- Bug
- Resolution: Unresolved
- Major
- 3.20.0.GA
Konflux integration tests fail on the Plugin Registry build because the image scan reports blocking CVEs.
Violations (Jinja2):
- CVE-2024-56201 - https://github.com/advisories/GHSA-gmj6-6f8f-6699
- CVE-2024-56326 - https://github.com/advisories/GHSA-q2x7-8rv6-6q7h
✕ [Violation] cve.cve_blockers
ImageRef: quay.io/redhat-user-workloads/devspaces-tenant/devspaces/pluginregistry@sha256:6d608f98192c5b380d21a492da85ee8f8b0a0d58ea632cba1ed41876ce94dd1b
Reason: Found "GHSA-gmj6-6f8f-6699" vulnerability of high security level
Title: Blocking CVE check
Description: The SLSA Provenance attestation for the image is inspected to ensure CVEs that have a known fix and meet a certain security level have not been detected. If detected, this policy rule will fail. By default, only CVEs of critical and high security level cause a failure. This is configurable by the rule data key `restrict_cve_security_levels`. The available levels are critical, high, medium, low, and unknown. In addition to that leeway can be granted per severity using the `cve_leeway` rule data key containing days of allowed leeway, measured as time between found vulnerability's public disclosure date and current effective time, per severity level. To exclude this rule add "cve.cve_blockers:GHSA-gmj6-6f8f-6699" to the `exclude` section of the policy configuration.
Solution: Make sure to address any CVE's related to the image.

✕ [Violation] cve.cve_blockers
ImageRef: quay.io/redhat-user-workloads/devspaces-tenant/devspaces/pluginregistry@sha256:6d608f98192c5b380d21a492da85ee8f8b0a0d58ea632cba1ed41876ce94dd1b
Reason: Found "GHSA-q2x7-8rv6-6q7h" vulnerability of high security level
Title: Blocking CVE check
Description: The SLSA Provenance attestation for the image is inspected to ensure CVEs that have a known fix and meet a certain security level have not been detected. If detected, this policy rule will fail. By default, only CVEs of critical and high security level cause a failure. This is configurable by the rule data key `restrict_cve_security_levels`. The available levels are critical, high, medium, low, and unknown. In addition to that leeway can be granted per severity using the `cve_leeway` rule data key containing days of allowed leeway, measured as time between found vulnerability's public disclosure date and current effective time, per severity level. To exclude this rule add "cve.cve_blockers:GHSA-q2x7-8rv6-6q7h" to the `exclude` section of the policy configuration.
Solution: Make sure to address any CVE's related to the image.
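The violation text above describes how the `cve.cve_blockers` rule decides: a finding blocks only if it has a known fix, its severity is in `restrict_cve_security_levels` (default critical and high), it is older than the `cve_leeway` days granted for that severity, and it is not listed under `exclude`. The following is an added example, not the policy engine's own code, that reimplements that decision in Python and parses the `Reason:` lines from a report like this one so the two findings can be triaged offline. The disclosure dates and the effective date are constructed sample values, not taken from the advisories; the third, medium-severity finding is likewise a constructed placeholder.

```python
import re
from dataclasses import dataclass
from datetime import date, timedelta

# Severity levels that fail the check unless configured otherwise
# (the page states critical and high are the defaults).
DEFAULT_RESTRICT_LEVELS = ("critical", "high")


@dataclass(frozen=True)
class Finding:
    """One vulnerability as a scanner would report it for an image."""
    vuln_id: str      # GHSA or CVE identifier
    severity: str     # critical, high, medium, low or unknown
    has_fix: bool     # the rule only considers CVEs with a known fix
    disclosed: date   # public disclosure date, used for leeway


def is_blocking(finding, effective, restrict_levels=DEFAULT_RESTRICT_LEVELS,
                cve_leeway=None):
    """True if this finding would fail a cve.cve_blockers-style check."""
    sev = finding.severity.lower()
    if sev not in restrict_levels:
        return False
    if not finding.has_fix:
        return False
    # Leeway is days between public disclosure and the effective time,
    # granted per severity level; inside that window the finding passes.
    leeway_days = (cve_leeway or {}).get(sev, 0)
    if leeway_days and (effective - finding.disclosed) <= timedelta(days=leeway_days):
        return False
    return True


def blocking_findings(findings, effective, exclude=(), **kwargs):
    """IDs that block, after honouring 'cve.cve_blockers:<id>' exclude entries."""
    excluded_ids = {e.split(":", 1)[1] for e in exclude
                    if e.startswith("cve.cve_blockers:")}
    return [f.vuln_id for f in findings
            if f.vuln_id not in excluded_ids and is_blocking(f, effective, **kwargs)]


# Matches the Reason line format shown in the report above.
VIOLATION_RE = re.compile(r'Found "([^"]+)" vulnerability of (\w+) security level')


def parse_violations(report_text):
    """Extract (vuln_id, severity) pairs from violation output."""
    return VIOLATION_RE.findall(report_text)


# Constructed excerpt in the report's format (IDs are the two from the ticket).
SAMPLE_REPORT = """
Reason: Found "GHSA-gmj6-6f8f-6699" vulnerability of high security level
Reason: Found "GHSA-q2x7-8rv6-6q7h" vulnerability of high security level
"""

# Constructed sample dates (not the advisories' real disclosure dates).
EFFECTIVE = date(2025, 2, 1)
SAMPLE_FINDINGS = [
    Finding("GHSA-gmj6-6f8f-6699", "high", True, date(2024, 12, 23)),
    Finding("GHSA-q2x7-8rv6-6q7h", "high", True, date(2024, 12, 23)),
    Finding("CVE-EXAMPLE-0000", "medium", True, date(2024, 12, 1)),  # placeholder
]

if __name__ == "__main__":
    print("parsed:", parse_violations(SAMPLE_REPORT))
    print("blocking (defaults):", blocking_findings(SAMPLE_FINDINGS, EFFECTIVE))
    print("blocking (60-day high leeway):",
          blocking_findings(SAMPLE_FINDINGS, EFFECTIVE, cve_leeway={"high": 60}))
    print("blocking (one excluded):",
          blocking_findings(SAMPLE_FINDINGS, EFFECTIVE,
                            exclude=["cve.cve_blockers:GHSA-gmj6-6f8f-6699"]))
```

With the defaults both Jinja2 advisories block and the medium finding does not; widening the leeway or adding an `exclude` entry makes the check pass without the image changing, which is why fixing the dependency is the remedy the report recommends.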