CVE: Container Images related to Portieris have one or more critical or high CVEs

Bug #2051611 reported by Ghada Khalil
Affects: StarlingX | Status: Fix Released | Importance: Medium | Assigned to: Jerry Sun | Milestone: (none)

Bug Description

Brief Description
-----------------
The following images related to portieris are old and have CVEs:
- icr.io/portieris/portieris::v0.13.1
- docker.io/starlingx/portieris:stx.5.0-v0.7.0

The recommendation is to move to a new version of portieris (v0.13.10) and rebuild the StarlingX-built portieris image as it was last built in July 2020.

Severity
--------
Major - CVE / vulnerability issues

Steps to Reproduce
------------------
CVE scan using 3rd party tool

Expected Behavior
------------------
No/limited CVEs are reported

Actual Behavior
----------------
Many CVEs are reported

Reproducibility
---------------
Reproducible

System Configuration
--------------------
Any

Branch/Pull Time/Commit
-----------------------
The above images are used in all recent stx main branch builds

Last Pass
---------
N/A

Timestamp/Logs
--------------
Not Required

Test Activity
-------------
CVE scan

Workaround
----------
None

Ghada Khalil (gkhalil)
Changed in starlingx:
importance: Undecided → Medium
assignee: nobody → Jerry Sun (jerry-sun-u)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to portieris-armada-app (master)
Changed in starlingx:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to portieris-armada-app (master)

Reviewed: https://review.opendev.org/c/starlingx/portieris-armada-app/+/907333
Committed: https://opendev.org/starlingx/portieris-armada-app/commit/444c592d616299f7e261e44c52e5a2a0c964fc99
Submitter: "Zuul (22348)"
Branch: master

commit 444c592d616299f7e261e44c52e5a2a0c964fc99
Author: Jerry Sun <email address hidden>
Date: Wed Jan 31 09:54:46 2024 -0500

    Upversion Portieris to 0.13.10

    This commit upversions Portieris to version 0.13.10. The upversioning
    addresses CVEs in the previous (0.13.1) Portieris image.

    The additional toleration is to allow Portieris pods to be scheduled.
    Without it, application apply fails. The taint used to be "master"
    in older releases, but has been changed to "control-plane". Keeping
    both for backwards compatibility and upgrades.

    Test Cases:

    PASS: Apply new version of Portieris. Apply an imagepolicy. Ensure
          that a signed image can be used and an unsigned image is denied
          according to the imagepolicy.
    PASS: Remove all user created imagepolicies and try to use the
          unsigned image. Ensure that by default, unsigned images are
          allowed.

    Closes-bug: 2051611
    Change-Id: Id621d91ed41a705035713ff59439f59211e035f5
    Signed-off-by: Jerry Sun <email address hidden>
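The scheduling failure the commit message describes (pods tolerating only the old "master" taint cannot land on controllers that now carry the "control-plane" taint) can be checked without a cluster. The following is an added example, not code from the Portieris app or this change: it implements the Kubernetes taint/toleration matching rules for the blocking effects and assumes the standard taint keys `node-role.kubernetes.io/master` and `node-role.kubernetes.io/control-plane`, which the page names only by their short forms.

```python
"""Taint/toleration matching as Kubernetes applies it, limited to the
NoSchedule/NoExecute effects that keep a pod off a node."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Taint:
    key: str
    effect: str
    value: str = ""


@dataclass(frozen=True)
class Toleration:
    key: str = ""            # empty key with operator Exists tolerates every taint
    operator: str = "Equal"  # "Equal" or "Exists"
    value: str = ""
    effect: str = ""         # empty effect matches every effect of that key


def tolerates(tol: Toleration, taint: Taint) -> bool:
    """True if a single toleration covers a single taint."""
    if tol.effect and tol.effect != taint.effect:
        return False
    if tol.operator == "Exists":
        return tol.key in ("", taint.key)
    return tol.key == taint.key and tol.value == taint.value


def untolerated_taints(tolerations, taints):
    """Taints on the node that no toleration covers and that block scheduling."""
    blocking = [t for t in taints if t.effect in ("NoSchedule", "NoExecute")]
    return [t for t in blocking if not any(tolerates(tol, t) for tol in tolerations)]


def schedulable(tolerations, taints) -> bool:
    return not untolerated_taints(tolerations, taints)


# Constructed sample controllers: one from an older release (taint "master"),
# one from a newer release (taint "control-plane").
OLD_NODE = [Taint("node-role.kubernetes.io/master", "NoSchedule")]
NEW_NODE = [Taint("node-role.kubernetes.io/control-plane", "NoSchedule")]

# Pod spec tolerating only the old taint, and the fix: tolerate both.
ONLY_MASTER = [Toleration("node-role.kubernetes.io/master", "Exists", effect="NoSchedule")]
BOTH = ONLY_MASTER + [Toleration("node-role.kubernetes.io/control-plane", "Exists", effect="NoSchedule")]

if __name__ == "__main__":
    for label, tols in (("master-only", ONLY_MASTER), ("both", BOTH)):
        for node, taints in (("old", OLD_NODE), ("new", NEW_NODE)):
            state = "schedulable" if schedulable(tols, taints) else "blocked"
            print(f"{label:12} tolerations on {node} controller: {state}")
```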

Changed in starlingx:
status: In Progress → Fix Released
Ghada Khalil (gkhalil)
tags: added: stx.9.0 stx.apps stx.security