Address all vulnerabilities flagged on the published images #344

Closed
Tracked by #362
ahg-g opened this issue Feb 15, 2025 · 6 comments · Fixed by #384
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@ahg-g
Contributor

ahg-g commented Feb 15, 2025

I have vulnerability detection enabled on my artifact registry: https://pantheon.corp.google.com/artifacts/docker/ahg-gke-dev/us-central1/jobset2/epp/sha256:e2ee744813f1ba63b5cc18cc5aa08a1c220d66cd9385f66d67b3a7f44e5f9b11;tab=vulnerabilities?e=-13802955&inv=1&invt=Abpmag&mods=monitoring_api_prod

There are plenty that we need to address before the next release.

@kfswain kfswain added the kind/bug Categorizes issue or PR as related to a bug. label Feb 19, 2025
@tchap
Contributor

tchap commented Feb 20, 2025

Is there a way to share the list with people that cannot access the output, if it makes sense?

@ahg-g
Contributor Author

ahg-g commented Feb 20, 2025

Here is a copy of the critical/high ones:

| CVE | Severity | CVSS | Fix available | Effective severity | Package | Type |
|---|---|---|---|---|---|---|
| CVE-2021-35942 | Critical | 9.1 | Yes | Unspecified | glibc | OS |
| CVE-2021-33574 | Critical | 9.8 | Yes | Unspecified | glibc | OS |
| CVE-2022-23219 | Critical | 9.8 | Yes | Unspecified | glibc | OS |
| CVE-2022-23218 | Critical | 9.8 | Yes | Unspecified | glibc | OS |
| CVE-2022-4450 | High | 7.5 | Yes | Unspecified | openssl | OS |
| CVE-2023-0215 | High | 7.5 | Yes | Unspecified | openssl | OS |
| CVE-2020-1752 | High | 7 | Yes | Unspecified | glibc | OS |
| CVE-2021-3326 | High | 7.5 | Yes | Unspecified | glibc | OS |
| CVE-2023-0464 | High | 7.5 | Yes | Unspecified | openssl | OS |
| CVE-2021-3999 | High | 7.8 | Yes | Unspecified | glibc | OS |
| CVE-2023-0286 | High | 7.4 | Yes | Unspecified | openssl | OS |

@ahg-g
Contributor Author

ahg-g commented Feb 20, 2025

and a copy of the medium/low ones:

| CVE | Severity | CVSS | Fix available | Effective severity | Package | Type |
|---|---|---|---|---|---|---|
| CVE-2023-3446 | Medium | 5.3 | Yes | Unspecified | openssl | OS |
| CVE-2020-10029 | Medium | 5.5 | Yes | Unspecified | glibc | OS |
| CVE-2023-0466 | Medium | 5.3 | Yes | Unspecified | openssl | OS |
| CVE-2020-27618 | Medium | 5.5 | Yes | Unspecified | glibc | OS |
| CVE-2023-0465 | Medium | 5.3 | Yes | Unspecified | openssl | OS |
| CVE-2022-2097 | Medium | 5.3 | Yes | Unspecified | openssl | OS |
| CVE-2019-25013 | Medium | 5.9 | Yes | Unspecified | glibc | OS |
| CVE-2022-4304 | Medium | 5.9 | Yes | Unspecified | openssl | OS |
| CVE-2023-3817 | Medium | 5.3 | Yes | Unspecified | openssl | OS |
| CVE-2023-2650 | Medium | 6.5 | Yes | Unspecified | openssl | OS |
| CVE-2021-27645 | Low | 2.5 | Yes | Unspecified | glibc | OS |
| CVE-2019-19126 | Low | 3.3 | Yes | Unspecified | glibc | OS |
| CVE-2020-6096 | Low | 8.1 | Yes | Unspecified | glibc | OS |
| CVE-2016-10228 | Low | 5.9 | Yes | Unspecified | glibc | OS |
| CVE-2024-2961 | Unspecified | 0 | Yes | Unspecified | glibc | OS |

@ahg-g
Contributor Author

ahg-g commented Feb 21, 2025

So it seems all of them are related to glibc; not sure how we force an update for it?

@ahg-g
Contributor Author

ahg-g commented Feb 21, 2025

Actually, we do set an envvar to disable golibc: https://github.com/kubernetes-sigs/gateway-api-inference-extension/blob/main/Dockerfile#L8; but it doesn't seem this is actually taking effect?

@ahg-g
Contributor Author

ahg-g commented Feb 21, 2025

It turns out the issue is with the base image; I sent out #384.
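The two lists in this thread are plain rows from the registry scanner, and the conclusion reached above is that every one of them belongs to the base image rather than to the Go binary. As an added example (not code from this issue or from the gateway-api-inference-extension project), here is a small Python triage script for such rows: it parses them, collapses the repeated rows that the pasted UI output contained, counts findings per package and severity, flags rows whose severity label disagrees with their CVSS score (CVE-2020-6096 is labelled Low with a score of 8.1), and lists the packages flagged at the OS layer. Those OS-layer packages come from the base image's package inventory, so building the binary with CGO_ENABLED=0 does not clear them; only a base image without those packages does. The column meanings (CVE, severity, CVSS, fix available, effective severity, package, package type) are an assumption based on the pasted output, and the sample rows are the ones quoted in the thread, with the first one repeated to show the deduplication.

```python
"""Triage helper for a flattened container-image vulnerability export.

Added example, not from the issue or the project. Column order assumed from
the pasted scanner output: CVE, severity, CVSS, fix available, effective
severity, package, package type.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample: the rows quoted in the issue. The first row is repeated
# on purpose, as the pasted UI output listed every row twice.
SAMPLE_REPORT = """
CVE-2021-35942 Critical 9.1 Yes Unspecified glibc OS
CVE-2021-35942 Critical 9.1 Yes Unspecified glibc OS
CVE-2021-33574 Critical 9.8 Yes Unspecified glibc OS
CVE-2022-23219 Critical 9.8 Yes Unspecified glibc OS
CVE-2022-23218 Critical 9.8 Yes Unspecified glibc OS
CVE-2022-4450 High 7.5 Yes Unspecified openssl OS
CVE-2023-0215 High 7.5 Yes Unspecified openssl OS
CVE-2020-1752 High 7 Yes Unspecified glibc OS
CVE-2021-3326 High 7.5 Yes Unspecified glibc OS
CVE-2023-0464 High 7.5 Yes Unspecified openssl OS
CVE-2021-3999 High 7.8 Yes Unspecified glibc OS
CVE-2023-0286 High 7.4 Yes Unspecified openssl OS
CVE-2023-3446 Medium 5.3 Yes Unspecified openssl OS
CVE-2020-10029 Medium 5.5 Yes Unspecified glibc OS
CVE-2023-0466 Medium 5.3 Yes Unspecified openssl OS
CVE-2020-27618 Medium 5.5 Yes Unspecified glibc OS
CVE-2023-0465 Medium 5.3 Yes Unspecified openssl OS
CVE-2022-2097 Medium 5.3 Yes Unspecified openssl OS
CVE-2019-25013 Medium 5.9 Yes Unspecified glibc OS
CVE-2022-4304 Medium 5.9 Yes Unspecified openssl OS
CVE-2023-3817 Medium 5.3 Yes Unspecified openssl OS
CVE-2023-2650 Medium 6.5 Yes Unspecified openssl OS
CVE-2021-27645 Low 2.5 Yes Unspecified glibc OS
CVE-2019-19126 Low 3.3 Yes Unspecified glibc OS
CVE-2020-6096 Low 8.1 Yes Unspecified glibc OS
CVE-2016-10228 Low 5.9 Yes Unspecified glibc OS
CVE-2024-2961 Unspecified 0 Yes Unspecified glibc OS
"""


@dataclass(frozen=True)
class Finding:
    cve: str
    severity: str
    cvss: float
    fix_available: bool
    package: str
    package_type: str


def parse_report(text):
    """Parse export rows into Findings, dropping repeated CVE rows and noise."""
    seen = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 7 or not f[0].startswith("CVE-"):
            continue  # blank line, header, or stray UI text
        seen.setdefault(f[0], Finding(f[0], f[1], float(f[2]), f[3] == "Yes", f[5], f[6]))
    return list(seen.values())


def summarize(findings):
    """Severity counts per package, e.g. {'glibc': {'Critical': 4, ...}}."""
    counts = defaultdict(Counter)
    for f in findings:
        counts[f.package][f.severity] += 1
    return {pkg: dict(c) for pkg, c in counts.items()}


def cvss_band(score):
    """Map a CVSS v3 base score to its qualitative band."""
    for limit, band in ((0.0, "None"), (3.9, "Low"), (6.9, "Medium"), (8.9, "High")):
        if score <= limit:
            return band
    return "Critical"


def severity_mismatches(findings):
    """CVEs whose scanner label disagrees with the CVSS band; a row labelled
    Low with an 8.1 score should not be deferred on the strength of the label."""
    return {f.cve for f in findings
            if f.severity != "Unspecified" and cvss_band(f.cvss) != f.severity}


def os_packages(findings):
    """Packages flagged at the OS layer. These are inventoried from the base
    image, so rebuilding the Go binary cannot remove them; the base image can."""
    return {f.package for f in findings if f.package_type == "OS"}


if __name__ == "__main__":
    fs = parse_report(SAMPLE_REPORT)
    print(summarize(fs))
    print("label/score mismatches:", sorted(severity_mismatches(fs)))
    print("needs a base image change:", sorted(os_packages(fs)))
```

Run it as-is to triage the sample; to use it on a real export, replace SAMPLE_REPORT with the scanner's rows in the same column order. The per-package summary makes the thread's point visible at a glance: all 26 findings sit in glibc and openssl at the OS layer with a fix available, so the remediation is a base image change rather than anything in the application code.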
