Created
November 13, 2023 19:42
-
-
Save dlorenc/3746d7594e89e8ffaf60dd6fe7320926 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| % snyk container test cgr.dev/chainguard/metrics-server | |
| Testing cgr.dev/chainguard/metrics-server... | |
| Organization: lorenc.d | |
| Package manager: apk | |
| Project name: docker-image|cgr.dev/chainguard/metrics-server | |
| Docker image: cgr.dev/chainguard/metrics-server | |
| Platform: linux/arm64 | |
| Licenses: enabled | |
| ✔ Tested 3 dependencies for known issues, no vulnerable paths found. | |
| ------------------------------------------------------- | |
| Testing cgr.dev/chainguard/metrics-server... | |
| ✗ High severity vulnerability found in go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp | |
| Description: Allocation of Resources Without Limits or Throttling | |
| Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5963583 | |
| Introduced through: go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.20.0 | |
| From: go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.20.0 | |
| Fixed in: 0.44.0 | |
| ✗ High severity vulnerability found in go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp | |
| Description: Allocation of Resources Without Limits or Throttling | |
| Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOOPENTELEMETRYIOCONTRIBINSTRUMENTATIONNETHTTPOTELHTTP-5971109 | |
| Introduced through: go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.20.0 | |
| From: go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.20.0 | |
| Fixed in: 0.44.0 | |
| Organization: lorenc.d | |
| Package manager: gomodules | |
| Target file: /usr/bin/metrics-server | |
| Project name: sigs.k8s.io/metrics-server | |
| Docker image: cgr.dev/chainguard/metrics-server | |
| Licenses: enabled | |
| Tested 684 dependencies for known issues, found 2 issues. | |
| Snyk wasn’t able to auto detect the base image, use `--file` option to get base image remediation advice. | |
| Example: $ snyk container test cgr.dev/chainguard/metrics-server --file=path/to/Dockerfile | |
| Snyk found some vulnerabilities in your image applications (Snyk searches for these vulnerabilities by default). See https://snyk.co/app-vulns for more information. | |
| To remove these messages in the future, please run `snyk config set disableSuggestions=true` | |
| Tested 2 projects, 1 contained vulnerable paths. | |
| % docker scout cves cgr.dev/chainguard/metrics-server | |
| ! New version 1.0.9 available (installed version is 1.0.7) at https://github.com/docker/scout-cli | |
| ✓ SBOM of image already cached, 94 packages indexed | |
| ✗ Detected 4 vulnerable packages with a total of 4 vulnerabilities | |
| ## Overview | |
| │ Analyzed Image | |
| ────────────────────┼───────────────────────────────────────────── | |
| Target │ cgr.dev/chainguard/metrics-server:latest | |
| digest │ 32f90b0925c0 | |
| platform │ linux/arm64 | |
| vulnerabilities │ 0C 2H 2M 0L | |
| size │ 16 MB | |
| packages │ 94 | |
| ## Packages and Vulnerabilities | |
| 0C 1H 0M 0L go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc 0.20.0 | |
| pkg:golang/go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc@0.20.0 | |
| ✗ HIGH CVE-2023-47108 [Allocation of Resources Without Limits or Throttling] | |
| https://scout.docker.com/v/CVE-2023-47108 | |
| Affected range : <0.46.0 | |
| Fixed version : 0.46.0 | |
| CVSS Score : 7.5 | |
| CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | |
| 0C 1H 0M 0L go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp 0.20.0 | |
| pkg:golang/go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@0.20.0 | |
| ✗ HIGH CVE-2023-45142 [Allocation of Resources Without Limits or Throttling] | |
| https://scout.docker.com/v/CVE-2023-45142 | |
| Affected range : <0.44.0 | |
| Fixed version : 0.44.0 | |
| CVSS Score : 7.5 | |
| CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | |
| 0C 0H 1M 0L k8s.io/apiserver 0.23.17 | |
| pkg:golang/k8s.io/apiserver@0.23.17 | |
| ✗ MEDIUM CVE-2020-8552 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] | |
| https://scout.docker.com/v/CVE-2020-8552 | |
| Affected range : <1.15.10 | |
| Fixed version : 1.15.10, 1.16.7, 1.17.3 | |
| CVSS Score : 4.3 | |
| CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L | |
| 0C 0H 1M 0L github.com/prometheus/prometheus 2.5.0+incompatible | |
| pkg:golang/github.com/prometheus/prometheus@2.5.0+incompatible | |
| ✗ MEDIUM CVE-2019-3826 [OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities] | |
| https://scout.docker.com/v/CVE-2019-3826 | |
| Affected range : <v2.7.1 | |
| Fixed version : v2.7.1 | |
| CVSS Score : 6.1 | |
| CVSS Vector : CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | |
| 4 vulnerabilities found in 4 packages | |
| LOW 0 | |
| MEDIUM 2 | |
| HIGH 2 | |
| CRITICAL 0 | |
| What's Next? | |
| View base image update recommendations → docker scout recommendations cgr.dev/chainguard/metrics-server:latest |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment