helm chartmuseum image vulnerabilities

[olivejing]

I used v0.13.1, helm chartmuseum image vulnerabilities were found during trivy scan.

LIBRARY	FIXED VERSION	VULNERABILITY ID	SEVERITY
github.com/containerd/containerd	v1.4.11, v1.5.7	CVE-2021-41103	HIGH
github.com/containerd/containerd	v1.4.8, v1.5.4	CVE-2021-32760	MEDIUM
github.com/dgrijalva/jwt-go	Unknown	CVE-2020-26160	HIGH
github.com/docker/cli	v20.10.9	CVE-2021-41092	HIGH
github.com/docker/distribution	v2.7.0-rc.0+incompatible	CVE-2017-11468	HIGH
github.com/opencontainers/runc	v1.0.0-rc8.0.20190930145003-cad42f6e0932	CVE-2019-16884	HIGH
github.com/opencontainers/runc	v1.0.0-rc9.0.20200122160610-2fc03cc11c77	CVE-2019-19921	HIGH
github.com/satori/go.uuid	v1.2.1-0.20181016170032-d91630c85102	GO-2020-0018	UNKNOWN

[cbuto]

hi @olivejing, most of these findings have been resolved and will be included in the next release. There are a few related to various transitive dependencies (like github.com/dgrijalva/jwt-go) that need to be tracked down.

[scbizu]

Also see https://artifacthub.io/packages/helm/chartmuseum/chartmuseum?modal=security-report for more image vulnerabilities .

[nerdeveloper]

is it better to use a versioned alpine image:

chartmuseum/Dockerfile

Line 1 in c2b91a0

FROM alpine:latest

Also by default, if we release 0.15.0, it is expected that It will use the latest version of alpine; which will automatically fix the vulnerability issue @cbuto Correct?

[cbuto]

@nerdeveloper yep a new release will pull the latest version.

All of these have been resolved besides CVE-2020-26160, but lets track that one in #567 and close this issue.

[scbizu]

@cbuto jwt-go is an indirect dependency and is included by our upstream's upstream :(

[scbizu]

I prefer to reopen this issue to track containerd's security issue reported by our dependabot bot here , and also depends on helm's upgrade helm/helm#10717

[cbuto]

@scbizu the containerd CVEs reported in this issue are different then the CVE that dependabot is reporting. These CVEs have been resolved.

[scbizu]

oh, sorry . Should we close this one and open a new issue to track ？

[cbuto]

No problem! Yeah it might be a good idea to track that one separately

[scbizu]

Closes this one due to the #568 will track all CVE issues