
Create new trivial release to include CVE fix #836

Closed
matttrach opened this issue May 11, 2023 · 14 comments
Labels
lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed.

Comments

@matttrach

What happened:
Found CVE vulnerability when scanning snapshot-controller:v6.2.1 with Trivy related to golang.org/x/net module.
Trivy found CVE-2022-41723 which can be mitigated by upgrading net module to v0.7.0+.
I believe the offending code is in the client.

What you expected to happen:
Trivy should not find any HIGH,CRITICAL CVEs when scanning artifacts.

How to reproduce it:

# trivy image --scanners vuln -s HIGH,CRITICAL registry.k8s.io/sig-storage/snapshot-controller:v6.2.1

2023-05-11T17:41:39.514Z        INFO    Vulnerability scanning is enabled
2023-05-11T17:41:41.175Z        INFO    Detected OS: debian
2023-05-11T17:41:41.175Z        INFO    Detecting Debian vulnerabilities...
2023-05-11T17:41:41.175Z        INFO    Number of language-specific files: 1
2023-05-11T17:41:41.175Z        INFO    Detecting gobinary vulnerabilities...

registry.k8s.io/sig-storage/snapshot-controller:v6.2.1 (debian 11.6)

Total: 0 (HIGH: 0, CRITICAL: 0)


snapshot-controller (gobinary)

Total: 1 (HIGH: 1, CRITICAL: 0)

┌──────────────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────┐
│     Library      │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                    Title                     │
├──────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────┤
│ golang.org/x/net │ CVE-2022-41723 │ HIGH     │ v0.4.0            │ 0.7.0         │ avoid quadratic complexity in HPACK decoding │
│                  │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-41723   │
└──────────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────┘

Anything else we need to know?:

Environment:

  • OS (e.g. from /etc/os-release): Ubuntu 22.04.2 LTS
  • Kernel (e.g. uname -a): 5.19.0-1024-aws
  • Install tools: Docker
  • Others: Trivy
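
The Trivy finding above comes from the module list that the Go toolchain embeds in every Go binary, which is what Trivy's gobinary scanner reads. As an added example that is not part of the original issue and not code from the external-snapshotter project or from Trivy, the Go program below reads that same list and flags dependencies that are older than a known fixed version. The fixed-version table holds only the finding from this issue, the sample build info is constructed to mirror it, and the simplified version comparison (pre-release and pseudo-version suffixes dropped) is an assumption of the example.

```go
// Added example, not code from the external-snapshotter project or from Trivy:
// check the module list the Go toolchain embeds in every Go binary (the data
// Trivy's "gobinary" scanner reads) against a table of known fixed versions.
package main

import (
	"fmt"
	"os"
	"runtime/debug"
	"strconv"
	"strings"
)

// Finding is one linked module that is older than its fixed version.
type Finding struct{ Module, Installed, Fixed, Advisory string }

// fixedVersions maps a module path to the first version carrying the fix (the entry is this issue's finding).
var fixedVersions = map[string]struct{ Fixed, Advisory string }{
	"golang.org/x/net": {"v0.7.0", "CVE-2022-41723"},
}

// parseSemver reduces "v0.4.0" or a pseudo-version such as "v0.0.0-20220722155237-a158d28d115b"
// to [major, minor, patch]; dropping the suffix is a simplification and an assumption here.
func parseSemver(v string) (out [3]int, err error) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	for i, p := range strings.SplitN(v, ".", 3) {
		if out[i], err = strconv.Atoi(p); err != nil {
			return out, fmt.Errorf("cannot parse version %q", v)
		}
	}
	return out, nil
}

// VersionLess reports whether version a is strictly older than version b.
func VersionLess(a, b string) (bool, error) {
	av, err := parseSemver(a)
	if err != nil {
		return false, err
	}
	bv, err := parseSemver(b)
	if err != nil {
		return false, err
	}
	for i := range av {
		if av[i] != bv[i] {
			return av[i] < bv[i], nil
		}
	}
	return false, nil
}

// CheckBuildInfo compares every dependency against fixedVersions. A replace
// directive names what was actually linked, so it takes precedence. For a
// binary on disk, debug/buildinfo.ReadFile(path) returns the same *BuildInfo.
func CheckBuildInfo(bi *debug.BuildInfo) ([]Finding, error) {
	var findings []Finding
	for _, dep := range bi.Deps {
		if dep.Replace != nil {
			dep = dep.Replace
		}
		policy, ok := fixedVersions[dep.Path]
		if !ok {
			continue
		}
		older, err := VersionLess(dep.Version, policy.Fixed)
		if err != nil {
			return nil, err
		}
		if older {
			findings = append(findings, Finding{dep.Path, dep.Version, policy.Fixed, policy.Advisory})
		}
	}
	return findings, nil
}

// SampleBuildInfo is constructed for this example to mirror the Trivy finding.
func SampleBuildInfo() *debug.BuildInfo {
	return &debug.BuildInfo{Deps: []*debug.Module{
		{Path: "golang.org/x/net", Version: "v0.4.0"},
		{Path: "golang.org/x/sys", Version: "v0.5.0"},
	}}
}

func main() {
	findings, err := CheckBuildInfo(SampleBuildInfo())
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s %s is below fixed %s (%s)\n", f.Module, f.Installed, f.Fixed, f.Advisory)
	}
	if len(findings) > 0 {
		os.Exit(1) // a non-zero exit fails a CI gate, as `trivy --exit-code 1` would
	}
}
```

For a real image, extract the binary and hand its path to `debug/buildinfo.ReadFile`, or compare the output of `go version -m <binary>` by eye; the non-zero exit is what turns the check into a pipeline gate, the same way `trivy --exit-code 1 -s HIGH,CRITICAL` does.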
@matttrach
Author

This has been potentially resolved in #824, but I don't see a release or an image produced which includes that commit.

@matttrach matttrach changed the title Upgrade golang.org/x/net module Create new trivial release to include CVE fix May 11, 2023
@matttrach
Author

This also affects registry.k8s.io/sig-storage/snapshot-validation-webhook:v6.2.1

trivy image --scanners vuln -s HIGH,CRITICAL registry.k8s.io/sig-storage/snapshot-validation-webhook:v6.2.1
2023-05-11T18:29:44.819Z        INFO    Vulnerability scanning is enabled
2023-05-11T18:29:45.592Z        INFO    Detected OS: debian
2023-05-11T18:29:45.592Z        INFO    Detecting Debian vulnerabilities...
2023-05-11T18:29:45.592Z        INFO    Number of language-specific files: 1
2023-05-11T18:29:45.592Z        INFO    Detecting gobinary vulnerabilities...

registry.k8s.io/sig-storage/snapshot-validation-webhook:v6.2.1 (debian 11.6)

Total: 0 (HIGH: 0, CRITICAL: 0)


snapshot-validation-webhook (gobinary)

Total: 1 (HIGH: 1, CRITICAL: 0)

┌──────────────────┬────────────────┬──────────┬───────────────────┬───────────────┬──────────────────────────────────────────────┐
│     Library      │ Vulnerability  │ Severity │ Installed Version │ Fixed Version │                    Title                     │
├──────────────────┼────────────────┼──────────┼───────────────────┼───────────────┼──────────────────────────────────────────────┤
│ golang.org/x/net │ CVE-2022-41723 │ HIGH     │ v0.4.0            │ 0.7.0         │ avoid quadratic complexity in HPACK decoding │
│                  │                │          │                   │               │ https://avd.aquasec.com/nvd/cve-2022-41723   │
└──────────────────┴────────────────┴──────────┴───────────────────┴───────────────┴──────────────────────────────────────────────┘

@matttrach
Author

Looks like someone followed up on this in the sig-storage slack channel, posting a link here: https://kubernetes.slack.com/archives/C09QZFCE5/p1683794569848679
@xing-yang mentioned a new release ETA in a couple of weeks, I will check in periodically over the next few weeks and keep this issue up to date.

@matttrach
Author

I followed up with @xing-yang in slack today; they are still waiting on a few more PRs to get in. I asked for further clarification, but I will check up again in a week.

@matttrach
Author

#832
#833
#834

@xing-yang
Collaborator

Release 6.2.2 will be available once this PR is merged: kubernetes/k8s.io#5334

@matttrach
Author

Thank you!

@adammw

adammw commented Jun 1, 2023

6.2.2 tags contain references to the 6.2.1 images in the deploy manifests - is this expected?
https://github.com/kubernetes-csi/external-snapshotter/blob/v6.2.2/deploy/kubernetes/snapshot-controller/setup-snapshot-controller.yaml

@xing-yang
Collaborator

@adammw When the release tag for 6.2.2 was cut, the images were built automatically with the 6.2.2 tag. The image tags in the deployment files are usually updated later. I'll be using canary images in the example deployment files in the future.
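
The tag lag described in this exchange, where a release tag's manifests still reference the previous release's images, is cheap to catch before a manifest is applied. The Go program below is an added example, not code from the external-snapshotter project or from anyone in this thread: it pulls every `image:` reference out of a manifest and reports those under a given registry prefix whose tag differs from the expected release tag, leaving digest-pinned images alone. The manifest is constructed for the example, and parsing with a line regex instead of a YAML library is a simplifying assumption.

```go
// Added example, not code from the external-snapshotter project: verify that
// the images a release's deployment manifest references carry the release's
// own tag. The sample manifest is constructed for this example.
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// ImageRef is one "image:" value found in a manifest.
type ImageRef struct {
	Line   int
	Image  string // repository path without tag or digest
	Tag    string // e.g. v6.2.1; empty if untagged or digest-pinned
	Digest string // e.g. sha256:...; empty unless digest-pinned
}

// imageLine matches "image: <ref>" (optionally quoted, optionally a list
// item) in plain YAML. A real YAML parser would be used in production; the
// line regex keeps this example dependency-free (an assumption made here).
var imageLine = regexp.MustCompile(`^\s*(?:-\s+)?image:\s*["']?([^"'\s]+)["']?\s*$`)

// ParseImages extracts every image reference with its 1-based line number.
func ParseImages(manifest string) []ImageRef {
	var refs []ImageRef
	for i, line := range strings.Split(manifest, "\n") {
		m := imageLine.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		ref := ImageRef{Line: i + 1, Image: m[1]}
		if at := strings.Index(m[1], "@"); at >= 0 {
			ref.Image, ref.Digest = m[1][:at], m[1][at+1:]
		} else if c := strings.LastIndex(m[1], ":"); c > strings.LastIndex(m[1], "/") {
			// the tag is what follows the last colon after the last slash
			// (a colon before the last slash is a registry port, not a tag)
			ref.Image, ref.Tag = m[1][:c], m[1][c+1:]
		}
		refs = append(refs, ref)
	}
	return refs
}

// MismatchedImages returns references under registryPrefix whose tag is not
// wantTag. Digest-pinned images are left alone (a digest pins harder than a
// tag), and images outside the prefix are skipped so third-party sidecars
// with their own release cadence are not flagged.
func MismatchedImages(manifest, registryPrefix, wantTag string) []ImageRef {
	var bad []ImageRef
	for _, r := range ParseImages(manifest) {
		if !strings.HasPrefix(r.Image, registryPrefix) || r.Digest != "" {
			continue
		}
		if r.Tag != wantTag {
			bad = append(bad, r)
		}
	}
	return bad
}

// sampleManifest is constructed for this example: one image lags the release.
const sampleManifest = `apiVersion: apps/v1
kind: Deployment
metadata:
  name: snapshot-controller
spec:
  template:
    spec:
      containers:
        - name: snapshot-controller
          image: registry.k8s.io/sig-storage/snapshot-controller:v6.2.1
        - name: csi-snapshotter
          image: "registry.k8s.io/sig-storage/csi-snapshotter:v6.2.2"
`

func main() {
	const want = "v6.2.2"
	bad := MismatchedImages(sampleManifest, "registry.k8s.io/sig-storage/", want)
	for _, r := range bad {
		fmt.Printf("line %d: %s is tagged %q, release tag is %q\n", r.Line, r.Image, r.Tag, want)
	}
}
```

Run against a checked-out release tag, the expected tag is the tag being built; a non-empty result means the manifests were not bumped with the images, which is exactly the v6.2.2 situation above.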

@matttrach
Author

@xing-yang, is the new version going to be backported to older kubernetes versions on the next patch release?

@k8s-triage-robot

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 22, 2024
@k8s-triage-robot

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle rotten
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Feb 21, 2024
@k8s-triage-robot

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Reopen this issue with /reopen
  • Mark this issue as fresh with /remove-lifecycle rotten
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close not-planned

@k8s-ci-robot
Contributor

@k8s-triage-robot: Closing this issue, marking it as "Not Planned".

In response to this:

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Reopen this issue with /reopen
  • Mark this issue as fresh with /remove-lifecycle rotten
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close not-planned

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot closed this as not planned Won't fix, can't repro, duplicate, stale Mar 22, 2024