CVEs clean up
Epic
Resolution: Unresolved
High
To Do
0% To Do, 0% In Progress, 100% Done
Epic Goal
- Fix the current list of CVEs opened against Sandboxed Containers
Why is this important?
- As a security product, Sandboxed Containers should carry as few open CVEs and security issues as possible.
- As a company, Red Hat has SLA standards to follow. In a nutshell, moderate-severity issues should be fixed within a 90-day window, and several of the open issues have been open for more than a year.
Scenarios
Acceptance Criteria
(The Epic is complete when...)
- Current CVEs fixes are implemented and tested.
Additional context:
After a quick investigation, it looks like most of the CVEs are in transitive dependencies (dependencies of dependencies) of the Go code. At the moment goproxy, opentelemetry, protobuf and a few other sub-dependencies need to be bumped. We can either bump them blindly or bump the direct dependencies that pull them in.
- Update go.mod either to replace the sub-dependencies (using replace directives) or, preferably, to update the actual dependencies in the require list so they no longer pull in the older sub-dependencies. For example, with `go mod graph` I can see who is pulling otelhttp@v0.20.0; newer versions of that library should be using otelhttp v0.44. A replace directive is the weaker fix: it only takes effect when this module is the main module being built, and it papers over a direct dependency that still declares the old version, so bumping the requirement that owns the old sub-dependency is the version that actually sticks.
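The triage step above ("who is pulling otelhttp@v0.20.0, and which direct requirement do I bump?") can be done by walking the `go mod graph` output instead of eyeballing it. The following is an added example, not code from this epic or from the Sandboxed Containers project: it parses a constructed, hypothetical `go mod graph` listing (the module names `example.com/sandboxed-containers`, `github.com/alpha/client`, `github.com/beta/server`, `github.com/gamma/mw` are invented placeholders; only the otelhttp versions match the text), finds every dependency path from the main module to the flagged `module@version`, and reports the direct requirements at the head of those paths, which are the `require` entries to update in preference to adding a `replace`. It generalizes the single otelhttp case to any target module version.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed sample of `go mod graph` output (hypothetical module names, not the
// real project's graph). Each line is "parent child"; the main module is the only
// node that appears without an @version suffix.
const sampleGraph = `example.com/sandboxed-containers github.com/alpha/client@v1.2.0
example.com/sandboxed-containers github.com/beta/server@v0.9.0
example.com/sandboxed-containers google.golang.org/grpc@v1.56.0
github.com/alpha/client@v1.2.0 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.20.0
github.com/beta/server@v0.9.0 github.com/gamma/mw@v0.3.0
github.com/gamma/mw@v0.3.0 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.20.0
google.golang.org/grpc@v1.56.0 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.44.0
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.20.0 go.opentelemetry.io/otel@v1.0.0
`

// ParseGraph turns `go mod graph` text into an adjacency map (parent -> children)
// and returns the root, i.e. the first parent that carries no version suffix.
func ParseGraph(text string) (root string, edges map[string][]string) {
	edges = map[string][]string{}
	for _, line := range strings.Split(strings.TrimSpace(text), "\n") {
		fields := strings.Fields(line)
		if len(fields) != 2 {
			continue // blank or malformed line
		}
		edges[fields[0]] = append(edges[fields[0]], fields[1])
		if root == "" && !strings.Contains(fields[0], "@") {
			root = fields[0]
		}
	}
	return root, edges
}

// PathsTo returns every dependency path from root to target ("module@version").
// The second element of each path is the direct requirement that pulls target in.
func PathsTo(root, target string, edges map[string][]string) [][]string {
	var out [][]string
	seen := map[string]bool{} // nodes on the current path, guards against cycles
	var walk func(node string, path []string)
	walk = func(node string, path []string) {
		if node == target {
			out = append(out, append([]string(nil), path...)) // copy: path is reused
			return
		}
		if seen[node] {
			return
		}
		seen[node] = true
		for _, child := range edges[node] {
			walk(child, append(path, child))
		}
		delete(seen, node)
	}
	walk(root, []string{root})
	return out
}

// DirectCulprits lists the unique direct dependencies through which target is
// reached. Bumping these require entries removes the old sub-dependency for good;
// a replace directive would only mask it in this module's own build.
func DirectCulprits(root, target string, edges map[string][]string) []string {
	set := map[string]bool{}
	for _, p := range PathsTo(root, target, edges) {
		if len(p) > 1 {
			set[p[1]] = true
		}
	}
	out := make([]string, 0, len(set))
	for k := range set {
		out = append(out, k)
	}
	sort.Strings(out)
	return out
}

func main() {
	// In practice: go mod graph > graph.txt, then feed its contents instead of sampleGraph.
	root, edges := ParseGraph(sampleGraph)
	target := "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.20.0"
	for _, p := range PathsTo(root, target, edges) {
		fmt.Println(strings.Join(p, " -> "))
	}
	fmt.Println("direct requirements to bump:", DirectCulprits(root, target, edges))
}
```

On the sample graph this prints two paths to otelhttp@v0.20.0 (one via `github.com/alpha/client`, one via `github.com/beta/server` through `github.com/gamma/mw`) and names those two direct requirements as the ones to bump, while the grpc branch already on v0.44.0 is left alone. `go mod why -m <module>` gives the same answer for a single module from the toolchain itself, and running `govulncheck ./...` after the bump confirms whether the flagged symbols are still reachable from the code.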