
Patch vulnerabilities and exposures for the Verified Catalogs #1112

Open
QuanZhang-William opened this issue Dec 3, 2022 · 2 comments
Labels
lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness.

Comments

QuanZhang-William (Member) commented Dec 3, 2022

In TEP-0115, we selected 5 resources to be supported at Verified support tier, where the @tektoncd/catalog-maintainers are expected to patch the detected CVEs.

In TEP-0079, we have proposed to use the Artifact Hub Scanner service (which uses Trivy) to generate vulnerability reports and display them on the Artifact Hub.

Here is the list of resources (and the underlying images) that will be serviced at Verified tier:

The security reports for the above resources currently contain a bunch of CVEs, which should be addressed before we can claim these are the Verified Catalogs.

We can create separate issues to track the progress for each resource.

Steps to Reproduce the Problem

The Artifact Hub uses Trivy to scan the container images; you can get the same security report by running Trivy locally:

  1. Install Trivy
  2. run trivy image [container image name]

@tektoncd/catalog-maintainers
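As an added example (not part of the issue above, and not tooling from the Tekton catalog or Artifact Hub), the script below shows what a maintainer would do right after step 2: run `trivy image --format json --output report.json [container image name]` and triage the JSON report so that the findings with a fix available (the ones a catalog maintainer can actually close by bumping a package) are separated from unfixed ones, with a simple gate for the severity bar. The report embedded in the script is constructed for this example in Trivy's JSON layout (Results -> Vulnerabilities); its image name, package names and CVE identifiers are placeholders, not findings from any real catalog image, and the HIGH cutoff for the gate is an assumption, not a tier requirement stated in the issue.

```python
"""Triage a Trivy JSON report into fixable vs. unfixed findings per severity.

Usage:
    trivy image --format json --output report.json <image>
    python triage_trivy.py report.json

With no argument the CONSTRUCTED sample below is used; its image name, package
names and CVE identifiers are placeholders, not real findings.
"""
import json
import sys
from collections import Counter

SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN"]
RANK = {sev: i for i, sev in enumerate(SEVERITY_ORDER)}

# Constructed sample in Trivy's JSON output layout (Results -> Vulnerabilities).
SAMPLE_REPORT = {
    "ArtifactName": "example.invalid/catalog/task-image:placeholder",
    "Results": [
        {
            "Target": "example.invalid/catalog/task-image:placeholder (alpine)",
            "Class": "os-pkgs",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libfoo",
                 "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libbar",
                 "InstalledVersion": "2.3.0", "FixedVersion": "", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libbaz",
                 "InstalledVersion": "0.9", "FixedVersion": "0.9.1", "Severity": "LOW"},
            ],
        },
        {
            "Target": "usr/local/bin/tool",
            "Class": "lang-pkgs",
            "Type": "gobinary",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0004", "PkgName": "example.invalid/module",
                 "InstalledVersion": "v0.1.0", "FixedVersion": "v0.2.0", "Severity": "HIGH"},
            ],
        },
    ],
}


def iter_vulns(report):
    """Yield (target, vulnerability) pairs. Trivy omits Results/Vulnerabilities when empty."""
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            yield result.get("Target", "?"), vuln


def summarize(report):
    """Count findings per severity, split by whether Trivy reports a FixedVersion."""
    fixable, unfixed = Counter(), Counter()
    for _, vuln in iter_vulns(report):
        sev = str(vuln.get("Severity", "UNKNOWN")).upper()
        (fixable if vuln.get("FixedVersion") else unfixed)[sev] += 1
    return fixable, unfixed


def patch_list(report, min_severity="HIGH"):
    """Findings closable by a version bump: fix available and severity at or above min_severity."""
    cutoff = RANK[min_severity]
    rows = []
    for target, vuln in iter_vulns(report):
        sev = str(vuln.get("Severity", "UNKNOWN")).upper()
        if vuln.get("FixedVersion") and RANK.get(sev, len(RANK)) <= cutoff:
            rows.append((target, vuln["VulnerabilityID"], vuln["PkgName"],
                         vuln["InstalledVersion"], vuln["FixedVersion"], sev))
    rows.sort(key=lambda r: RANK.get(r[5], len(RANK)))  # most severe first
    return rows


def gate(report, min_severity="HIGH"):
    """True when nothing fixable remains at or above min_severity (assumed bar for this example)."""
    return not patch_list(report, min_severity)


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    fixable, unfixed = summarize(report)
    print("severity   fixable  unfixed")
    for sev in SEVERITY_ORDER:
        if fixable[sev] or unfixed[sev]:
            print(f"{sev:<10} {fixable[sev]:>7}  {unfixed[sev]:>7}")
    print("\nto patch (fix available):")
    for target, cve, pkg, installed, fixed, sev in patch_list(report):
        print(f"  [{sev}] {cve}: {pkg} {installed} -> {fixed}  ({target})")
    return 0 if gate(report) else 1  # non-zero exit lets CI fail the image


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

On the constructed sample the script exits non-zero because two fixable HIGH/CRITICAL findings remain, while the unfixed HIGH one is reported but does not block: that mirrors what a maintainer can act on versus what has to wait for an upstream fix. Running Trivy with `--ignore-unfixed` gives the same split at scan time, at the cost of not seeing the unfixed findings at all.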

tekton-robot commented

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale with a justification.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/lifecycle stale

Send feedback to tektoncd/plumbing.

@tekton-robot tekton-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Mar 8, 2023
vinamra28 (Member) commented

/remove-lifecycle stale
/lifecycle frozen
This we might revisit in future.

@tekton-robot tekton-robot added lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Mar 9, 2023
Projects
Status: Todo
Development

No branches or pull requests

3 participants