestration product group :release Ready to write code. Scheduled in a release. See "Making changes" in handbook. ~engineering-initiated Engineering-initiated story, such as a bug, refactor, or contributor experience improvement. ~risk-reduction Related to improvements that could help reduce risk of outages, security, privacy, or trust issues. labels Jan 30, 2025
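The first two bullets of the issue (detect findings on every released tag, then publish them in a status.md) are the part a scheduled job actually has to implement. The script below is an added example, not Fleet's code and not part of the original issue: it takes the JSON that `trivy image --format json` writes, applies the same filter as `--severity CRITICAL --ignore-unfixed`, collapses findings across tags (the issue shows several releases sharing the same CVEs), renders the markdown table a status.md would carry, and exits non-zero so a daily GitHub Action turns red. The field names (`Results[].Target`, `Vulnerabilities[].VulnerabilityID`, `PkgName`, `FixedVersion`, `Severity`, `Title`, `PrimaryURL`) are trivy's JSON report schema; the embedded sample reports are constructed from the findings quoted above, and the `PLACEHOLDER-UNFIXED` entry is a made-up, unfixed MEDIUM finding used only to exercise the filter.

```python
"""Summarize trivy JSON reports for released container images.

Added example, not Fleet's code. Assumes each tag was scanned with
  trivy image --format json --output <tag>.json fleetdm/fleet:<tag>
and relies on trivy's JSON field names. SAMPLE_REPORTS is constructed from
the findings quoted in the issue; PLACEHOLDER is a made-up, unfixed MEDIUM
finding that the CRITICAL/ignore-unfixed filter must drop.
"""
import json
import os
import sys
from collections import defaultdict

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def actionable_findings(report, min_severity="CRITICAL", ignore_unfixed=True):
    """Return (target, vuln) pairs passing the same filter as
    `trivy image --severity <min_severity>,... --ignore-unfixed`."""
    threshold = SEVERITY_RANK[min_severity]
    found = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            if SEVERITY_RANK.get(vuln.get("Severity", "UNKNOWN"), 0) < threshold:
                continue
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            found.append((result["Target"], vuln))
    return found


def group_by_cve(reports_by_tag, min_severity="CRITICAL"):
    """Collapse per-tag reports into one entry per CVE, recording which tags
    and which binaries inside the image are affected (one row per CVE is
    what a status page needs, since releases usually share findings)."""
    groups = {}
    for tag, report in reports_by_tag.items():
        for target, vuln in actionable_findings(report, min_severity):
            entry = groups.setdefault(vuln["VulnerabilityID"], {
                "package": vuln["PkgName"],
                "fixed_version": vuln["FixedVersion"],
                "severity": vuln["Severity"],
                "title": vuln.get("Title", ""),
                "url": vuln.get("PrimaryURL", ""),
                "tags": defaultdict(list),
            })
            entry["tags"][tag].append(target)
    return groups


def render_status_md(groups, image="fleetdm/fleet"):
    """Render grouped findings as the markdown table a status.md would carry."""
    lines = [f"# Known vulnerabilities in released {image} images", ""]
    if not groups:
        lines.append("No open CRITICAL findings.")
        return "\n".join(lines) + "\n"
    lines += ["| CVE | Severity | Package | Fixed in | Affected tags (binary) |",
              "|-----|----------|---------|----------|------------------------|"]
    for cve in sorted(groups):
        g = groups[cve]
        affected = "; ".join(f"{tag} ({', '.join(sorted(set(targets)))})"
                             for tag, targets in sorted(g["tags"].items()))
        link = f"[{cve}]({g['url']})" if g["url"] else cve
        lines.append(f"| {link} | {g['severity']} | {g['package']} | "
                     f"{g['fixed_version']} | {affected} |")
    return "\n".join(lines) + "\n"


def exit_code(groups):
    """Non-zero when anything actionable remains, so a scheduled job fails."""
    return 1 if groups else 0


def load_reports(paths):
    """Read real `trivy --format json` output files named <tag>.json."""
    return {os.path.basename(p)[:-len(".json")]: json.load(open(p)) for p in paths}


# Constructed sample data, taken from the findings quoted in the issue.
GO_GIT = {
    "VulnerabilityID": "CVE-2025-21613", "PkgName": "github.com/go-git/go-git/v5",
    "InstalledVersion": "v5.11.0", "FixedVersion": "5.13.0", "Severity": "CRITICAL",
    "Title": "go-git: argument injection via the URL field",
    "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-21613",
}
X_CRYPTO = {
    "VulnerabilityID": "CVE-2024-45337", "PkgName": "golang.org/x/crypto",
    "InstalledVersion": "v0.28.0", "FixedVersion": "0.31.0", "Severity": "CRITICAL",
    "Title": "golang.org/x/crypto/ssh: Misuse of ServerConfig.PublicKeyCallback "
             "may cause authorization bypass in golang.org/x/crypto",
    "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-45337",
}
PLACEHOLDER = {  # made-up unfixed MEDIUM finding; not a real advisory
    "VulnerabilityID": "PLACEHOLDER-UNFIXED", "PkgName": "example.invalid/pkg",
    "InstalledVersion": "v0.0.1", "FixedVersion": "", "Severity": "MEDIUM",
}
SAMPLE_REPORTS = {
    "v4.62.3": {"ArtifactName": "fleetdm/fleet:v4.62.3", "Results": [
        {"Target": "usr/bin/fleet", "Type": "gobinary", "Vulnerabilities": []},
        {"Target": "usr/bin/fleetctl", "Type": "gobinary", "Vulnerabilities": [GO_GIT, PLACEHOLDER]},
    ]},
    "v4.61.0": {"ArtifactName": "fleetdm/fleet:v4.61.0", "Results": [
        {"Target": "usr/bin/fleet", "Type": "gobinary", "Vulnerabilities": [X_CRYPTO]},
        {"Target": "usr/bin/fleetctl", "Type": "gobinary", "Vulnerabilities": [GO_GIT, X_CRYPTO]},
    ]},
}

if __name__ == "__main__":
    reports = load_reports(sys.argv[1:]) if len(sys.argv) > 1 else SAMPLE_REPORTS
    found = group_by_cve(reports)
    sys.stdout.write(render_status_md(found))
    sys.exit(exit_code(found))
```

In a daily workflow the script would run after one `trivy image --format json --output <tag>.json` per supported tag, with its stdout committed as the status file and its exit status gating the job; widening `min_severity` to HIGH later, as the PS suggests, is a one-argument change.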
@lukeheath (Member)

@lucasmrod Great idea, thanks for filing.
