OCPBUGS-25992 (project: OpenShift Bugs)

[RFE] successful with warnings are shown when fips scan testing is done for KDO


    • Bug
    • Resolution: Done-Errata
    • Major
    • None
    • 4.15
    • descheduler
    • None
    • Moderate
    • No
    • Proposed
    • False

      Description of problem:
      The below warnings with successful runs are seen when FIPS security scan testing is done for KDO.

      $  sudo ./check-payload scan operator --spec registry-proxy.engineering.redhat.com/rh-osbs/kube-descheduler-operator-rhel-9:v5.0-4
      [sudo] password for jchaloup: 
      I0103 12:27:45.854647 3123639 main.go:271] using config file: config.toml
      I0103 12:27:45.854684 3123639 types_config.go:12] using config &{Components:[] FailOnWarnings:false FilterFile: FromFile: FromURL: InsecurePull:false Limit:-1 ContainerImageComponent: ContainerImage: OutputFile: OutputFormat:table Parallelism:5 Java:false PrintExceptions:false PullSecret: TimeLimit:1h0m0s Verbose:false UseRPMScan:false ConfigFile:{FilterFiles:[] FilterDirs:[/lib/firmware /lib/modules /usr/lib/.build-id /usr/lib/firmware /usr/lib/grub /usr/lib/modules /usr/share/app-info /usr/share/doc /usr/share/fonts /usr/share/icons /usr/share/openshift /usr/src/plugins /rootfs /sysroot] FilterImages:[] JavaDisabledAlgorithms:[DH keySize < 2048 TLSv1.1 TLSv1 SSLv3 SSLv2 TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_128_GCM_SHA256 DHE_DSS RSA_EXPORT DHE_DSS_EXPORT DHE_RSA_EXPORT DH_DSS_EXPORT DH_RSA_EXPORT DH_anon ECDH_anon DH_RSA DH_DSS ECDH 3DES_EDE_CBC DES_CBC RC4_40 RC4_128 DES40_CBC RC2 HmacMD5] PayloadIgnores:map[openshift-enterprise-pod-container:{FilterFiles:[] FilterDirs:[] ErrIgnores:[{Error:ErrNotDynLinked Files:[/usr/bin/pod] Dirs:[]}]} operator-lifecycle-manager-container:{FilterFiles:[/usr/bin/cpb /usr/bin/copy-content] FilterDirs:[] ErrIgnores:[]} ose-olm-rukpak-container:{FilterFiles:[/unpack] FilterDirs:[] ErrIgnores:[]}] TagIgnores:map[] RPMIgnores:map[containernetworking-plugins:{FilterFiles:[] FilterDirs:[] ErrIgnores:[{Error:ErrGoMissingTag Files:[] Dirs:[/usr/libexec/cni]}]} cri-o:{FilterFiles:[] FilterDirs:[] ErrIgnores:[{Error:ErrGoMissingTag Files:[/usr/bin/crio /usr/bin/crio-status] Dirs:[]} {Error:ErrNotDynLinked Files:[/usr/bin/pinns] Dirs:[]}]} cri-tools:{FilterFiles:[] FilterDirs:[] ErrIgnores:[{Error:ErrGoMissingTag Files:[/usr/bin/crictl] Dirs:[]}]} glibc:{FilterFiles:[] FilterDirs:[] ErrIgnores:[{Error:ErrNotDynLinked Files:[/usr/sbin/ldconfig /sbin/ldconfig] Dirs:[]}]} glibc-common:{FilterFiles:[] 
FilterDirs:[] ErrIgnores:[{Error:ErrNotDynLinked Files:[/usr/sbin/build-locale-archive] Dirs:[]}]} ignition:{FilterFiles:[] FilterDirs:[] ErrIgnores:[{Error:ErrGoMissingTag Files:[/usr/lib/dracut/modules.d/30ignition/ignition] Dirs:[]}]} podman:{FilterFiles:[] FilterDirs:[] ErrIgnores:[{Error:ErrGoMissingTag Files:[/usr/bin/podman /usr/libexec/podman/quadlet /usr/libexec/podman/rootlessport] Dirs:[]} {Error:ErrNotDynLinked Files:[/usr/libexec/podman/catatonit] Dirs:[]}]} podman-catatonit:{FilterFiles:[] FilterDirs:[] ErrIgnores:[{Error:ErrNotDynLinked Files:[/usr/libexec/catatonit/catatonit] Dirs:[]}]} runc:{FilterFiles:[] FilterDirs:[] ErrIgnores:[{Error:ErrGoMissingTag Files:[/usr/bin/runc] Dirs:[]}]} skopeo:{FilterFiles:[] FilterDirs:[] ErrIgnores:[{Error:ErrGoMissingTag Files:[/usr/bin/skopeo] Dirs:[]}]}] ErrIgnores:[]}}
      I0103 12:27:45.854729 3123639 main.go:101] "scan" version="0.3.1-55-g3f6c44b9"
      I0103 12:27:51.730668 3123639 scan.go:325] "scanning warning" image="registry-proxy.engineering.redhat.com/rh-osbs/kube-descheduler-operator-rhel-9:v5.0-4" path="/usr/bin/cluster-kube-descheduler-operator" error="go binary has no build tags set (should have strictfipsruntime)" component="kube-descheduler-operator-container" tag="" rpm="" status="warning"
      ---- Warning Report
      +-------------------------------------+--------------------------------------------+-----------------------------------------------------------------+---------------------------------------------------------------------------------------+
      | OPERATOR NAME                       | EXECUTABLE NAME                            | STATUS                                                          | IMAGE                                                                                 |
      +-------------------------------------+--------------------------------------------+-----------------------------------------------------------------+---------------------------------------------------------------------------------------+
      | kube-descheduler-operator-container | /usr/bin/cluster-kube-descheduler-operator | go binary has no build tags set (should have strictfipsruntime) | registry-proxy.engineering.redhat.com/rh-osbs/kube-descheduler-operator-rhel-9:v5.0-4 |
      +-------------------------------------+--------------------------------------------+-----------------------------------------------------------------+---------------------------------------------------------------------------------------+
      ---- Successful run with warnings
      

            jchaloup@redhat.com Jan Chaloupka
            knarra@redhat.com Rama Kasturi Narra
            Rama Kasturi Narra