Ignore false fixable vulnerabilities #847

Merged

parametalol merged 7 commits into release/3.69.x from michael/3-69-0-allowed-vulns on Mar 9, 2022
Conversation

@parametalol
Contributor

Ignoring some vulnerabilities due to Quay reporting them fixable on latest ubi8:8.5.

@ghost

ghost commented Mar 8, 2022

Tag for build #286963 is 3.69.0-rc.1-7-ga128d25dc3.

💻 For deploying this image using the dev scripts, run the following first:

export MAIN_IMAGE_TAG='3.69.0-rc.1-7-ga128d25dc3'

📦 You can also generate an installation bundle with:

docker run -i --rm stackrox/main:3.69.0-rc.1-7-ga128d25dc3 central generate interactive > bundle.zip

🕹️ A roxctl binary artifact can be downloaded from CircleCI.

Contributor

@misberner misberner left a comment

LGTM, but could you temporarily comment out the

            branches:
              ignore: /.*/

stanza for the scan-images-in-quay job? Should be around l.5131 in .circleci/config.yml. Just to make sure that it now passes.

@parametalol
Contributor Author

release/scripts/vuln_check.sh script results:

Trying to get any fixable vulns for the scanned image
main:3.69.0-rc.1-4-g4c61bc2903 has fixable vulns!:
  Allowing SNYK-PYTHON-URLLIB3-174323 because it matches {"vuln":"SNYK-PYTHON-URLLIB3-174323","image":".*","tag":".*","reason":"This is a Quay false fixable on ubi8:8.5"}.
  Allowing SNYK-PYTHON-URLLIB3-1014645 because it matches {"vuln":"SNYK-PYTHON-URLLIB3-1014645","image":".*","tag":".*","reason":"This is a Quay false fixable on ubi8:8.5"}.
  Allowing SNYK-PYTHON-URLLIB3-1533435 because it matches {"vuln":"SNYK-PYTHON-URLLIB3-1533435","image":".*","tag":".*","reason":"This is a Quay false fixable on ubi8:8.5"}.
  Allowing pyup.io-38834 (CVE-2020-26137) because it matches {"vuln":"pyup.io-38834 (CVE-2020-26137)","image":".*","tag":".*","reason":"This is a Quay false fixable on ubi8:8.5"}.
  Allowing pyup.io-38834 (CVE-2020-26137) because it matches {"vuln":"pyup.io-38834 (CVE-2020-26137)","image":".*","tag":".*","reason":"This is a Quay false fixable on ubi8:8.5"}.
  Allowing pyup.io-38834 (CVE-2020-26137) because it matches {"vuln":"pyup.io-38834 (CVE-2020-26137)","image":".*","tag":".*","reason":"This is a Quay false fixable on ubi8:8.5"}.
  Allowing pyup.io-43975 (CVE-2021-33503) because it matches {"vuln":"pyup.io-43975 (CVE-2021-33503)","image":".*","tag":".*","reason":"This is a Quay false fixable on ubi8:8.5"}.
Fetching current image id from quay for docs:d4821715-f57a81c2-b6d8cf96
Getting scan status
curl: (22) The requested URL returned error: 500 

Exited with code exit status 22
CircleCI received exit code 22

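The log above shows the shape of the allowlist vuln_check.sh consults: one JSON entry per exemption with a "vuln" identifier, an "image" and "tag" pattern, and a free-text "reason". The following is an added example, not the project's script and not code from this PR: it models that gate in Python against constructed scanner findings, so that the matching rule and its failure modes can be seen end to end. The entry with a narrow image/tag scope, the hypothetical finding identifiers, the function names and the use of re.fullmatch for image/tag patterns are all assumptions of this example; the real script's comparison semantics are not visible on the page.

```python
"""Fixable-vulnerability gate with an allowlist (added example, not the project's code).

Models the entry format seen in the vuln_check.sh output:
  {"vuln": ..., "image": <regex>, "tag": <regex>, "reason": ...}
Design choices made here (assumptions, not taken from the page):
  - "vuln" is compared literally, because ids like "pyup.io-38834 (CVE-2020-26137)"
    contain regex metacharacters and must not be interpreted as patterns;
  - "image" and "tag" are regexes matched with re.fullmatch, so ".*" means "any image"
    and a partial pattern does not silently match a prefix.
"""
import json
import re
from typing import Dict, List, Optional, Tuple

Entry = Dict[str, str]
Finding = Tuple[str, str, str]  # (image, tag, vuln id)

# Constructed allowlist. The first entry mirrors the wildcard scope seen in the log;
# the second is a hypothetical narrowly scoped entry; the third matches nothing below
# and illustrates how a stale exemption is surfaced.
ALLOWLIST: List[Entry] = [
    {"vuln": "SNYK-PYTHON-URLLIB3-174323", "image": ".*", "tag": ".*",
     "reason": "This is a Quay false fixable on ubi8:8.5"},
    {"vuln": "pyup.io-43975 (CVE-2021-33503)", "image": "main", "tag": r"3\.69\..*",
     "reason": "This is a Quay false fixable on ubi8:8.5"},
    {"vuln": "SNYK-PYTHON-URLLIB3-1014645", "image": ".*", "tag": ".*",
     "reason": "This is a Quay false fixable on ubi8:8.5"},
]

# Constructed scanner findings (not real scan results).
FINDINGS: List[Finding] = [
    ("main", "3.69.0-rc.1-4-g4c61bc2903", "SNYK-PYTHON-URLLIB3-174323"),
    ("main", "3.69.0-rc.1-4-g4c61bc2903", "pyup.io-43975 (CVE-2021-33503)"),
    # Same vuln on a different image: the narrow entry must not cover it.
    ("scanner", "3.69.0-rc.1-4-g4c61bc2903", "pyup.io-43975 (CVE-2021-33503)"),
    # Hypothetical id with no allowlist entry at all.
    ("main", "3.69.0-rc.1-4-g4c61bc2903", "EXAMPLE-VULN-0001"),
]


def matches(entry: Entry, image: str, tag: str, vuln: str) -> bool:
    """True if the allowlist entry covers this (image, tag, vuln) finding."""
    return (entry["vuln"] == vuln
            and re.fullmatch(entry["image"], image) is not None
            and re.fullmatch(entry["tag"], tag) is not None)


def find_entry(allowlist: List[Entry], finding: Finding) -> Optional[Entry]:
    image, tag, vuln = finding
    return next((e for e in allowlist if matches(e, image, tag, vuln)), None)


def check(findings: List[Finding], allowlist: List[Entry]) -> Tuple[List[str], List[str]]:
    """Return (allowed messages, blocking messages) in the style of the log above."""
    allowed, blocking = [], []
    for finding in findings:
        image, tag, vuln = finding
        entry = find_entry(allowlist, finding)
        if entry is not None:
            compact = json.dumps(entry, separators=(",", ":"))
            allowed.append(f"Allowing {vuln} because it matches {compact}.")
        else:
            blocking.append(f"{image}:{tag} has fixable vuln {vuln} with no allowlist entry")
    return allowed, blocking


def unused_entries(findings: List[Finding], allowlist: List[Entry]) -> List[str]:
    """Vuln ids of entries that matched no finding: candidates for removal,
    so temporary workarounds do not outlive the scanner bug they paper over."""
    used = {id(find_entry(allowlist, f)) for f in findings}
    return [e["vuln"] for e in allowlist if id(e) not in used]


def exit_code(findings: List[Finding], allowlist: List[Entry]) -> int:
    """Non-zero when any unallowed fixable vulnerability remains."""
    return 1 if check(findings, allowlist)[1] else 0


if __name__ == "__main__":
    allowed, blocking = check(FINDINGS, ALLOWLIST)
    for line in allowed + blocking:
        print(line)
    for vuln in unused_entries(FINDINGS, ALLOWLIST):
        print(f"Stale allowlist entry (matched nothing): {vuln}")
    raise SystemExit(exit_code(FINDINGS, ALLOWLIST))
```

Two points worth noting for anyone maintaining such a list: the wildcard image/tag entries shown in the log exempt the vulnerability in every image and every tag, which is the broadest possible scope for what is described as a temporary workaround, and an entry that no longer matches any finding is invisible unless the gate reports it, which is why the example lists unused entries alongside the pass/fail result.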
@parametalol parametalol merged commit 8781d51 into release/3.69.x Mar 9, 2022
@parametalol parametalol deleted the michael/3-69-0-allowed-vulns branch March 9, 2022 10:54
@misberner
Contributor

@0x656b694d for future reference: unless a change is specific to one release (which this one isn't), please always merge PRs into master and cherry-pick them into the release branch.

@msugakov
Contributor

@0x656b694d Was the decision intentional to not merge this one into master? What may prevent us from merging the same change to master?

rukletsov pushed a commit that referenced this pull request Mar 11, 2022
@parametalol
Contributor Author

I considered the only change to go to master to be #825 (which I cherry-picked here), and not the temporary workaround for false fixable.

rukletsov added a commit that referenced this pull request Mar 11, 2022
(cherry picked from commit 8781d51) (#847)

Co-authored-by: Michaël <michael@redhat.com>
@msugakov
Contributor

I'm really confused how #825 would address falsely found vulns. Data that's stored in quay wouldn't change if you change the way you get it, or am I wrong?
I imagine that #825 could help with 5xx errors from quay.io but that's separate from vulns that are successfully returned.

RTann pushed a commit that referenced this pull request Apr 6, 2022
(cherry picked from commit 8781d51) (#847)

Co-authored-by: Michaël <michael@redhat.com>