
feat: Updated the trivy bundles #3107

Closed
wants to merge 1 commit into from

Conversation

ArvinderPal09
Contributor

@ArvinderPal09 ArvinderPal09 commented Feb 4, 2025

Fixes the following CVE:

  • docker.io/mesosphere/trivy-bundles:0.59.0-20250202T050536Z

arvinder.pal@GHH4XN27GC kommander-applications % trivy i docker.io/mesosphere/trivy-bundles:0.59.0-20250202T050536Z --severity=HIGH,CRITICAL
2025-02-04T10:04:24+05:30 INFO [vuln] Vulnerability scanning is enabled
2025-02-04T10:04:24+05:30 INFO [secret] Secret scanning is enabled
2025-02-04T10:04:24+05:30 INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
.
.
.
.
2025-02-04T10:04:57+05:30 INFO Detected OS family="wolfi" version="20230201"
2025-02-04T10:04:57+05:30 INFO [wolfi] Detecting vulnerabilities... pkg_num=9
2025-02-04T10:04:57+05:30 INFO Number of language-specific files num=1
2025-02-04T10:04:57+05:30 INFO [gobinary] Detecting vulnerabilities...
2025-02-04T10:04:57+05:30 WARN Using severities from other vendors for some vulnerabilities. Read https://aquasecurity.github.io/trivy/v0.55/docs/scanner/vulnerability#severity-selection for details.

docker.io/mesosphere/trivy-bundles:0.59.0-20250202T050536Z (wolfi 20230201)

Total: 0 (HIGH: 0, CRITICAL: 0)
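An added example, not part of this PR or of the kommander-applications repository, showing how the "Total: N (HIGH: x, CRITICAL: y)" summary lines from a scan like the one above can gate a CI step: the function sums HIGH and CRITICAL counts across every target trivy reports (OS packages and language-specific files each get their own summary) and fails when either is non-zero. The scan output below is constructed for the demonstration.

```shell
#!/bin/sh
# Constructed sample output in the shape trivy prints per target (not a real scan).
SAMPLE_CLEAN='docker.io/mesosphere/trivy-bundles:0.59.0-20250202T050536Z (wolfi 20230201)

Total: 0 (HIGH: 0, CRITICAL: 0)
'
# Constructed: two targets (OS packages and a gobinary) with findings.
SAMPLE_DIRTY='example/image:1.0 (wolfi 20230201)

Total: 2 (HIGH: 1, CRITICAL: 1)

usr/local/bin/tool (gobinary)

Total: 1 (HIGH: 1, CRITICAL: 0)
'

# trivy_gate: read scan output on stdin, sum HIGH and CRITICAL counts over every
# "Total:" line, print "high=<n> critical=<n>", then return
#   0 when nothing HIGH/CRITICAL was found,
#   1 when any HIGH or CRITICAL finding exists (fails the CI step),
#   2 when no summary line was seen at all (scan did not run or output changed).
trivy_gate() {
    awk '
        /^Total: [0-9]+ \(/ {
            found = 1
            # Fields look like: Total: 2 (HIGH: 1, CRITICAL: 1)
            # "+ 0" converts "1," or "1)" to the number 1 (awk keeps the numeric prefix).
            for (i = 1; i <= NF; i++) {
                if ($i ~ /HIGH:$/)     { high += $(i + 1) + 0 }
                if ($i ~ /CRITICAL:$/) { crit += $(i + 1) + 0 }
            }
        }
        END {
            printf "high=%d critical=%d\n", high, crit
            if (!found) exit 2
            exit ((high + crit) > 0 ? 1 : 0)
        }'
}

# Intended use in CI (image name is a placeholder):
#   trivy image IMAGE:TAG --severity=HIGH,CRITICAL | trivy_gate
printf '%s' "$SAMPLE_CLEAN" | trivy_gate || echo "gate failed with status $?"
printf '%s' "$SAMPLE_DIRTY" | trivy_gate || echo "gate failed with status $?"
```

Note that trivy reports one summary line per target, so a gate that only reads the first line would miss findings in language-specific files such as Go binaries.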

@github-actions github-actions bot added services/nkp-insights size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Feb 4, 2025
@mesosphere-ci mesosphere-ci added ok-to-test Signals mergebot that CI checks are ready to be kicked off update-licenses signals mergebot to update licenses.d2iq.yaml and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Feb 4, 2025
@ArvinderPal09 ArvinderPal09 self-assigned this Feb 4, 2025
@coveralls

Pull Request Test Coverage Report for Build 13128615653

Details

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage remained the same at 51.703%

Totals Coverage Status
Change from base Build 13118767156: 0.0%
Covered Lines: 167
Relevant Lines: 323

💛 - Coveralls

@ArvinderPal09 ArvinderPal09 added open-kommander-pr Automatically triggers the creation of a PR in Kommander repo ready-for-review labels Feb 4, 2025
Contributor

github-actions bot commented Feb 4, 2025

✅ Created Kommander branch to test kommander-applications changes: https://github.com/mesosphere/kommander/tree/kapps/main/trivy-bundles-cve-fix


@kaiwalyajoshi
Contributor

Hi @ArvinderPal09

Thank you for this PR, but we don't directly update the helm values in the k-apps repo for dkp-insights.

The correct way to do so is to create and merge a PR in the dkp-insights repo, and then cut a new release: https://github.com/mesosphere/dkp-insights/actions/workflows/release.yml (Please reach out before doing so)

There's automation that correctly updates and sets the values that match the contents of this PR.

Otherwise in the next release, the automation will override the contents here.

I will close this PR as #3115 landed these changes via automation (along with others).

Feel free to land changes within the dkp-insights repository as needed.

cc @mhrabovcin

@ArvinderPal09
Contributor Author

Hi @kaiwalyajoshi
Thanks for the input. I will proceed as suggested.

I was not aware of the flow. I will keep this in mind for any future changes.

Labels
do-not-merge ok-to-test Signals mergebot that CI checks are ready to be kicked off open-kommander-pr Automatically triggers the creation of a PR in Kommander repo ready-for-review services/nkp-insights update-licenses signals mergebot to update licenses.d2iq.yaml