Vulnerabilities not shown in new releases #2441
-
|
We have released new versions of https://artifacthub.io/packages/helm/okteto/okteto and the vulnerabilities aren't showing. We've checked and didn't find any image not being private |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 5 replies
-
|
Hi @AgustinRamiroDiaz 👋 It looks like no containers images have been detected since version In cases where AH is not able to detect your containers images automatically, you can provide them manually with the artifacthub.io/images annotation. As soon as a new version of your package with containers images is indexed, it'll be scanned for security vulnerabilities again 🙂 |
Beta Was this translation helpful? Give feedback.
-
|
I find it weird that we didn't change almost anything regarding the images. Also, testing the regex against the source files I find a lot of matches. Has there been any changes lately in this behavior? Is it expected that the regex could fail? |
Beta Was this translation helpful? Give feedback.
-
|
Mmm no, that part of the code hasn't changed in a long time. I've run a quick test locally and it looks like the problem is that the Helm dry-run is failing on those versions (the regex is applied to the output of the dry-run, not to the sources directly). I got the error below when running it using the code linked above. You should be able to reproduce it with the Helm CLI tool. Versions < 1.1.0 have been processed fine, detecting the images as expected (all processed with the current version of the code). Hope this helps! |
Beta Was this translation helpful? Give feedback.
-
|
Thanks tegioz! Very kind of you 🙇 |
Beta Was this translation helpful? Give feedback.
-
|
@tegioz One more question. That error is due to a validation we've purposely added to our chart to reduce the number of installations with wrong configuration. What can we do to have the |
Beta Was this translation helpful? Give feedback.
-
|
I think the easiest way would be to define the container images used in the annotation mentioned in my first comment. |
Beta Was this translation helpful? Give feedback.
Hi @AgustinRamiroDiaz 👋
It looks like no containers images have been detected since version
1.1.0-rc.1. By default, Artifact Hub will try to extract the containers images used by Helm charts from the manifests generated from a dry-run install using the default values. This is done by using a regular expression that sometimes may not be able to identify them.In cases where AH is not able to detect your containers images automatically, you can provide them manually with the artifacthub.io/images annotation. As soon as a new version of your package with containers images is indexed, it'll be scanned for security vulnerabilities again 🙂