• Type: Epic
    • Priority: High
    • Status: To Do
    • Resolution: Unresolved
    • Component: sandboxed-containers
    • Summary: CVEs clean up
    • Progress: 0% To Do, 0% In Progress, 100% Done

      Epic Goal

      • Fix the current list of CVEs opened against Sandboxed Containers

      Why is this important?

      • As a security product, we want to be as clean as possible of CVEs and security issues
      • As a company, Red Hat has a couple of SLA standards to follow. In a nutshell, moderate issues should be fixed within a 90-day window, and a couple of the issues opened have been open for more than a year.

      Scenarios

      1. https://issues.redhat.com/issues/?filter=12443934&jql=Labels%20%3D%20SecurityTracking%20and%20project%20in%20(OCPBUGS%2C%20PROJQUAY%2C%20ROX)%20and%20statusCategory%20!%3D%20Done%20and%20Duedate%20%3C%3D%20now()%20and%20level%20!%3D%20%22Embargoed%20Security%20Issue%22%20and%20project%20%3D%20OCPBUGS%20and%20project%20%3D%20OCPBUGS%20and%20component%20%3D%20sandboxed-containers%20order%20by%20due%20asc

      Acceptance Criteria 

      (The Epic is complete when...)

      1. Current CVEs fixes are implemented and tested.

      Additional context:

      After a quick investigation, it looks like most CVEs are dependencies of dependencies in Go code. ATM goproxy, opentelemetry, protobuf and a couple of other sub-dependencies need to be bumped. We can blindly bump them or bump the libraries that are using those things.

      • Update go.mod to either replace sub-dependencies (using replace) or, preferably, update the actual dependencies in the require list to avoid older sub-deps. E.g., by using go mod graph I can see who's pulling otelhttp@v0.20.0; newer versions of that library should be using otelhttp 0.44.
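The dependency walk described above (who pulls otelhttp@v0.20.0, and which require entries to bump), as an added example that is not part of this epic or of the sandboxed-containers code base. It parses a constructed sample of `go mod graph` output; the module names example.com/operator and example.com/client and every version except otelhttp@v0.20.0 are made up for the illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed sample of `go mod graph` output (not the real sandboxed-containers
// graph). Each line is "dependant dependency"; the main module has no version.
const sampleGraph = `example.com/operator github.com/elazarl/goproxy@v1.0.0
example.com/operator example.com/client@v1.2.0
example.com/operator google.golang.org/protobuf@v1.26.0
example.com/client@v1.2.0 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.20.0
example.com/client@v1.2.0 google.golang.org/protobuf@v1.26.0
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.20.0 go.opentelemetry.io/otel@v0.20.0
`

// parseGraph reads `go mod graph` output into forward edges (who requires what).
// The left-hand side of the first line is the main module.
func parseGraph(text string) (root string, deps map[string][]string) {
	deps = map[string][]string{}
	for _, line := range strings.Split(strings.TrimSpace(text), "\n") {
		f := strings.Fields(line)
		if len(f) != 2 {
			continue
		}
		if root == "" {
			root = f[0]
		}
		deps[f[0]] = append(deps[f[0]], f[1])
	}
	return root, deps
}

// chainsTo returns every dependency chain from the main module to target,
// each as a slice of module@version strings. Nodes already on the current
// path are skipped so a cyclic graph cannot recurse forever.
func chainsTo(text, target string) [][]string {
	root, deps := parseGraph(text)
	var out [][]string
	var walk func(node string, path []string, onPath map[string]bool)
	walk = func(node string, path []string, onPath map[string]bool) {
		if node == target {
			out = append(out, append([]string(nil), path...))
			return
		}
		for _, next := range deps[node] {
			if onPath[next] {
				continue
			}
			onPath[next] = true
			walk(next, append(path, next), onPath)
			delete(onPath, next)
		}
	}
	walk(root, []string{root}, map[string]bool{root: true})
	return out
}

// directDepsPulling returns the main module's direct requirements (the entries
// in the go.mod require list) through which target is reached, sorted.
// Bumping these is the preferred fix; a replace directive is the fallback.
func directDepsPulling(text, target string) []string {
	seen := map[string]bool{}
	for _, chain := range chainsTo(text, target) {
		if len(chain) >= 2 {
			seen[chain[1]] = true
		}
	}
	out := make([]string, 0, len(seen))
	for m := range seen {
		out = append(out, m)
	}
	sort.Strings(out)
	return out
}

func main() {
	target := "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.20.0"
	for _, c := range chainsTo(sampleGraph, target) {
		fmt.Println(strings.Join(c, " -> "))
	}
	fmt.Println("require entries to bump:", directDepsPulling(sampleGraph, target))
}
```

On a real tree, `go mod graph` piped through grep (or `go mod why -m <module>`) gives the same answer; the fix is then `go get <direct-dep>@<newer>` followed by `go mod tidy`, and `govulncheck ./...` confirms the reachable findings are gone. A `replace` directive only pins the version for this build and is worth rechecking whenever the direct dependency is bumped.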

              Greg Kurz (rhgkurz)
              Danilo de Paula (ddepaula@redhat.com)